System-Defender fixed. [RESOLVED]
Started by termin8or2, Jul 24 2008 06:28 PM
#16
Posted 03 August 2008 - 03:16 PM
#17
Posted 03 August 2008 - 03:17 PM
There is a possible registry fix from Kellys Korner
http://www.kellys-ko...nsaveactive.reg
Double click the reg file and then try it again
#18
Posted 03 August 2008 - 05:07 PM
How is Kellys-Korner info to be used?
#19
Posted 04 August 2008 - 10:42 AM
Download the fix, right click and select merge. Or just double click and accept the warning
Did you try the OE batch file ?
#20
Posted 04 August 2008 - 03:51 PM
I don't know where to download the fix.
I ran the OE batch file and everything succeeded except:
"mshtml.dll was loaded, but the DllRegisterServer entry point was not found. The file can not be registered."
Still cannot get into "display".
This is fun isn't it???
#21
Posted 04 August 2008 - 04:00 PM
This is fun isn't it???
The spice of life
Download the reg fix to the desktop and just run it from there http://www.kellys-ko...displaytabs.reg
How is OE running now ?
#22
Posted 04 August 2008 - 05:35 PM
Do I copy it, then go "start" "run". Paste it in the run box??
OE still makes everything an attachment when it comes in.
Sorry, I'm not very good at this.
#23
Posted 05 August 2008 - 11:43 AM
Having downloaded the regfix to your desktop, right click and select merge as shown in the screenshot. Worry not, I can't dance - everyone to his own
[attachment=22504:Untitled.png]
I will do more research on the OE error
#24
Posted 05 August 2008 - 12:34 PM
Do not know how to download to desktop.
#25
Posted 05 August 2008 - 12:58 PM
Another piccy - right click the link and select save target as... Then place it on your desktop
[attachment=22505:Untitled.jpg]
You will then get this - select desktop
[attachment=22506:Untitled1.jpg]
Click save
[attachment=22507:Untitled2.jpg]
Then run
#26
Posted 05 August 2008 - 03:06 PM
Me again.
When I save it to my desktop, and double click on it , this is what I see:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"SetVisualStyle"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00
When I right click on it, it does not offer "run".
Must be doing something wrong again.
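The helper's merge instructions (posts #19, #23 and #25) and the .reg text the user pasted in post #26 only say implicitly what the fix changes. As an added example (not code from the thread, from Kelly's Korner or from any tool named here), the Python below parses that .reg text, embedded as the sample input, decodes each value type including the hex(2) REG_EXPAND_SZ DllName, and lists which policy restrictions the merge resets and which value it deletes. All function and variable names are my own.

```python
import re

# Sample input: the .reg text from post #26, embedded here with its repeated lines dropped.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"SetVisualStyle"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text):
    """Yield lines with trailing-backslash continuations joined, as regedit reads them."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(raw):
    """Turn the right-hand side of a .reg line into (type name, Python value)."""
    raw = raw.strip()
    if raw == "-":                                    # "name"=-  deletes the value
        return ("DELETE", None)
    if raw.startswith('"') and raw.endswith('"'):     # REG_SZ with \\ and \" escapes
        return ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", raw)    # hex: is REG_BINARY, hex(N): other types
    if not m:
        raise ValueError(f"unrecognised value syntax: {raw}")
    data = bytes.fromhex(m.group(2).replace(",", ""))
    names = {"2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}
    vtype = "REG_BINARY" if m.group(1) is None else names.get(m.group(1), f"REG_HEX_{m.group(1)}")
    if vtype == "REG_EXPAND_SZ":                      # UTF-16LE text with a NUL terminator
        return (vtype, data.decode("utf-16-le").rstrip("\x00"))
    return (vtype, data)


def parse_reg(text):
    """Return {key path: {value name: (type, value)}} for a .reg export."""
    lines = list(_logical_lines(text))
    if not lines or not lines[0].startswith(("Windows Registry Editor", "REGEDIT4")):
        raise ValueError("not a .reg export")
    result, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if (km := _KEY_RE.match(line)):
            current = km.group(1)
            result.setdefault(current, {})
        elif (vm := _VALUE_RE.match(line)) and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            result[current][name] = _decode_value(vm.group(2))
        else:
            raise ValueError(f"unexpected line: {line}")
    return result


def policy_values_reset(parsed):
    """(key tail, name) pairs under a Policies key that the merge sets to zero: restrictions cleared."""
    return sorted((key.rsplit("\\", 1)[1], name)
                  for key, values in parsed.items() if "\\Policies\\" in key
                  for name, (vtype, value) in values.items()
                  if (vtype == "REG_DWORD" and value == 0) or (vtype == "REG_BINARY" and not any(value)))


def deletions(parsed):
    """(key tail, name) pairs the merge deletes."""
    return sorted((key.rsplit("\\", 1)[1], name)
                  for key, values in parsed.items()
                  for name, (vtype, _) in values.items() if vtype == "DELETE")


if __name__ == "__main__":
    parsed = parse_reg(REG_SAMPLE)
    for key_tail, name in policy_values_reset(parsed):
        print(f"clears  {key_tail}\\{name}")
    for key_tail, name in deletions(parsed):
        print(f"deletes {key_tail}\\{name}")
```

Every value the file touches under the three Policies keys is set to zero, which is how the Display control panel and its tabs are made reachable again; the only deletion is SetVisualStyle, and the ThemeManager entry points the theme back at the stock luna.msstyles under %SystemRoot%. If double-clicking a .reg file shows its text instead of a merge prompt, the file is being opened by a text editor rather than handed to regedit, which is worth confirming separately on a machine that has just been cleaned.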
#27
Posted 05 August 2008 - 03:55 PM
Does it offer the option to merge on a right click?
#28
Posted 05 August 2008 - 05:12 PM
No
#29
Posted 06 August 2008 - 11:34 AM
OK, let's try another programme; this one will repair the most common problems experienced with the registry from a malware attack. I very rarely admit defeat. If that does not work I will try to make it a .vbs file
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingc...to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this as it will enable a system recovery in the event of problems
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
#30
Posted 06 August 2008 - 01:48 PM
Following is log from ComboFix:
ComboFix 08-08-06.01 - Advantage 2008-08-06 14:35:10.1 - NTFSx86
Running from: C:\Documents and Settings\Advantage\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-03 17:25 . 2008-08-03 17:25 123 --a------ C:\Documents and Settings\Advantage\fix.bat
2008-08-03 13:22 . 2008-08-03 13:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 13:22 . 2008-08-03 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 13:22 . 2008-08-03 13:22 <DIR> d-------- C:\Documents and Settings\Advantage\Application Data\Malwarebytes
2008-08-03 13:22 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-03 13:22 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 13:13 . 2008-08-03 13:13 <DIR> d-------- C:\_OTMoveIt
2008-08-02 10:35 . 2008-08-02 10:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 10:31 . 2008-08-02 10:31 <DIR> d-------- C:\Deckard
2008-07-30 18:39 . 2008-07-30 18:39 137,320 --a------ C:\Documents and Settings\Advantage\Application Data\GDIPFONTCACHEV1.DAT
2008-07-26 12:12 . 2008-07-26 12:12 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-22 21:59 . 2008-07-22 21:59 4 --a------ C:\WINDOWSRegDefrag.dat
2008-07-22 21:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-22 21:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-22 21:22 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-22 21:22 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-22 21:22 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-22 21:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-22 21:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-22 20:10 . 2008-07-22 21:22 3,120 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-22 19:01 . 2008-07-22 19:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-22 19:00 . 2008-07-22 19:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-22 17:43 . 2008-07-22 17:43 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-14 16:20 . 2008-07-14 16:20 <DIR> d-------- C:\Program Files\Schmap
2008-07-14 16:20 . 2008-07-14 16:20 <DIR> d-------- C:\Documents and Settings\Advantage\Application Data\Schmap
2008-07-13 10:34 . 2004-08-04 07:00 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2008-07-13 10:34 . 2004-08-04 07:00 33,792 --a--c--- C:\WINDOWS\system32\dllcache\lmmib2.dll
2008-07-13 09:46 . 2008-07-13 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 14:29 . 2007-11-28 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-12 14:29 . 2008-07-12 14:29 <DIR> d-------- C:\Documents and Settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 19:39 3,349,280 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-06 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-27 19:33 40,988 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-27 19:32 --------- d-----w C:\Program Files\Eraser
2008-07-23 03:02 1,779,200 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-13 14:47 --------- d-----w C:\Program Files\Lavasoft
2008-07-13 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 23:22 --------- d-----w C:\Program Files\Stellarium
2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-04 20:46 1,811,814 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-14 15:00 --------- d-----w C:\Program Files\CCleaner
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-17 20:20 123,904 ----a-w C:\Program Files\Membership Directory.doc
2006-07-26 00:14 540 -c--a-w C:\Program Files\INSTALL.LOG
2005-09-14 13:24 33,280 -c--a-w C:\Program Files\EndProcess.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-12-25 19:23 643072]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-11 15:46 68856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 22:00 99840]
"D-Link Wireless G WDA-1320"="C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 15:56 2711552]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 10:35 49152]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2008-07-24 20:01 438359]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 03:54 65024 C:\WINDOWS\SOUNDMAN.EXE]
"SprintModemUpdate"="javaw.exe" [2007-09-24 22:30 135168 C:\WINDOWS\system32\javaw.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CO2 Saver.lnk - C:\Program Files\CO2 Saver\CO2Saver.exe [2007-06-16 13:59:55 229448]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 13:10:38 339968]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-11 15:46:33 126136]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-09-05 15:52:11 49220]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2003-06-07 06:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra--c--- 2002-10-08 13:03 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"67:UDP"= 67:UDP:DHCP Discovery Service
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-08-06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
2008-08-06 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Advantage\Application Data\Mozilla\Firefox\Profiles\i4qfoz8p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.myembarq.com
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.969.23408\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 14:38:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-06 14:42:29
ComboFix-quarantined-files.txt 2008-08-06 19:42:21
Pre-Run: 70,178,181,120 bytes free
Post-Run: 70,195,511,296 bytes free
160 --- E O F --- 2008-07-30 22:30:34
I will now go run Hijack This.