Haxdoor.hm (trojan) [RESOLVED]


This topic is locked

#16 kelkay (Member, Topic Starter, 423 posts)

Deckard's System Scanner v20071014.68
Run by Kelly on 2008-08-04 13:27:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Kelly.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:38, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Kelly\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelly.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PCDrProfiler] "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r
O4 - HKLM\..\Run: [PCDrSmartMonitor] "C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PuXpTwks.exe /TWEAK
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -s
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} (OMN Player Support) - http://kdx.omn.org/s...ayerSupport.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} (OMN Media Publisher) - http://kdx.omn.org/s...iaPublisher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave...h2.1.0.0.67.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1165348971449
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 9239 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 13:18:29 135168 --a------ C:\zip.exe
2008-08-04 13:18:29 19286 --a------ C:\cleanup.exe
2008-08-04 13:18:29 574 --a------ C:\cleanup.bat
2008-07-30 21:01:29 466502 --a------ C:\HaxFix.exe <Not Verified; Marckie; >
2008-07-29 14:12:12 0 d-------- C:\Program Files\Common Files\Motive
2008-07-29 14:11:25 0 d-------- C:\Program Files\ATT
2008-07-29 10:20:28 492 --a------ C:\Documents and Settings\Kelly\Application Data\wklnhst.dat
2008-07-26 13:43:17 0 d-------- C:\Program Files\Trillian
2008-07-26 13:24:31 0 d-------- C:\Program Files\InterMute
2008-07-26 00:01:16 0 d-------- C:\Program Files\PC-Doctor 5 for Windows
2008-07-24 18:19:26 68096 --a------ C:\WINDOWS\zip.exe
2008-07-24 18:19:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-24 18:19:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-24 18:19:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-24 18:19:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-24 18:19:26 98816 --a------ C:\WINDOWS\sed.exe
2008-07-24 18:19:26 80412 --a------ C:\WINDOWS\grep.exe
2008-07-24 18:19:26 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-22 20:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-17 21:50:47 0 d-------- C:\Program Files\FlySim
2008-07-15 09:08:46 96559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-15 09:08:46 87855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-15 09:08:03 250912 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 09:08:03 35737888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 09:08:03 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-15 09:08:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 09:06:33 0 d-------- C:\kav
2008-07-11 10:24:46 0 d-------- C:\Documents and Settings\Kelly\Application Data\abelhadigital.com
2008-07-11 10:24:46 0 d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-07-11 10:21:50 6735942 --a------ C:\backup.reg
2008-07-09 18:45:48 0 d-------- C:\Documents and Settings\Kelly\Application Data\OnlineArmor
2008-07-09 18:45:48 0 d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-07-09 18:45:34 28872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-07-09 18:45:34 25600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-07-09 18:45:34 75776 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-07-09 18:45:34 0 d-------- C:\Program Files\Tall Emu
2008-07-04 14:02:01 0 d-------- C:\Program Files\HostsMan


-- Find3M Report ---------------------------------------------------------------

2008-08-04 12:35:00 0 d-------- C:\Program Files\Lavasoft
2008-08-04 12:32:38 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 13:06:37 0 d-------- C:\Program Files\Paltalk Messenger
2008-07-31 18:00:01 0 d-------- C:\Program Files\Java
2008-07-31 17:50:26 0 d-------- C:\Program Files\Common Files\Real
2008-07-31 17:50:03 0 d-------- C:\Program Files\Common Files
2008-07-31 17:49:18 0 d-------- C:\Documents and Settings\Kelly\Application Data\Real
2008-07-31 13:15:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 13:12:43 0 d-------- C:\Program Files\SpywareGuard
2008-07-28 15:17:09 0 d-------- C:\Program Files\TVK - CoolText Extreme
2008-07-25 22:13:48 0 d-------- C:\Program Files\SpeedFan
2008-07-25 16:04:28 0 d-------- C:\Program Files\OpenTalk
2008-07-16 05:29:52 118784 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-16 05:29:50 16267 --a------ C:\WINDOWS\mozver.dat
2008-07-16 05:29:21 118784 --a------ C:\WINDOWS\GREUninstall.exe
2008-07-09 21:00:44 0 d-------- C:\Program Files\HP
2008-07-09 20:52:11 0 d-------- C:\Program Files\kontiki
2008-07-09 14:19:25 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-03 22:34:19 0 d-------- C:\Program Files\HD Tune
2008-07-01 01:04:47 0 d-------- C:\Program Files\Messenger
2008-07-01 01:04:23 0 d-------- C:\Program Files\Movie Maker
2008-07-01 01:02:15 0 d-------- C:\Program Files\Windows NT
2008-06-29 18:15:35 0 d-------- C:\Program Files\Napster
2008-06-29 10:55:37 0 d-------- C:\Program Files\MSECache
2008-06-28 17:03:27 0 d-------- C:\Program Files\Yahoo!
2008-06-28 17:03:24 0 d-------- C:\Program Files\SureThing
2008-06-28 17:03:01 0 d-------- C:\Program Files\QuickTime
2008-06-28 17:02:26 0 d-------- C:\Program Files\Logitech
2008-06-28 17:02:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 17:02:22 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-28 17:02:17 0 d-------- C:\Program Files\GemMaster
2008-06-28 17:02:12 0 d-------- C:\Program Files\Common Files\aolshare
2008-06-28 17:02:11 0 d-------- C:\Program Files\Common Files\AOL
2008-06-28 17:02:04 0 d-------- C:\Program Files\CD to MP3 Freeware
2008-06-28 17:02:04 0 d-------- C:\Program Files\BitComet
2008-06-28 17:02:04 0 d-------- C:\Program Files\Audible
2008-06-28 14:34:28 0 d-------- C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-06-28 14:24:33 0 d-------- C:\Program Files\DrWeb
2008-06-28 12:09:39 0 d-------- C:\Program Files\WinUpdatesList
2008-06-28 11:59:58 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-06-28 00:19:13 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-27 23:32:13 0 d-------- C:\Program Files\Common Files\Java
2008-06-24 18:57:59 0 d-------- C:\Program Files\Shockwave.com
2008-06-15 21:31:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-12 15:36:36 0 d-------- C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-06-12 15:36:26 0 d-------- C:\Program Files\iTunes
2008-06-12 15:35:16 0 d-------- C:\Program Files\iPod
2008-06-12 15:29:35 0 d-------- C:\Program Files\Apple Software Update
2008-06-08 16:20:06 0 d-------- C:\Documents and Settings\Kelly\Application Data\Adobe
2008-06-06 08:57:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-05 23:32:44 0 d-------- C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-06-04 19:37:15 0 d-------- C:\Program Files\Trend Micro
2008-06-04 19:25:50 0 d-------- C:\Program Files\7-Zip


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/09/2006 17:50]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [04/17/2008 05:22]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 18:36]
"PCDrProfiler"="C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" [04/06/2006 13:17]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [05/10/2006 17:44]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [04/17/2008 14:51]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 16:24]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 00:14]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50]
"PwrUpTweakMe"="C:\WINDOWS\system32\PuXpTwks.exe" [09/12/2005 11:36]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/16/2006 00:34]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/03/2005 01:19 C:\WINDOWS\arpwrmsg.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostsMan"="C:\Program Files\HostsMan\hm.exe" [06/16/2008 04:19]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [11/28/2006 12:47]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [11/23/2006 17:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [04/17/2008 05:22 671432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-04 13:32:40 ------------

#17 Mike (Malware Monger, Retired Staff, 2,745 posts)

Well, that is no fun at all.

The files are for some reason being interpreted as folders. Could you try doing the same Avenger script in Safe Mode, i.e.:

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account.

Then do the Avenger instructions again.

Do this for me then:

Please go here to install the Recovery Console and for a guide on using ComboFix.
Please note: installing the Recovery Console plays a vital part in making this process of cleaning your computer safe; don't overlook this!

Now please download ComboFix from here or here. It is important that you save this file to your desktop.

Double-click ComboFix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

A quick heads-up: if you click on ComboFix's window while it's running, you may cause it to stall.

Post back :)

#18 kelkay (Member, Topic Starter, 423 posts)

If you press Restart and it starts loading, you will see Windows and Recovery Console, so it is already installed. Also, if you go to Safe Mode, I believe you see the Recovery Console as well. I had to contact HP about that, to see. I have never used the Recovery Console, but it is there. I will try Avenger in Safe Mode.

Edited by kelkay, 04 August 2008 - 02:07 PM.


#19 Mike (Malware Monger, Retired Staff, 2,745 posts)

Even better, that saves you a step :)

I'll wait on the logs.

#20 kelkay (Member, Topic Starter, 423 posts)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "AZZVJ"
Disablement of driver "AZZVJ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "OYKNVASYNG"
Disablement of driver "OYKNVASYNG" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\AZZVJ" not found!
Deletion of driver "AZZVJ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\OYKNVASYNG" not found!
Deletion of driver "OYKNVASYNG" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\WINDOWS\system32\C3.DLL" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\C3.DLL" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\C3.SYS" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\C3.SYS" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\C4.SYS" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\C4.SYS" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\fuxx32.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\fuxx32.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\klo5.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\klo5.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\qo.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\qo.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\qo.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\qo.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\qy.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\qy.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\qz.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\qz.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\qz.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\qz.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\yvpp01.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\yvpp01.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\smss.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\smss.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\wintems.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\filekiller.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\filekiller.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\7search.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\7search.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\klo5.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\klo5.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\ieaccess2.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\ieaccess2.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\draw32.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\draw32.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\cm.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\cm.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\sdmapi.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\sdmapi.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\boot32.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\boot32.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\vdnt32.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\vdnt32.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\memlow.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\memlow.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\hm.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\hm.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\wd.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\wd.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Completed script processing.

*******************

Finished! Terminate.

#21 kelkay (Member, Topic Starter, 423 posts)

Do you want me to do another DSS now? Then the ComboFix step?

Edited by kelkay, 04 August 2008 - 02:06 PM.


#22 Mike (Malware Monger, Retired Staff, 2,745 posts)

Use this script with Avenger and see what it says, please, out of interest.

Begin copying here:
Folders to delete:
C:\WINDOWS\system32\C3.DLL
C:\WINDOWS\system32\C3.SYS
C:\WINDOWS\system32\C4.SYS
C:\WINDOWS\system32\fuxx32.dll
C:\WINDOWS\system32\klo5.sys
C:\WINDOWS\system32\qo.dll
C:\WINDOWS\system32\qo.sys
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\yvpp01.dll
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\filekiller.dll
C:\WINDOWS\system32\7search.dll
C:\WINDOWS\system32\klo5.sys
C:\WINDOWS\system32\ieaccess2.dll
C:\WINDOWS\system32\draw32.dll
C:\WINDOWS\system32\cm.dll
C:\WINDOWS\system32\sdmapi.sys
C:\WINDOWS\system32\boot32.sys
C:\WINDOWS\system32\vdnt32.sys
C:\WINDOWS\system32\memlow.sys
C:\WINDOWS\system32\hm.sys
C:\WINDOWS\system32\wd.sys

Continue with ComboFix after that, please; no need for a DSS log.

#23 kelkay (Member, Topic Starter, 423 posts)

Do you want me to put the computer in Safe Mode to do the Avenger again first?

Since you did not say to, I just ran it the regular way. Here are the results.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\WINDOWS\system32\C3.DLL" deleted successfully.
Folder "C:\WINDOWS\system32\C3.SYS" deleted successfully.
Folder "C:\WINDOWS\system32\C4.SYS" deleted successfully.
Folder "C:\WINDOWS\system32\fuxx32.dll" deleted successfully.
Folder "C:\WINDOWS\system32\klo5.sys" deleted successfully.
Folder "C:\WINDOWS\system32\qo.dll" deleted successfully.
Folder "C:\WINDOWS\system32\qo.sys" deleted successfully.
Folder "C:\WINDOWS\system32\qy.sys" deleted successfully.
Folder "C:\WINDOWS\system32\qz.dll" deleted successfully.
Folder "C:\WINDOWS\system32\qz.sys" deleted successfully.
Folder "C:\WINDOWS\system32\yvpp01.dll" deleted successfully.
Folder "C:\WINDOWS\smss.exe" deleted successfully.
Folder "C:\WINDOWS\system32\wintems.exe" deleted successfully.
Folder "C:\WINDOWS\system32\filekiller.dll" deleted successfully.
Folder "C:\WINDOWS\system32\7search.dll" deleted successfully.

Error: folder "C:\WINDOWS\system32\klo5.sys" not found!
Deletion of folder "C:\WINDOWS\system32\klo5.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\system32\ieaccess2.dll" deleted successfully.
Folder "C:\WINDOWS\system32\draw32.dll" deleted successfully.
Folder "C:\WINDOWS\system32\cm.dll" deleted successfully.
Folder "C:\WINDOWS\system32\sdmapi.sys" deleted successfully.
Folder "C:\WINDOWS\system32\boot32.sys" deleted successfully.
Folder "C:\WINDOWS\system32\vdnt32.sys" deleted successfully.
Folder "C:\WINDOWS\system32\memlow.sys" deleted successfully.
Folder "C:\WINDOWS\system32\hm.sys" deleted successfully.
Folder "C:\WINDOWS\system32\wd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by kelkay, 04 August 2008 - 02:21 PM.

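The Avenger log above shows one failed deletion, and it is for the one path the script lists twice (klo5.sys): the second pass reports STATUS_OBJECT_NAME_NOT_FOUND because the first pass had already removed it. As an added example that is not part of this thread or of Avenger itself, the Python below reconciles an Avenger script against the log it produced, working from constructed, abridged copies of the two posted here, so that failures explained by a repeated script line are kept apart from entries that were never acted on.

```python
import re
from collections import Counter

# Constructed sample, abridged from the Avenger script and log posted in this
# thread; note the repeated klo5.sys line in the script.
SAMPLE_SCRIPT = """Folders to delete:
C:\\WINDOWS\\system32\\C3.DLL
C:\\WINDOWS\\system32\\klo5.sys
C:\\WINDOWS\\system32\\qo.dll
C:\\WINDOWS\\system32\\klo5.sys
C:\\WINDOWS\\system32\\wd.sys
"""

SAMPLE_LOG = """Folder "C:\\WINDOWS\\system32\\C3.DLL" deleted successfully.
Folder "C:\\WINDOWS\\system32\\klo5.sys" deleted successfully.
Folder "C:\\WINDOWS\\system32\\qo.dll" deleted successfully.

Error: folder "C:\\WINDOWS\\system32\\klo5.sys" not found!
Deletion of folder "C:\\WINDOWS\\system32\\klo5.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\\WINDOWS\\system32\\wd.sys" deleted successfully.
"""

# An Avenger script is a series of "<Things> to <verb>:" headers, each followed by
# one path per line; the log prints one line per success and a short block per failure.
SECTION_RE = re.compile(r"^[A-Za-z ]+ to [a-z]+:$")
SUCCESS_RE = re.compile(r'^(?:Folder|File|Driver) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (?:folder|file|driver) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8}) \((\w+)\)$")


def norm(path):
    """Windows paths are case-insensitive, so compare them in lower case."""
    return path.strip().lower()


def parse_script(text):
    """Return {section_header: [path, ...]}, keeping order and repeats."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return ordered (path, 'deleted'|'failed', ntstatus_or_None) tuples."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUCCESS_RE.match(line)
        if m:
            events.append((norm(m.group(1)), "deleted", None))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = norm(m.group(1))  # the Status line follows
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            events.append((pending, "failed", f"{m.group(1)} {m.group(2)}"))
            pending = None
    return events


def reconcile(script_text, log_text):
    """Cross-check every script entry against what the log says happened."""
    listed = [norm(p) for paths in parse_script(script_text).values() for p in paths]
    counts = Counter(listed)

    deleted, failed, explained = set(), {}, []
    for path, outcome, status in parse_log(log_text):
        if outcome == "deleted":
            deleted.add(path)
            continue
        failed.setdefault(path, []).append(status)
        # NOT_FOUND after an earlier success on the same path is the tool
        # tripping over a repeated script line, not a file that survived.
        if path in deleted and "STATUS_OBJECT_NAME_NOT_FOUND" in status:
            explained.append(path)

    seen = deleted | set(failed)
    return {
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
        "deleted": sorted(deleted),
        "failed": failed,
        "explained_failures": explained,
        "unresolved": sorted(p for p in counts if p not in seen),  # never mentioned in log
        "unlisted": sorted(p for p in seen if p not in counts),  # in log but not in script
    }
```

Entries left in "unresolved" are the ones worth a second look after a run; an "explained_failures" entry only means the script repeated a line.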

#24
kelkay

    Member

  • Topic Starter
  • Member
  • 423 posts
ComboFix 08-08-03.05 - Kelly 2008-08-04 15:26:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.498 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 13:18 . 2008-08-04 15:14 135,168 --a------ C:\zip.exe
2008-08-04 13:18 . 2008-08-04 15:14 19,286 --a------ C:\cleanup.exe
2008-08-04 13:18 . 2008-08-04 15:14 574 --a------ C:\cleanup.bat
2008-08-03 16:37 . 2008-08-03 16:37 <DIR> d-------- C:\Deckard
2008-08-01 05:01 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\70C.tmp
2008-07-30 21:01 . 2008-08-03 16:26 466,502 --a------ C:\HaxFix.exe
2008-07-29 14:12 . 2008-07-29 14:12 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-29 14:11 . 2008-07-29 14:14 <DIR> d-------- C:\Program Files\ATT
2008-07-29 10:20 . 2008-07-29 10:21 492 --a------ C:\Documents and Settings\Kelly\Application Data\wklnhst.dat
2008-07-27 12:21 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\6AB.tmp
2008-07-27 10:52 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\699.tmp
2008-07-27 10:47 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\698.tmp
2008-07-26 13:57 . 2008-07-26 13:57 <DIR> d-------- C:\Program Files\ERUNT
2008-07-26 13:43 . 2008-07-28 15:24 <DIR> d-------- C:\Program Files\Trillian
2008-07-26 13:24 . 2008-07-26 13:24 <DIR> d-------- C:\Program Files\InterMute
2008-07-26 01:07 . 2008-08-04 15:16 38,400 --a------ C:\WINDOWS\system32\pcdhdm.cpl
2008-07-26 00:01 . 2008-07-26 01:07 <DIR> d-------- C:\Program Files\PC-Doctor 5 for Windows
2008-07-22 20:51 . 2008-07-22 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-19 14:37 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-17 21:50 . 2008-07-17 21:51 <DIR> d-------- C:\Program Files\FlySim
2008-07-15 09:08 . 2008-07-15 09:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-15 09:08 . 2008-08-04 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 09:08 . 2008-08-04 15:28 35,843,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 09:08 . 2008-08-04 15:14 480,764 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 09:08 . 2008-08-04 15:28 254,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 09:08 . 2008-07-24 08:58 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-15 09:08 . 2008-07-24 08:58 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-15 09:08 . 2008-08-04 15:14 24,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 09:06 . 2008-07-15 09:06 <DIR> d-------- C:\kav
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\abelhadigital.com
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-07-11 10:21 . 2008-08-04 14:56 6,735,942 --a------ C:\backup.reg
2008-07-09 18:45 . 2008-07-09 18:45 <DIR> d-------- C:\Program Files\Tall Emu
2008-07-09 18:45 . 2008-08-04 15:25 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-08-04 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-07-09 19:05 75,776 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-07-09 18:45 . 2008-04-17 05:22 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-07-09 18:45 . 2008-07-09 19:05 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-07-09 09:55 . 2008-06-20 06:51 361,600 --------- C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 09:55 . 2008-06-20 06:08 225,856 --------- C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 09:55 . 2008-06-20 06:40 138,496 --------- C:\WINDOWS\system32\drivers\afd.sys
2008-07-04 14:02 . 2008-07-04 14:02 <DIR> d-------- C:\Program Files\HostsMan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-08-04 17:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 17:32 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-02 18:06 --------- d-----w C:\Program Files\Paltalk Messenger
2008-07-31 23:00 --------- d-----w C:\Program Files\Java
2008-07-31 22:50 --------- d-----w C:\Program Files\Common Files\Real
2008-07-31 18:15 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-07-31 01:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 20:17 --------- d-----w C:\Program Files\TVK - CoolText Extreme
2008-07-26 03:13 --------- d-----w C:\Program Files\SpeedFan
2008-07-25 21:04 --------- d-----w C:\Program Files\OpenTalk
2008-07-21 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-07-15 14:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-10 02:00 --------- d-----w C:\Program Files\HP
2008-07-10 01:52 --------- d-----w C:\Program Files\kontiki
2008-07-10 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-04 03:34 --------- d-----w C:\Program Files\HD Tune
2008-07-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 16:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 23:15 --------- d-----w C:\Program Files\Napster
2008-06-29 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\RunOff
2008-06-29 15:55 --------- d-----w C:\Program Files\MSECache
2008-06-28 22:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-28 22:03 --------- d-----w C:\Program Files\SureThing
2008-06-28 22:03 --------- d-----w C:\Program Files\QuickTime
2008-06-28 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 22:02 --------- d-----w C:\Program Files\Logitech
2008-06-28 22:02 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-28 22:02 --------- d-----w C:\Program Files\GemMaster
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-28 22:02 --------- d-----w C:\Program Files\CD to MP3 Freeware
2008-06-28 22:02 --------- d-----w C:\Program Files\BitComet
2008-06-28 22:02 --------- d-----w C:\Program Files\Audible
2008-06-28 19:40 --------- d-----w C:\Program Files\ESET
2008-06-28 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-06-28 19:34 --------- d-----w C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-06-28 19:24 --------- d-----w C:\Program Files\DrWeb
2008-06-28 17:09 --------- d-----w C:\Program Files\WinUpdatesList
2008-06-28 16:59 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-06-28 05:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-28 04:32 --------- d-----w C:\Program Files\Common Files\Java
2008-06-24 23:57 --------- d-----w C:\Program Files\Shockwave.com
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-16 20:01 2,869,536 ----a-w C:\spywareblastersetup41.exe
2008-06-16 02:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 20:36 --------- d-----w C:\Program Files\iTunes
2008-06-12 20:36 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-06-12 20:35 --------- d-----w C:\Program Files\iPod
2008-06-12 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-12 20:29 --------- d-----w C:\Program Files\Apple Software Update
2008-06-12 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-06 13:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 13:55 23,454,528 ----a-w C:\AdbeRdr812_en_US.exe
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 04:30 1,756,760 ----a-w C:\mbam-setup.exe
2008-06-05 00:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-05 00:25 --------- d-----w C:\Program Files\7-Zip
2008-06-04 19:37 142,096 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-12-17 15:57 1,646 ----a-w C:\Documents and Settings\Kayla\Application Data\wklnhst.dat
2006-11-28 05:00 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( [email protected]_18.23.03.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\7-26-2008\ERDNT.EXE
+ 2008-07-26 18:58:20 10,952,704 ----a-w C:\WINDOWS\erdnt\7-26-2008\Users\00000001\NTUSER.DAT
+ 2008-07-26 18:58:20 430,080 ----a-w C:\WINDOWS\erdnt\7-26-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-26-2008\ERDNT.EXE
+ 2008-07-26 20:08:50 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-26-2008\Users\00000001\NTUSER.DAT
+ 2008-07-26 20:08:50 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-26-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-27-2008\ERDNT.EXE
+ 2008-07-27 14:39:29 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-27-2008\Users\00000001\NTUSER.DAT
+ 2008-07-27 14:39:30 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-27-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-28-2008\ERDNT.EXE
+ 2008-07-28 21:30:59 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-28-2008\Users\00000001\NTUSER.DAT
+ 2008-07-28 21:31:05 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-28-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-29-2008\ERDNT.EXE
+ 2008-07-29 14:37:54 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-29-2008\Users\00000001\NTUSER.DAT
+ 2008-07-29 14:37:55 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-29-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-30-2008\ERDNT.EXE
+ 2008-07-30 15:12:58 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-30-2008\Users\00000001\NTUSER.DAT
+ 2008-07-30 15:12:58 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-30-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-31-2008\ERDNT.EXE
+ 2008-07-31 06:16:41 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-31-2008\Users\00000001\NTUSER.DAT
+ 2008-07-31 06:16:41 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\7-31-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-1-2008\ERDNT.EXE
+ 2008-08-02 03:45:39 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-1-2008\Users\00000001\NTUSER.DAT
+ 2008-08-02 03:45:40 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-1-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-2-2008\ERDNT.EXE
+ 2008-08-02 14:30:08 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-2-2008\Users\00000001\NTUSER.DAT
+ 2008-08-02 14:30:09 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-2-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-3-2008\ERDNT.EXE
+ 2008-08-03 15:14:07 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-3-2008\Users\00000001\NTUSER.DAT
+ 2008-08-03 15:14:08 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-3-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-4-2008\ERDNT.EXE
+ 2008-08-04 14:51:29 10,952,704 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-4-2008\Users\00000001\NTUSER.DAT
+ 2008-08-04 14:51:30 430,080 ----a-w C:\WINDOWS\erdnt\AutoBackup\8-4-2008\Users\00000002\UsrClass.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-07-26 03:53:13 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
+ 2008-07-28 21:05:40 65,536 ----a-r C:\WINDOWS\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\ARPPRODUCTICON.exe
+ 2008-07-28 21:05:40 643,072 ----a-r C:\WINDOWS\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
- 2008-07-24 02:09:25 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-31 15:15:03 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-24 02:09:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-31 15:15:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-24 02:09:25 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-31 15:15:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-11 05:27:00 28,848 -c--a-w C:\WINDOWS\system32\drivers\USBkey.sys
+ 2006-05-10 22:27:00 28,848 -c--a-w C:\WINDOWS\system32\drivers\USBkey.sys
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
- 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-04-07 03:49:39 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-08-02 00:31:06 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-04-07 03:57:10 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-07-31 23:18:44 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2006-09-24 13:28:47 5,248 ----a-w C:\WINDOWS\system32\speedfan.sys
+ 2006-09-24 13:28:46 5,248 ----a-w C:\WINDOWS\system32\speedfan.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostsMan"="C:\Program Files\HostsMan\hm.exe" [2008-06-16 04:19 2847232]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-28 12:47 1040832]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 17:50 7311360]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:22 5606464]
"PCDrProfiler"="C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" [2006-04-06 13:17 53248]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2006-05-10 17:44 376832]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-04-17 14:51 1870592]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 00:14 237568]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PwrUpTweakMe"="C:\WINDOWS\system32\PuXpTwks.exe" [2005-09-12 11:36 45056]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 00:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 19:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Kayla\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-07-31 20:44:35 27136]

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20566:TCP"= 20566:TCP:BitComet 20566 TCP
"20566:UDP"= 20566:UDP:BitComet 20566 UDP

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-07-09 19:05]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-07-09 19:05]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 05:22]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 13:47]
S2 SvcOnlineArmor;Online Armor;C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-04-17 05:22]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://yahoo.sbc.com/dsl


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 15:28:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"
.
Completion time: 2008-08-04 15:30:33
ComboFix-quarantined-files.txt 2008-08-04 20:30:17
ComboFix2.txt 2008-07-26 00:52:46
ComboFix3.txt 2008-07-24 23:24:04

Pre-Run: 191,911,362,560 bytes free
Post-Run: 191,892,889,600 bytes free

304 --- E O F --- 2008-07-09 18:55:03

#25
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Just so you aren't hanging around in the thread, it's bedtime here so I will reply in the morning :)

In the meanwhile I would be interested in what ComboFix picked up in its previous runs. Could you please attach C:\qoobox\ComboFix-quarantined-files.txt in your next reply?

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



#26
kelkay

    Member

  • Topic Starter
  • Member
  • 423 posts
2005-02-12 23:00 10373 --a------ C:\Qoobox\Quarantine\C\install.bat.vir
2007-10-09 19:49 251 --a------ C:\Qoobox\Quarantine\C\Program Files\wt3d.ini.vir
2008-07-13 15:00 313 --a------ C:\Qoobox\Quarantine\C\avexport.bat.vir
2008-07-24 17:13 19286 --a------ C:\Qoobox\Quarantine\C\cleanup.exe.vir
2008-07-24 17:13 574 --a------ C:\Qoobox\Quarantine\C\cleanup.bat.vir
2008-07-24 18:23 146 --a------ C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
2008-07-24 18:23 189 --a------ C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-updateMgr.reg.dat
2008-07-24 21:17 1054 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_MEMSWEEP2.reg.dat
2008-07-24 21:17 2434 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_MEMSWEEP2.reg.dat
2008-07-24 21:17 2702 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_OYKNVASYNG.reg.dat
2008-07-24 21:17 822 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_OYKNVASYNG.reg.dat
2008-07-25 19:40 1290 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_MCHINJDRV.reg.dat
2008-07-25 19:40 850 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_mchInjDrv.reg.dat
2008-07-25 19:51 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-07-25 19:51 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-07-25 19:51 0 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-04 15:28 216 --a------ C:\Qoobox\Quarantine\catchme.log


Legacy is a genealogy program. I wonder why it was put in quarantine. Alright Mike, have a good night's rest. THANK YOU for helping me. I really do appreciate it.

Edited by kelkay, 04 August 2008 - 03:13 PM.


#27
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Good morning :)

The Legacy you are referring to is not what is in the quarantine; those are legacy keys from drivers.

Let's get some more information before we do too much.

First off, re-run HaxFix and select option 1 - Make a logfile. Post the results here please.

Then,

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\cleanup.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Next,

Please click Start, then Run, and in the window that appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
FileLook::
C:\cleanup.bat

File::
C:\WINDOWS\system32\70C.tmp
C:\WINDOWS\system32\699.tmp
C:\WINDOWS\system32\698.tmp
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Post back with those results please.

#28
kelkay

    Member

  • Topic Starter
  • Member
  • 423 posts
HAXFIX logfile - by Marckie

version 5.01.2
Tue 08/05/2008 11:27:01.54
running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
ASPI32

checking for matching safeboot services
no matching safeboot services found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking iexplore.exe
iexplore.exe is not infected


--- Checking for other Goldun and Haxdoor files ---
no other Haxdoor or Goldun files found


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 11:27:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

#29
kelkay

    Member

  • Topic Starter
  • Member
  • 423 posts
I tried to copy and paste, but it did not work. It did say no infection found. It also said this...
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database.
File Name : cleanup.exe
File Size : 19286 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : d5816bddd4382975c1693cce68547fcc
SHA1 : 619e67d565bb4e5ce9557aff4e0a3bdf8d11b74d

Scanner results : All Scanners reported not find malware!
Time : 2008/08/05 11:46:48 (CDT)

#30
kelkay

    Member

  • Topic Starter
  • Member
  • 423 posts
It did not ask me to reboot this time. Here are the results. :)


ComboFix 08-08-04.06 - Kelly 2008-08-05 12:08:58.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.433 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelly\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 11:26 . 2008-08-05 11:35 <DIR> d-------- C:\HaxFix
2008-08-05 11:26 . 2008-08-05 11:24 466,502 --a------ C:\HaxFix.exe
2008-08-04 13:18 . 2008-08-04 15:14 135,168 --a------ C:\zip.exe
2008-08-04 13:18 . 2008-08-04 15:14 19,286 --a------ C:\cleanup.exe
2008-08-03 16:37 . 2008-08-03 16:37 <DIR> d-------- C:\Deckard
2008-08-01 05:01 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\70C.tmp
2008-07-29 14:12 . 2008-07-29 14:12 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-29 14:11 . 2008-07-29 14:14 <DIR> d-------- C:\Program Files\ATT
2008-07-29 10:20 . 2008-07-29 10:21 492 --a------ C:\Documents and Settings\Kelly\Application Data\wklnhst.dat
2008-07-27 12:21 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\6AB.tmp
2008-07-27 10:52 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\699.tmp
2008-07-27 10:47 . 2007-08-14 09:12 5,760 --------- C:\WINDOWS\system32\698.tmp
2008-07-26 13:57 . 2008-07-26 13:57 <DIR> d-------- C:\Program Files\ERUNT
2008-07-26 13:43 . 2008-07-28 15:24 <DIR> d-------- C:\Program Files\Trillian
2008-07-26 13:24 . 2008-07-26 13:24 <DIR> d-------- C:\Program Files\InterMute
2008-07-26 01:07 . 2008-08-04 20:31 38,400 --a------ C:\WINDOWS\system32\pcdhdm.cpl
2008-07-26 00:01 . 2008-07-26 01:07 <DIR> d-------- C:\Program Files\PC-Doctor 5 for Windows
2008-07-22 20:51 . 2008-07-22 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-19 14:37 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-17 21:50 . 2008-07-17 21:51 <DIR> d-------- C:\Program Files\FlySim
2008-07-15 09:08 . 2008-07-15 09:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-15 09:08 . 2008-08-05 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 09:08 . 2008-08-05 12:11 36,209,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 09:08 . 2008-08-04 20:27 483,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 09:08 . 2008-08-05 12:11 264,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 09:08 . 2008-07-24 08:58 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-15 09:08 . 2008-07-24 08:58 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-15 09:08 . 2008-08-04 20:27 25,268 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 09:06 . 2008-07-15 09:06 <DIR> d-------- C:\kav
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\abelhadigital.com
2008-07-11 10:24 . 2008-07-11 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2008-07-11 10:21 . 2008-08-04 14:56 6,735,942 --a------ C:\backup.reg
2008-07-09 18:45 . 2008-07-09 18:45 <DIR> d-------- C:\Program Files\Tall Emu
2008-07-09 18:45 . 2008-08-05 12:07 <DIR> d-------- C:\Documents and Settings\Kelly\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-08-05 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-07-09 18:45 . 2008-07-09 19:05 75,776 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-07-09 18:45 . 2008-04-17 05:22 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-07-09 18:45 . 2008-07-09 19:05 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-07-09 09:55 . 2008-06-20 06:51 361,600 --------- C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 09:55 . 2008-06-20 06:08 225,856 --------- C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 09:55 . 2008-06-20 06:40 138,496 --------- C:\WINDOWS\system32\drivers\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 20:35 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-04 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-08-02 18:06 --------- d-----w C:\Program Files\Paltalk Messenger
2008-07-31 23:00 --------- d-----w C:\Program Files\Java
2008-07-31 22:50 --------- d-----w C:\Program Files\Common Files\Real
2008-07-31 18:15 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 18:12 --------- d-----w C:\Program Files\SpywareGuard
2008-07-31 01:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 20:17 --------- d-----w C:\Program Files\TVK - CoolText Extreme
2008-07-26 03:13 --------- d-----w C:\Program Files\SpeedFan
2008-07-25 21:04 --------- d-----w C:\Program Files\OpenTalk
2008-07-21 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\SeaMonkeyUninstall.exe
2008-07-16 10:29 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-07-15 14:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-10 02:00 --------- d-----w C:\Program Files\HP
2008-07-10 01:52 --------- d-----w C:\Program Files\kontiki
2008-07-10 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-04 19:02 --------- d-----w C:\Program Files\HostsMan
2008-07-04 03:34 --------- d-----w C:\Program Files\HD Tune
2008-07-02 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-02 16:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 23:15 --------- d-----w C:\Program Files\Napster
2008-06-29 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\RunOff
2008-06-29 15:55 --------- d-----w C:\Program Files\MSECache
2008-06-28 22:03 --------- d-----w C:\Program Files\Yahoo!
2008-06-28 22:03 --------- d-----w C:\Program Files\SureThing
2008-06-28 22:03 --------- d-----w C:\Program Files\QuickTime
2008-06-28 22:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 22:02 --------- d-----w C:\Program Files\Logitech
2008-06-28 22:02 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-28 22:02 --------- d-----w C:\Program Files\GemMaster
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-28 22:02 --------- d-----w C:\Program Files\CD to MP3 Freeware
2008-06-28 22:02 --------- d-----w C:\Program Files\BitComet
2008-06-28 22:02 --------- d-----w C:\Program Files\Audible
2008-06-28 19:40 --------- d-----w C:\Program Files\ESET
2008-06-28 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-06-28 19:34 --------- d-----w C:\Documents and Settings\Kelly\Application Data\SUPERAntiSpyware.com
2008-06-28 19:24 --------- d-----w C:\Program Files\DrWeb
2008-06-28 17:09 --------- d-----w C:\Program Files\WinUpdatesList
2008-06-28 16:59 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-06-28 05:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-28 04:32 --------- d-----w C:\Program Files\Common Files\Java
2008-06-24 23:57 --------- d-----w C:\Program Files\Shockwave.com
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-16 20:01 2,869,536 ----a-w C:\spywareblastersetup41.exe
2008-06-16 02:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 20:36 --------- d-----w C:\Program Files\iTunes
2008-06-12 20:36 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Apple Computer
2008-06-12 20:35 --------- d-----w C:\Program Files\iPod
2008-06-12 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-12 20:29 --------- d-----w C:\Program Files\Apple Software Update
2008-06-12 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-06 13:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 13:55 23,454,528 ----a-w C:\AdbeRdr812_en_US.exe
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-06-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 04:30 1,756,760 ----a-w C:\mbam-setup.exe
2008-06-05 00:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-05 00:25 --------- d-----w C:\Program Files\7-Zip
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-12-17 15:57 1,646 ----a-w C:\Documents and Settings\Kayla\Application Data\wklnhst.dat
2006-11-28 05:00 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.bat -- Invalid filepath or file no longer exist


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostsMan"="C:\Program Files\HostsMan\hm.exe" [2008-06-16 04:19 2847232]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-28 12:47 1040832]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 17:12 851968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 17:50 7311360]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:22 5606464]
"PCDrProfiler"="C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" [2006-04-06 13:17 53248]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2006-05-10 17:44 376832]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-04-17 14:51 1870592]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 00:14 237568]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PwrUpTweakMe"="C:\WINDOWS\system32\PuXpTwks.exe" [2005-09-12 11:36 45056]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 00:34 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 19:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Kayla\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-07-31 20:44:35 27136]

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=C:\WINDOWS\pss\Updates From HP.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1164757353\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20566:TCP"= 20566:TCP:BitComet 20566 TCP
"20566:UDP"= 20566:UDP:BitComet 20566 UDP

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-07-09 19:05]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-07-09 19:05]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 05:22]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 13:47]
S2 SvcOnlineArmor;Online Armor;C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-04-17 05:22]

*Newly Created Service* - PCD5SRVC{8A863ACB-F5F6CC6A-05010004}
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 12:11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-08-05 12:13:35
ComboFix-quarantined-files.txt 2008-08-05 17:13:21
ComboFix2.txt 2008-08-04 20:30:37
ComboFix3.txt 2008-07-26 00:52:46
ComboFix4.txt 2008-07-24 23:24:04

Pre-Run: 192,519,159,808 bytes free
Post-Run: 192,497,422,336 bytes free

243 --- E O F --- 2008-07-09 18:55:03