Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

rootkit + vundo infection [CLOSED]

Started by apohran , May 12 2008 10:17 PM

  • This topic is locked This topic is locked

#1
apohran
Posted 12 May 2008 - 10:17 PM

apohran

    New Member

  • Member
  • Pip
  • 8 posts
It started when my internet started to really slow down. I had some odd icons in the taskbar and popups galore. After running numerous scanners and antivirus programs I've eliminated those two symptoms but I'm still concerned as SUPERantiSpyware keeps detecting rootkit instances.

On the surface everything seems fine -- I'm just concered about reappearing infected files. Everytime I restart I keep finding more..... any suggestions?

HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:04, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\3D92.tmp
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.levelplatforms.com/exchange
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [9sQsxXDj6V] C:\WINDOWS\TEMP\win14.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: winnt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6106 bytes

Malwarebytes log:
Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Quick Scan
Objects scanned: 35787
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
c:\WINDOWS\Temp\3D92.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\3D92.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jkkHaXRk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8F30.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9BA2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\17PHolmes2000352.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

  • 0

Advertisements

#2
apohran
Posted 12 May 2008 - 10:41 PM

apohran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is Malwarebytes log after immediate restart:
Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Quick Scan
Objects scanned: 35149
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\tcpsr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Delete on reboot.

  • 0

#3
Rorschach112
Posted 13 May 2008 - 06:13 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please don't put the logs in code boxes


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#4
apohran
Posted 13 May 2008 - 06:57 AM

apohran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Combofix log:

ComboFix 08-05-12.1 - Andrew 2008-05-13 8:47:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.631 [GMT -4:00]
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Nuc28.sys
C:\WINDOWS\system32\WinData.cab

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NUC28
-------\Legacy_TCPSR
-------\Service_Nuc28
-------\Service_yzbgqap


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 00:09 . 2008-05-13 00:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 00:08 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 00:08 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 22:25 . 2008-05-12 22:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 22:25 . 2008-05-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 21:43 . 2008-05-12 22:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-12 16:21 . 2008-05-12 16:21 <DIR> d-------- C:\Program Files\Panda Security
2008-05-12 08:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-11 23:28 . 2008-05-11 23:28 84 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-05-11 23:15 . 2008-05-12 23:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-11 23:15 . 2008-05-12 23:34 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-11 22:33 . 2008-05-12 22:12 <DIR> d-------- C:\VundoFix Backups
2008-05-11 22:07 . 2008-05-11 22:07 106,496 --a------ C:\WINDOWS\system32\gbyjasqm.dll
2008-05-11 19:07 . 2008-05-13 00:21 <DIR> d-------- C:\Program Files\Starcraft
2008-05-09 21:59 . 2008-05-09 21:59 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\Program Files\Real
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-09 21:43 . 2008-05-09 21:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 21:43 . 2008-05-09 21:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 21:39 . 2008-05-09 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-09 21:33 . 2008-05-09 21:33 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Media Player Classic
2008-05-08 23:29 . 2008-05-08 23:34 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\U3
2008-05-06 20:23 . 2008-05-09 19:58 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Microsoft Games
2008-05-03 14:04 . 2008-05-03 14:04 18,620 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 17:16 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-27 17:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-27 17:16 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-27 17:16 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-26 11:05 . 2008-04-26 11:11 <DIR> d-------- C:\Program Files\GoldWave
2008-04-25 23:37 . 2008-04-25 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-04-25 23:36 . 2008-04-25 23:36 <DIR> d-------- C:\Program Files\GomPlayer
2008-04-25 23:36 . 2008-04-25 23:36 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\GRETECH
2008-04-25 23:25 . 2008-04-25 23:25 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-04-25 18:17 . 2006-12-07 00:14 2,330,624 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-04-24 21:08 . 2008-04-24 21:08 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-24 21:08 . 2008-04-24 21:08 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-24 19:48 . 2008-05-09 20:38 <DIR> d-------- C:\Documents and Settings\Andrew\Incomplete
2008-04-24 19:47 . 2008-04-25 00:47 <DIR> d-------- C:\Program Files\MP3 Rocket
2008-04-24 19:47 . 2008-04-25 00:50 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\MP3Rocket
2008-04-22 22:03 . 2008-04-24 21:15 <DIR> d-------- C:\Program Files\MediaMonkey
2008-04-22 21:33 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-04-22 01:49 . 2008-04-22 01:49 <DIR> d-------- C:\Documents and Settings\Andrew\.thumbnails
2008-04-22 01:48 . 2008-04-22 18:48 <DIR> d-------- C:\Documents and Settings\Andrew\.gimp-2.4
2008-04-20 18:43 . 2008-05-09 19:04 <DIR> d-------- C:\Westwood
2008-04-14 22:39 . 2008-04-14 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-14 22:39 . 2008-02-15 10:21 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-04-14 22:37 . 2008-04-14 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 23:05 . 2008-04-13 23:05 <DIR> d-------- C:\Program Files\CodeBlocks
2008-04-13 23:05 . 2008-04-28 11:05 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\codeblocks
2008-04-13 17:45 . 2008-04-13 17:45 <DIR> d-------- C:\Program Files\TrueCrypt
2008-04-13 17:45 . 2008-04-13 17:45 223,424 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-04-13 17:44 . 2008-04-14 19:15 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 12:38 --------- d-----w C:\Documents and Settings\Andrew\Application Data\OpenOffice.org2
2008-05-13 04:27 --------- d-----w C:\Documents and Settings\Andrew\Application Data\.purple
2008-05-12 03:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 02:19 --------- d-----w C:\Program Files\Google
2008-05-10 01:49 --------- d-----w C:\Program Files\Common Files\Real
2008-05-05 23:22 --------- d-----w C:\Documents and Settings\Andrew\Application Data\FileZilla
2008-05-03 18:04 --------- d-----w C:\Program Files\Picasa2
2008-04-26 03:06 --------- d-----w C:\Program Files\MediaCoder
2008-04-23 04:14 --------- d-----w C:\Documents and Settings\Andrew\Application Data\gtk-2.0
2008-04-23 00:26 --------- d-----w C:\Program Files\FileZilla FTP Client
2008-04-07 03:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 18:14 --------- d-----w C:\Program Files\Common Files\Taxman
2008-04-01 18:08 --------- d-----w C:\Program Files\StudioTax 2007
2008-03-29 19:09 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-03-29 19:08 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-29 19:07 --------- d-----w C:\Program Files\Java
2008-03-29 15:00 --------- d-----w C:\Documents and Settings\Andrew\Application Data\InstallShield
2008-03-23 01:20 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-21 16:58 --------- d-----w C:\Program Files\Graph
2008-03-19 23:41 --------- d-----w C:\Program Files\Pidgin
2008-03-14 03:49 --------- d-----w C:\Program Files\MultiDesk
2008-03-13 04:17 --------- d-----w C:\Program Files\Motorola
2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20 1024000]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-18 15:58 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-18 15:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-18 15:58 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 11:20 413696 C:\WINDOWS\stsystra.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"9sQsxXDj6V"= C:\WINDOWS\TEMP\win14.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-09-27 18:26 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Westwood\\RA2 fake\\GAME.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

S0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys []
S0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys []
S3 portio;portio;C:\Program Files\Zinf\portio.sys []
S3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d017e91e-f007-11dc-97e6-e6774b7d068e}]
\Shell\AutoRun\command - E:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 03:28:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 08:50:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-13 8:53:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 12:53:53

Pre-Run: 132,501,393,408 bytes free
Post-Run: 132,606,349,312 bytes free

198 --- E O F --- 2008-04-25 22:17:51








HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:57:52, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.levelplatforms.com/exchange
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [9sQsxXDj6V] C:\WINDOWS\TEMP\win14.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5801 bytes
  • 0

#5
Rorschach112
Posted 13 May 2008 - 07:24 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Policies\Explorer\Run: [9sQsxXDj6V] C:\WINDOWS\TEMP\win14.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\gbyjasqm.dll
E:\LaunchU3.exe
E:\start.exe
C:\WINDOWS\TEMP\win14.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d017e91e-f007-11dc-97e6-e6774b7d068e}]

SysRst::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg Mountpoints2, File - Additional Folder Scans, File - Lop Check, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
  • 0

#6
apohran
Posted 13 May 2008 - 07:53 AM

apohran

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the ComboFix log: (the OTScanIt log is attached)

ComboFix 08-05-12.1 - Andrew 2008-05-13 9:45:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.541 [GMT -4:00]
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Andrew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\gbyjasqm.dll
C:\WINDOWS\TEMP\win14.exe
E:\LaunchU3.exe
E:\start.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gbyjasqm.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 00:09 . 2008-05-13 00:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-05-13 00:08 . 2008-05-13 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 00:08 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 00:08 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 22:25 . 2008-05-12 22:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-12 22:25 . 2008-05-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 21:43 . 2008-05-12 22:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-12 16:21 . 2008-05-12 16:21 <DIR> d-------- C:\Program Files\Panda Security
2008-05-12 08:42 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-11 23:28 . 2008-05-11 23:28 84 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-05-11 23:15 . 2008-05-12 23:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-11 23:15 . 2008-05-12 23:34 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-11 22:33 . 2008-05-12 22:12 <DIR> d-------- C:\VundoFix Backups
2008-05-11 19:07 . 2008-05-13 00:21 <DIR> d-------- C:\Program Files\Starcraft
2008-05-09 21:59 . 2008-05-09 21:59 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\Program Files\Real
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-09 21:43 . 2008-05-09 21:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 21:43 . 2008-05-09 21:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 21:39 . 2008-05-09 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-09 21:33 . 2008-05-09 21:33 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Media Player Classic
2008-05-08 23:29 . 2008-05-08 23:34 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\U3
2008-05-06 20:23 . 2008-05-09 19:58 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Microsoft Games
2008-05-03 14:04 . 2008-05-03 14:04 18,620 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 17:16 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-27 17:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-27 17:16 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-27 17:16 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-26 11:05 . 2008-04-26 11:11 <DIR> d-------- C:\Program Files\GoldWave
2008-04-25 23:37 . 2008-04-25 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-04-25 23:36 . 2008-04-25 23:36 <DIR> d-------- C:\Program Files\GomPlayer
2008-04-25 23:36 . 2008-04-25 23:36 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\GRETECH
2008-04-25 23:25 . 2008-04-25 23:25 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-04-25 18:17 . 2006-12-07 00:14 2,330,624 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-04-24 21:08 . 2008-04-24 21:08 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-24 21:08 . 2008-04-24 21:08 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-24 19:48 . 2008-05-09 20:38 <DIR> d-------- C:\Documents and Settings\Andrew\Incomplete
2008-04-24 19:47 . 2008-04-25 00:47 <DIR> d-------- C:\Program Files\MP3 Rocket
2008-04-24 19:47 . 2008-04-25 00:50 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\MP3Rocket
2008-04-22 22:03 . 2008-04-24 21:15 <DIR> d-------- C:\Program Files\MediaMonkey
2008-04-22 21:33 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-04-22 01:49 . 2008-04-22 01:49 <DIR> d-------- C:\Documents and Settings\Andrew\.thumbnails
2008-04-22 01:48 . 2008-04-22 18:48 <DIR> d-------- C:\Documents and Settings\Andrew\.gimp-2.4
2008-04-20 18:43 . 2008-05-09 19:04 <DIR> d-------- C:\Westwood
2008-04-14 22:39 . 2008-04-14 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-14 22:39 . 2008-02-15 10:21 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-04-14 22:37 . 2008-04-14 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 23:05 . 2008-04-13 23:05 <DIR> d-------- C:\Program Files\CodeBlocks
2008-04-13 23:05 . 2008-04-28 11:05 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\codeblocks
2008-04-13 17:45 . 2008-04-13 17:45 <DIR> d-------- C:\Program Files\TrueCrypt
2008-04-13 17:45 . 2008-04-13 17:45 223,424 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-04-13 17:44 . 2008-04-14 19:15 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 13:46 --------- d-----w C:\Documents and Settings\Andrew\Application Data\.purple
2008-05-13 12:52 --------- d-----w C:\Documents and Settings\Andrew\Application Data\OpenOffice.org2
2008-05-12 03:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 02:19 --------- d-----w C:\Program Files\Google
2008-05-10 01:49 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-10 01:49 --------- d-----w C:\Program Files\Common Files\Real
2008-05-05 23:22 --------- d-----w C:\Documents and Settings\Andrew\Application Data\FileZilla
2008-05-03 18:04 --------- d-----w C:\Program Files\Picasa2
2008-04-26 03:06 --------- d-----w C:\Program Files\MediaCoder
2008-04-23 04:14 --------- d-----w C:\Documents and Settings\Andrew\Application Data\gtk-2.0
2008-04-23 00:26 --------- d-----w C:\Program Files\FileZilla FTP Client
2008-04-07 03:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 18:14 --------- d-----w C:\Program Files\Common Files\Taxman
2008-04-01 18:08 --------- d-----w C:\Program Files\StudioTax 2007
2008-03-29 19:09 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-03-29 19:08 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-29 19:07 --------- d-----w C:\Program Files\Java
2008-03-29 15:00 --------- d-----w C:\Documents and Settings\Andrew\Application Data\InstallShield
2008-03-23 01:20 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-21 16:58 --------- d-----w C:\Program Files\Graph
2008-03-19 23:41 --------- d-----w C:\Program Files\Pidgin
2008-03-19 22:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 03:49 --------- d-----w C:\Program Files\MultiDesk
2008-03-13 04:17 --------- d-----w C:\Program Files\Motorola
2008-03-12 06:01 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0678ae36fb2ce581bec948b8531de8\SP2QFE\acadproc.dll
2006-10-04 10:05 39424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000715.dll

C:\0678ae36fb2ce581bec948b8531de8\spmsg.dll
2005-10-12 19:12 14048 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000712.dll

C:\0678ae36fb2ce581bec948b8531de8\spuninst.exe
2005-10-12 19:12 213216 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000722.exe

C:\0678ae36fb2ce581bec948b8531de8\update\spcustom.dll
2005-10-12 19:12 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000711.dll

C:\0678ae36fb2ce581bec948b8531de8\update\update.exe
2005-10-12 19:12 716000 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000723.exe

C:\0678ae36fb2ce581bec948b8531de8\update\updspapi.dll
2005-10-12 19:12 371424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000713.dll

C:\0c4241a1b3e22144a82af0af55\admparse.dll
2007-08-13 19:39 71680 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000510.dll

C:\0c4241a1b3e22144a82af0af55\advpack.dll
2007-08-13 19:39 123904 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000509.dll

C:\0c4241a1b3e22144a82af0af55\browseui.dll
2006-09-23 14:12 1022976 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000508.dll

C:\0c4241a1b3e22144a82af0af55\corpol.dll
2007-08-13 19:42 17408 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000507.dll

C:\0c4241a1b3e22144a82af0af55\custsat.dll
2007-08-13 19:54 33792 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000506.dll

C:\0c4241a1b3e22144a82af0af55\dxtmsft.dll
2007-08-13 19:35 346624 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000505.dll

C:\0c4241a1b3e22144a82af0af55\dxtrans.dll
2007-08-13 19:35 214528 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000504.dll

C:\0c4241a1b3e22144a82af0af55\extmgr.dll
2007-08-13 19:54 131584 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000503.dll

C:\0c4241a1b3e22144a82af0af55\hmmapi.dll
2007-08-13 19:18 60416 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000502.dll

C:\0c4241a1b3e22144a82af0af55\icardie.dll
2007-08-13 19:36 61952 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000501.dll

C:\0c4241a1b3e22144a82af0af55\ie4uinit.exe
2007-08-13 19:39 54784 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000463.exe

C:\0c4241a1b3e22144a82af0af55\ieakeng.dll
2007-08-13 19:39 152064 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000500.dll

C:\0c4241a1b3e22144a82af0af55\ieaksie.dll
2007-08-13 19:39 229376 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000499.dll

C:\0c4241a1b3e22144a82af0af55\ieakui.dll
2007-08-13 18:56 161792 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000498.dll

C:\0c4241a1b3e22144a82af0af55\ieapfltr.dll
2007-07-11 13:27 383488 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000497.dll

C:\0c4241a1b3e22144a82af0af55\iedkcs32.dll
2007-08-13 19:39 382976 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000496.dll

C:\0c4241a1b3e22144a82af0af55\iedw.exe
2007-08-13 19:44 69120 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000462.exe

C:\0c4241a1b3e22144a82af0af55\ieencode.dll
2007-08-13 19:45 78336 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000495.dll

C:\0c4241a1b3e22144a82af0af55\ieframe.dll
2007-08-13 19:54 6049280 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000494.dll

C:\0c4241a1b3e22144a82af0af55\iepeers.dll
2007-08-13 19:54 191488 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000493.dll

C:\0c4241a1b3e22144a82af0af55\ieproxy.dll
2007-08-13 19:54 287744 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000492.dll

C:\0c4241a1b3e22144a82af0af55\iernonce.dll
2007-08-13 19:39 43008 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000491.dll

C:\0c4241a1b3e22144a82af0af55\iertutil.dll
2007-08-13 19:34 266752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000490.dll

C:\0c4241a1b3e22144a82af0af55\iesetup.dll
2007-08-13 19:39 55296 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000489.dll

C:\0c4241a1b3e22144a82af0af55\ieudinit.exe
2007-08-13 19:39 13312 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000461.exe

C:\0c4241a1b3e22144a82af0af55\ieui.dll
2007-08-13 19:54 180736 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000488.dll

C:\0c4241a1b3e22144a82af0af55\iexplore.exe
2007-08-13 19:43 622080 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000460.exe

C:\0c4241a1b3e22144a82af0af55\imgutil.dll
2007-08-13 19:36 36352 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000487.dll

C:\0c4241a1b3e22144a82af0af55\inseng.dll
2007-08-13 19:39 92672 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000486.dll

C:\0c4241a1b3e22144a82af0af55\jscript.dll
2007-08-13 19:38 491520 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000485.dll

C:\0c4241a1b3e22144a82af0af55\jsproxy.dll
2007-08-13 19:54 27136 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000484.dll

C:\0c4241a1b3e22144a82af0af55\licmgr10.dll
2007-08-13 19:44 40960 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000483.dll

C:\0c4241a1b3e22144a82af0af55\msfeeds.dll
2007-08-13 19:54 458752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000482.dll

C:\0c4241a1b3e22144a82af0af55\msfeedsbs.dll
2007-08-13 19:54 50688 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000481.dll

C:\0c4241a1b3e22144a82af0af55\msfeedssync.exe
2007-08-13 19:36 12288 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000459.exe

C:\0c4241a1b3e22144a82af0af55\mshta.exe
2007-08-13 19:32 45568 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000458.exe

C:\0c4241a1b3e22144a82af0af55\mshtml.dll
2007-08-13 19:54 3578368 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000480.dll

C:\0c4241a1b3e22144a82af0af55\mshtmled.dll
2007-08-13 19:54 475648 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000479.dll

C:\0c4241a1b3e22144a82af0af55\mshtmler.dll
2007-08-13 19:01 48128 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000478.dll

C:\0c4241a1b3e22144a82af0af55\msls31.dll
2007-08-13 19:54 156160 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000477.dll

C:\0c4241a1b3e22144a82af0af55\msrating.dll
2007-08-13 19:44 192000 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000476.dll

C:\0c4241a1b3e22144a82af0af55\mstime.dll
2007-08-13 19:54 670720 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000475.dll

C:\0c4241a1b3e22144a82af0af55\occache.dll
2007-08-13 19:44 101376 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000474.dll

C:\0c4241a1b3e22144a82af0af55\pngfilt.dll
2007-08-13 19:36 44544 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000473.dll

C:\0c4241a1b3e22144a82af0af55\shdocvw.dll
2006-09-23 14:12 1497088 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000472.dll

C:\0c4241a1b3e22144a82af0af55\shlwapi.dll
2006-09-23 14:12 474112 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000471.dll

C:\0c4241a1b3e22144a82af0af55\spmsg.dll
2006-09-06 18:43 14048 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000470.dll

C:\0c4241a1b3e22144a82af0af55\spuninst.exe
2006-09-06 18:43 213216 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000457.exe

C:\0c4241a1b3e22144a82af0af55\spupdsvc.exe
2006-09-06 18:43 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000456.exe

C:\0c4241a1b3e22144a82af0af55\update\idndl.exe
2006-09-06 18:42 589672 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000440.exe

C:\0c4241a1b3e22144a82af0af55\update\iecustom.dll
2007-08-13 19:54 32960 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000443.dll

C:\0c4241a1b3e22144a82af0af55\update\iereseticons.exe
2007-08-13 19:52 66048 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000439.exe

C:\0c4241a1b3e22144a82af0af55\update\iesetup.exe
2007-08-13 19:54 1084096 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000438.exe

C:\0c4241a1b3e22144a82af0af55\update\legitlibm.dll
2007-02-12 17:10 635696 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000442.dll

C:\0c4241a1b3e22144a82af0af55\update\nlsdl.exe
2006-09-06 18:42 498016 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000437.exe

C:\0c4241a1b3e22144a82af0af55\update\update.exe
2006-09-06 18:43 716000 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000436.exe

C:\0c4241a1b3e22144a82af0af55\update\updspapi.dll
2006-09-06 18:43 371424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000441.dll

C:\0c4241a1b3e22144a82af0af55\update\xmllitesetup.exe
2006-09-06 18:43 536888 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000435.exe

C:\0c4241a1b3e22144a82af0af55\url.dll
2007-08-13 19:44 105984 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000469.dll

C:\0c4241a1b3e22144a82af0af55\urlmon.dll
2007-08-13 19:54 1162240 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000468.dll

C:\0c4241a1b3e22144a82af0af55\vbscript.dll
2007-08-13 19:54 413696 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000467.dll

C:\0c4241a1b3e22144a82af0af55\vgx.dll
2007-08-13 19:54 765952 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000466.dll

C:\0c4241a1b3e22144a82af0af55\webcheck.dll
2007-08-13 19:54 231424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000465.dll

C:\0c4241a1b3e22144a82af0af55\winfxdocobj.exe
2007-08-13 19:45 206336 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000455.exe

C:\0c4241a1b3e22144a82af0af55\wininet.dll
2007-08-13 19:54 818688 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP11\A0000464.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\commonfiles\hdaprop.dll
2005-01-07 18:07 25088 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000191.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\commonfiles\hdashcut.exe
2005-01-07 18:07 61952 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000189.exe

C:\0f6d565df9dbcd5ca524652a4a032f50\commonfiles\hdaudbus.sys
2005-01-07 18:07 138752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000186.sys

C:\0f6d565df9dbcd5ca524652a4a032f50\commonfiles\hdaudio.sys
2005-01-07 18:07 145920 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000185.sys

C:\0f6d565df9dbcd5ca524652a4a032f50\commonfiles\hdaudres.dll
2005-01-07 18:07 5120 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000190.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\sprecovr.exe
2004-11-18 11:43 27360 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000194.exe

C:\0f6d565df9dbcd5ca524652a4a032f50\spuninst.exe
2004-11-18 11:44 209632 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000193.exe

C:\0f6d565df9dbcd5ca524652a4a032f50\spupdsvc.exe
2004-11-18 11:42 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000192.exe

C:\0f6d565df9dbcd5ca524652a4a032f50\update\spcustom.dll
2004-11-18 11:47 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000183.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\update\spmsg.dll
2004-11-18 11:41 14048 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000182.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\update\update.exe
2004-11-18 11:46 717024 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000180.exe

C:\0f6d565df9dbcd5ca524652a4a032f50\update\updspapi.dll
2004-11-18 11:45 371936 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000181.dll

C:\0f6d565df9dbcd5ca524652a4a032f50\winxpsp2\portcls.sys
2004-03-16 11:58 136960 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP3\A0000177.sys

C:\578585eaac08e0c5dc8f5498f7c55d70\update\update.exe
2006-05-16 19:11 716000 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000787.exe

C:\578585eaac08e0c5dc8f5498f7c55d70\update\updspapi.dll
2006-05-16 19:11 371424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP18\A0000788.dll

C:\c67a4c6badc9d788341e8e724d68cb\spmsg.dll
2006-09-16 02:05 14640 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000615.dll

C:\c67a4c6badc9d788341e8e724d68cb\spuninst.exe
2006-09-16 02:05 221488 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000609.exe

C:\c67a4c6badc9d788341e8e724d68cb\spupdsvc.exe
2006-09-16 02:05 23856 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000608.exe

C:\c67a4c6badc9d788341e8e724d68cb\update\update.exe
2006-09-16 02:05 742192 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000600.exe

C:\c67a4c6badc9d788341e8e724d68cb\update\updspapi.dll
2006-09-16 02:05 379184 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000602.dll

C:\c67a4c6badc9d788341e8e724d68cb\update\wudfcustom.dll
2006-09-28 20:01 58368 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000601.dll

C:\c67a4c6badc9d788341e8e724d68cb\wudfcoinstaller.dll
2006-09-28 21:13 95344 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000614.dll

C:\c67a4c6badc9d788341e8e724d68cb\wudfcustom.dll
2006-09-28 20:01 58368 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000613.dll

C:\c67a4c6badc9d788341e8e724d68cb\wudfhost.exe
2006-09-28 19:56 146432 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000607.exe

C:\c67a4c6badc9d788341e8e724d68cb\wudfpf.sys
2006-09-28 19:55 77568 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000605.sys

C:\c67a4c6badc9d788341e8e724d68cb\wudfplatform.dll
2006-09-28 19:56 165376 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000612.dll

C:\c67a4c6badc9d788341e8e724d68cb\wudfrd.sys
2006-09-28 20:00 82944 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000604.sys

C:\c67a4c6badc9d788341e8e724d68cb\wudfsvc.dll
2006-09-28 19:56 55808 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000611.dll

C:\c67a4c6badc9d788341e8e724d68cb\wudfx.dll
2006-09-28 19:56 316416 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP16\A0000610.dll

C:\c7f7008582edcad7b40a29e7f421d537\nlsdl.dll
2006-06-28 18:59 24576 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000344.dll

C:\c7f7008582edcad7b40a29e7f421d537\spmsg.dll
2006-05-24 13:32 14048 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000343.dll

C:\c7f7008582edcad7b40a29e7f421d537\spuninst.exe
2006-05-24 13:32 213216 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000342.exe

C:\c7f7008582edcad7b40a29e7f421d537\spupdsvc.exe
2006-05-24 13:32 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000341.exe

C:\c7f7008582edcad7b40a29e7f421d537\update\spcustom.dll
2006-05-24 13:32 22752 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000339.dll

C:\c7f7008582edcad7b40a29e7f421d537\update\update.exe
2006-05-24 13:32 716000 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000337.exe

C:\c7f7008582edcad7b40a29e7f421d537\update\updspapi.dll
2006-05-24 13:32 371424 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000338.dll

2006-10-20 14:45 4110518 C:\cabs\D20003-003-001\ISSetup.dll
2006-10-20 15:45 4110518 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002653.dll
2006-10-20 14:45 4110518 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP56\A0004207.dll

2006-10-20 14:45 2185018 C:\cabs\D20003-003-001\setup.exe
2006-10-20 15:45 2185018 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002654.exe
2006-10-20 14:45 2185018 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP56\A0004208.exe

2004-03-23 11:45 28672 C:\cabs\D20003-003-001\Windows\tiinst\cttib1.dll
2004-03-23 12:45 28672 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002657.dll
2004-03-23 11:45 28672 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP56\A0004211.dll

2005-11-17 15:46 337320 C:\cabs\D20003-003-001\Windows\tiinst\difxapi.dll
2005-11-17 16:46 337320 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002658.dll
2005-11-17 15:46 337320 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP56\A0004212.dll

2006-04-06 15:49 88192 C:\cabs\D20003-003-001\Windows\tiinst\gtipci21.sys
2006-04-06 16:49 88192 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002661.sys
2006-04-06 15:49 88192 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP56\A0004215.sys

2006-07-06 13:44 168448 C:\cabs\D20003-003-001\Windows\tiinst\tifm21.sys
2006-07-06 14:44 168448 {593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP35\A0002664.sys
{593F298F-B7D6-4A3D-A260-6D
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20 1024000]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-18 15:58 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-18 15:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-18 15:58 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 11:20 413696 C:\WINDOWS\stsystra.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-09-27 18:26 573440 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"C:\\Westwood\\RA2 fake\\GAME.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

S0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys []
S0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys []
S3 portio;portio;C:\Program Files\Zinf\portio.sys []
S3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 03:28:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 09:46:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 9:48:23
ComboFix-quarantined-files.txt 2008-05-13 13:48:16
ComboFix2.txt 2008-05-13 12:53:57

Pre-Run: 132,595,765,248 bytes free
Post-Run: 132,583,739,392 bytes free

410 --- E O F --- 2008-04-25 22:17:51

Attached Files


  • 0

#7
Rorschach112
Posted 13 May 2008 - 08:35 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking good

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Download NIAP to your desktop and unzip it to it's own folder

Close all windows and run NIAP_XRay_FileMgr
  • Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file. and System Critical Files and click OK. Save the log to your desktop and let the program run.
  • Exit out of NIAP_XRay_FileMgr


Next run NIAP_XRay_Regedit
  • Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
  • Exit out of NIAP_XRay_Regedit


Finally run NIAP_XRay_System
  • Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run.
  • Once it is done close the program and post the log back here along with the other two logs.

  • 0

#8
Rorschach112
Posted 19 May 2008 - 09:04 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP