Old 2007-03-25, 10:03   #1
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17
dxclib303562752.dll removal

Okay.. So.. Someone downloaded a file from Shareaza like a moron on my computer... and opened it. When it did.. It shaded all of my desktop icons and along with that, started loading random pages of advertisements.

I've run AVG, and Lavasoft products.. but dxclib303562752.dll still remains in my system32 folder. It's quite annoying so if someone could please tell me how to rid myself of this, it would be nice.
Old 2007-03-25, 10:34   #2
tashi
Member of Team Spybot
 
 
Join Date: Oct 2005
Location: USA
Posts: 23,455
Rated LASSHes: 16

Hello.

You seem to have missed this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance

Run Spybot-S&D in safe mode as explained.

Post the results of the on-line anti virus scan, and the HJT log into this topic, and a helper will advise you as soon as available.

Cheers.
__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2010

Please help us improve Spybot, download our distributed testing client
Old 2007-03-25, 12:25   #3
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

Sorry about the original post. I was in such a hurry that I skipped over the rules. Here's what was requested. The Pandasoft Run won't work because it keeps closing IE... Luckily I have firefox... If I get it to work.. I'll post that log shortly.



Logfile of HijackThis v1.99.1
Scan saved at 5:16:40 AM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
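A triage helper for HijackThis log entries like the ones in the log above, added here as an example; it is not part of the thread and not HijackThis code. It flags the entry types a helper looks at first: the O20 AppInit_DLLs line naming dxclib303562752.dll, BHOs with no display name, services pointing at a missing binary, and an autorun registered under both HKLM and HKCU. The sample lines are copied from the log above, and the allowlist of legitimately unnamed BHO DLLs is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Assumed allowlist: BHOs that legitimately register without a display name.
# Spybot-S&D's own SDHelper.dll is the one that appears in this log.
KNOWN_UNNAMED_BHO_DLLS = {"sdhelper.dll"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" = treat as infection, "review" = needs a human look
    entry: str      # the log line (or, for the O4 check, the shared command)
    reason: str


def _basename(path: str) -> str:
    return path.strip().split("\\")[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return the entries in a HijackThis log that deserve a closer look."""
    findings: list[Finding] = []
    run_hives: dict[str, set[str]] = {}   # lowercased O4 command -> hives that start it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue   # header lines, the process list, blanks
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(section, "high", line,
                    f"AppInit_DLLs loads {value} into every process that maps user32.dll; "
                    "the key is rarely used by legitimate software and is a common adware injection point"))
        elif section == "O2" and (b := BHO_RE.match(body)):
            name, path = b.group("name"), b.group("path")
            unnamed = name in ("", "(no name)") or name.isdigit()
            if unnamed and path != "(no file)" and _basename(path) not in KNOWN_UNNAMED_BHO_DLLS:
                findings.append(Finding(section, "review", line,
                    f"browser helper object with no display name loads {path}"))
        elif section == "O4" and (r := RUN_RE.match(body)):
            run_hives.setdefault(r.group("cmd").strip().lower(), set()).add(r.group("hive"))
        elif section == "O23" and (s := SERVICE_RE.match(body)):
            path = s.group("path")
            if "(file missing)" in path:
                # A service whose image name is empty or just ".exe" is not a leftover
                # from an uninstall; the Client IP-IPX entry above is the example.
                exe = _basename(path.replace("(file missing)", "").strip().strip('"'))
                severity = "high" if exe in ("", ".exe") else "review"
                findings.append(Finding(section, severity, line,
                    f"service '{s.group('name')}' ({s.group('owner')}) points at a missing binary: {path}"))
    # DeluxeCommunications starts from both hives in the log above; an autorun duplicated
    # across HKLM and HKCU survives cleaning either key alone, so it is worth a look.
    for cmd, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding("O4", "review", cmd,
                "same autorun command registered under both HKLM and HKCU Run keys"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```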
Old 2007-03-26, 01:21   #4
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

I actually went in to my startup options and found the Deluxe Communications file.. and ceased it from loading on startup. If I run Virus and S&D products after doing this directly after startup, would that rid me of the Deluxe Communications ware that came when I obtained the pesky .dll file which I'm asking for help in removing?

Also, when I ran the Pandasoft scan, it found the files, yet it IMMEDIATELY closed when it finished scanning. Am I doing something wrong, or is this the cause of the infection?
Old 2007-03-27, 04:03   #5
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

I've been waiting 3 days for help, but actually I need to add something else to this.

I got rid of the Deluxe Communications files, yet at the same time... there is something else going on.

When I got the virus/spyware..it messed with my graphics. At one point, I had taken a screen shot to show to a friend, and in the screen shot, I had dual screens. When I restarted, I was missing my Windows Task Bar at the bottom. Upon yet ANOTHER restart, it was back.. yet my graphics now are completely faulty and my desktop icons are awkward. They had a black outline to them, now they are blue.

I'm running with an ATI Radeon 9250 PCI version, so the graphics should not be THAT BAD. If you could please help me with this issue, it would be great. I'll post an updated log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 9:02:57 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\XBC\neXBC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Reboot.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Old 2007-03-29, 19:40   #6
Mr_JAk3
Security Expert
 
 
Join Date: Oct 2006
Location: Finland
Posts: 3,952

Hello XiKeiyaZI and welcome to the Forums

Sorry for the delay.

I must warn that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post
__________________
MalWare Removal University - You too could train to help others
UNITE & ASAP member since 2006
Old 2007-03-30, 09:14   #7
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

I'd like to go ahead and attempt to clean the PC without reformatting, seeing as how that was just recently done. It's not a problem for bank accounts or passwords because there's not too much that could be harmed.

Thank you for your time.
Old 2007-03-30, 22:38   #8
Mr_JAk3
Security Expert
 
 
Join Date: Oct 2006
Location: Finland
Posts: 3,952

I'll be happy to help you

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Old 2007-03-31, 06:08   #9
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

SDFix: Version 1.75

Run by XiKeiyaZI - Fri 03/30/2007 - 22:51:14.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

"" -e mc-110-12-0000140

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\XBC\\neXBC.exe"="C:\\Program Files\\XBC\\neXBC.exe:*:Enabled:XBConnect"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.bits
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.filelist
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.seeds
C:\Program Files\FlashGet\Torrent\RAG_SETUP1010.exe.torrent.~tmp
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.bits
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.filelist
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.seeds
C:\Program Files\FlashGet\Torrent\SAK_SETUP1010.exe.torrent.~tmp
C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelFolders.exe
C:\WINDOWS\system32\Tools\DirectSetup.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished



Logfile of HijackThis v1.99.1
Scan saved at 11:02:16 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\XiKeiyaZI\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {461B977A-6DBE-4CA1-ABE8-3EF8232459AB} - C:\Program Files\Online Services\wodeg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {D86C5701-63CD-4C05-9795-C441E8B08E00} - C:\Program Files\Messenger\bapuzok.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Reboot.exe
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Old 2007-03-31, 06:09   #10
XiKeiyaZI
Junior Member
 
Join Date: Mar 2007
Posts: 17

"XiKeiyaZI" - 07-03-30 23:03:30 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Program Files\Mozilla Firefox"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\DOCUME~1\XIKEIY~1\APPLIC~1\Dxcuknwrd.dll
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{3818D~1\system.dll
C:\Program Files\Common Files\{3818D~2\system.dll
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\Program Files\ipwindows
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{3818D~1
C:\Program Files\Common Files\{3818D~2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-30 ))))))))))))))))))))))))))))))))))


2007-03-29 06:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-29 06:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-29 06:22 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-25 22:43 <DIR> d-------- C:\WINDOWS\system32\Tools
2007-03-25 22:13 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-25 22:13 1,478,656 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-25 22:12 <DIR> d-------- C:\Program Files\ATI Technologies
2007-03-25 21:28 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-25 14:45 <DIR> d-------- C:\WINDOWS\pss
2007-03-25 05:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-25 04:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-03-25 04:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-25 03:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-25 02:44 93,736 --a------ C:\WINDOWS\VTTC.exe
2007-03-25 02:10 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-25 01:48 19,296 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-03-25 01:27 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-25 01:27 41,792 --a------ C:\WINDOWS\system32\nek.exe
2007-03-25 01:27 114 --a------ C:\WINDOWS\system32\hhjj.bat
2007-03-25 01:27 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-03-25 01:26 203,149 --a------ C:\WINDOWS\system32\lo.exe
2007-03-24 21:56 <DIR> d-------- C:\Downloads
2007-03-24 21:50 <DIR> d-------- C:\Program Files\FlashGet
2007-03-24 21:43 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-03-24 21:43 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-03-24 21:43 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-03-24 21:43 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-03-24 21:43 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-03-24 21:43 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-03-24 21:43 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-03-24 21:43 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-03-24 21:43 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-03-24 21:43 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-03-24 21:42 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-03-24 21:42 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-03-24 21:42 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-03-24 21:41 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-03-24 21:41 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-03-24 21:41 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-03-24 21:41 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-03-24 17:34 <DIR> d-------- C:\SonySupport
2007-03-24 17:34 <DIR> d-------- C:\Program Files\Sony
2007-03-24 15:52 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-03-24 15:52 <DIR> d-------- C:\Program Files\Viewpoint
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AWS
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AOD
2007-03-24 15:52 <DIR> d-------- C:\Program Files\AIM
2007-03-24 15:52 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Aim
2007-03-24 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-03-24 15:41 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\Contacts
2007-03-24 15:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-24 12:39 <DIR> d-------- C:\Program Files\XBC
2007-03-24 12:39 <DIR> d-------- C:\Program Files\WinPcap
2007-03-24 11:40 <DIR> d-------- C:\Program Files\Silkroad
2007-03-23 21:34 <DIR> d-------- C:\Program Files\Shareaza
2007-03-23 21:34 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Shareaza
2007-03-23 21:21 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-23 21:21 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-23 21:21 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-23 21:21 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-03-23 21:21 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-03-23 21:21 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-23 21:21 <DIR> d-------- C:\Program Files\DivX
2007-03-23 21:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\DivX
2007-03-23 17:06 <DIR> d-------- C:\Program Files\World of Warcraft
2007-03-23 16:33 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-03-23 13:41 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-03-23 13:34 <DIR> d-------- C:\Program Files\WinMX
2007-03-23 13:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-23 13:28 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-23 13:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\AdobeUM
2007-03-23 13:21 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Adobe
2007-03-16 02:22 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-03-16 01:04 <DIR> d-------- C:\Program Files\Winamp
2007-03-15 22:34 <DIR> d-------- C:\Program Files\Activision
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-14 23:18 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-03-14 17:56 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-03-05 10:56 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-02 15:18 <DIR> d--hs---- C:\DOCUME~1\XIKEIY~1\UserData
2007-03-02 15:05 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-02 15:05 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-02 15:05 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-03-01 12:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-02-28 13:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-02-28 13:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-28 13:56 <DIR> d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\Lavasoft
2007-02-28 11:15 <DIR> d--hs---- C:\RECYCLER
2007-02-28 02:01 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-02-28 02:01 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-02-28 02:01 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-02-28 02:01 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-02-28 02:01 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-02-28 02:01 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-02-28 02:01 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-02-28 02:01 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-02-28 02:01 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-02-28 02:01 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-02-28 02:00 917,504 --a------ C:\WINDOWS\system\cmids3d.dll
2007-02-28 02:00 712,704 --a------ C:\WINDOWS\system32\Audio3D.dll
2007-02-28 02:00 712,704 --a------ C:\WINDOWS\system32\a3d.dll
2007-02-28 02:00 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-02-28 02:00 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-02-28 02:00 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-02-28 02:00 32,768 --a------ C:\WINDOWS\system32\udaprop.dll
2007-02-28 02:00 28,672 --a------ C:\WINDOWS\system32\cmirmdrv.dll
2007-02-28 02:00 28,672 --a------ C:\WINDOWS\CMIRmDriver.dll
2007-02-28 02:00 266,240 --a------ C:\WINDOWS\CMIUninstall.exe
2007-02-28 02:00 233,472 --a------ C:\WINDOWS\system32\cmirmdrv.exe
2007-02-28 02:00 225,280 --a------ C:\WINDOWS\CmiRmRedundDir.exe
2007-02-28 02:00 172,032 --a------ C:\WINDOWS\system32\cmuda.dll
2007-02-28 02:00 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-02-28 02:00 1,458,176 --a------ C:\WINDOWS\system\SmWizard.exe
2007-02-28 02:00 1,373,120 --a------ C:\WINDOWS\system32\drivers\cmuda.sys
2007-02-28 02:00 <DIR> d-------- C:\Program Files\C-Media 3D Audio


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-30 22:47 -------- d-------- C:\Program Files\online services
2007-03-30 12:01 -------- d-------- C:\Program Files\messenger
2007-03-25 22:33 -------- d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\ati
2007-03-21 19:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-21 19:24 -------- d--h----- C:\Program Files\installshield installation information
2007-02-27 19:32 -------- d-------- C:\Program Files\sis vga utilities v3.74
2007-02-27 19:31 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-27 19:11 98304 --a------ C:\WINDOWS\system32cmdlineext.dll
2007-02-27 17:58 -------- d-------- C:\Program Files\ubisoft
2007-02-27 17:57 -------- d-------- C:\DOCUME~1\XIKEIY~1\APPLIC~1\installshield
2007-02-27 17:42 0 -rahs---- C:\MSDOS.SYS
2007-02-27 17:42 0 -rahs---- C:\IO.SYS
2007-02-27 17:42 0 --a------ C:\CONFIG.SYS
2007-02-27 17:42 0 --a------ C:\AUTOEXEC.BAT
2007-02-27 17:42 -------- d-------- C:\Program Files\microsoft frontpage
2007-02-27 17:40 -------- d--h----- C:\Program Files\windowsupdate
2007-02-27 17:39 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-02-27 17:39 -------- d-------- C:\Program Files\movie maker
2007-02-27 17:39 -------- d-------- C:\Program Files\Common Files\mssoap
2007-02-27 17:38 -------- d-------- C:\Program Files\msn gaming zone
2007-02-27 17:37 -------- d-------- C:\Program Files\windows nt
2007-02-27 11:06 -------- d-------- C:\Program Files\Common Files\speechengines
2007-02-27 11:06 -------- d-------- C:\Program Files\Common Files\odbc
2007-02-27 11:05 62 --ahs---- C:\DOCUME~1\XIKEIY~1\APPLIC~1\desktop.ini
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-23 04:55 1571001 --a------ C:\WINDOWS\system32\sisgl.dll
2007-01-23 04:39 3514368 --a------ C:\WINDOWS\system32\sisgrv.dll
2007-01-23 04:34 9728 --a------ C:\WINDOWS\system32\sispins2.dll
2007-01-23 04:33 12288 --a------ C:\WINDOWS\instfunc.dll
2007-01-23 04:32 49152 --a------ C:\WINDOWS\system32\sisbase.dll
2007-01-23 04:32 258048 --a------ C:\WINDOWS\system32\sisparse.dll
2007-01-23 04:32 172032 --a------ C:\WINDOWS\system32\sisinst.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Messenger\fsoxynid.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-30 23:05:49
XiKeiyaZI is offline  
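Added example (not from the original post, and not ComboFix's own code): a small Python triage script that reads a log in the format posted above, pulls the targets out of the "Reg Loading Points" entries, cross-references them against the new/modified file list, and groups new system32 entries by minute so bursts stand out. The sample lines are a subset copied from the log above; the field layout the script expects, the extension lists and the flagging heuristics are my assumptions, not anything ComboFix documents.

```python
"""Triage helper for a ComboFix-style log such as the one posted above. Added
example, not code from the post or from ComboFix; the field layout, heuristics
and SAMPLE_LOG are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
2007-03-25 01:27 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-25 01:27 41,792 --a------ C:\WINDOWS\system32\nek.exe
2007-03-25 01:27 114 --a------ C:\WINDOWS\system32\hhjj.bat
2007-03-25 01:27 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-03-25 01:26 203,149 --a------ C:\WINDOWS\system32\lo.exe
2007-03-24 21:43 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-03-30 12:01 -------- d-------- C:\Program Files\messenger
2007-03-21 19:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Messenger\fsoxynid.html

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe
"""

# "date time size attrs path"; size is <DIR>, a number, or -------- (Find3M part)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+|-{8})\s+(\S{9})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
BARE_RE = re.compile(r"^(Source REG_SZ|Shell\\AutoRun\\command)\s+(.+?)\s*$")  # unquoted values
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(.+?),", re.I)
PATH_RE = re.compile(r"^(.+?\.(?:exe|dll|html?|bat|cmd|scr|pif|com|cpl))(?=\s|,|$)", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")

def parse_log(text):
    """Return (file entries, autostart entries) found in the log text."""
    files, autostarts, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            files.append({"when": m[1], "size": m[2], "attrs": m[3], "path": m[4]})
        elif m := KEY_RE.match(line):
            key = m[1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg-style escaping in the log: \" -> " and \\ -> \
            cmd = m[2].replace('\\"', '"').replace("\\\\", "\\")
            autostarts.append({"key": key, "name": m[1], "command": cmd})
        elif key and (m := BARE_RE.match(line)):
            autostarts.append({"key": key, "name": m[1].replace(" REG_SZ", ""), "command": m[2]})
    return files, autostarts

def target_of(command):
    """Executable or document an autostart command actually loads."""
    command = command.strip()
    if m := RUNDLL_RE.match(command):      # rundll32 host: the DLL is the payload
        return m[1]
    if command.startswith('"'):            # quoted path, arguments follow
        return command[1:command.index('"', 1)]
    m = PATH_RE.match(command)             # unquoted path, may contain spaces
    return m[1] if m else command.split()[0]

def cross_reference(files, autostarts):
    """Per autostart: no full path (resolved via search order at run time), the
    target itself is in the recent-file list, or its directory is."""
    listed = {f["path"].lower() for f in files}
    out = []
    for a in autostarts:
        t = target_of(a["command"])
        parent = t.rpartition("\\")[0].lower()
        out.append({"name": a["name"], "key": a["key"], "target": t,
                    "no_full_path": ":" not in t,
                    "target_listed": t.lower() in listed,
                    "parent_listed": bool(parent) and parent in listed})
    return out

def bursts(files, root=r"C:\WINDOWS\system32", min_count=3):
    """Minutes in which at least min_count entries appeared directly under root."""
    groups = defaultdict(list)
    for f in files:
        if f["path"].rpartition("\\")[0].lower() == root.lower():
            groups[f["when"]].append(f["path"])
    return {when: p for when, p in groups.items() if len(p) >= min_count}

def scripts_under(files, root=r"C:\WINDOWS"):
    """Script/shortcut-type files anywhere below root (heuristic list above)."""
    return [f["path"] for f in files if f["path"].lower().startswith(root.lower() + "\\")
            and f["path"].lower().endswith(SCRIPT_EXT)]

if __name__ == "__main__":
    files, autostarts = parse_log(SAMPLE_LOG)
    for f in cross_reference(files, autostarts):
        print(f["name"], f["target"], [k for k in ("no_full_path", "target_listed", "parent_listed") if f[k]])
    print("bursts:", bursts(files), "\nscripts:", scripts_under(files))
```

Run against the sample it reports the 01:27 cluster directly in system32 (sporder.dll, nek.exe, hhjj.bat, micro1), the .bat under system32, the Rundll32 entry that names SiSPower.dll without a path, and the Active Desktop component whose source sits in C:\Program Files\Messenger, a directory the Find3M section above shows as modified on 2007-03-30. A burst is a prompt to look, not a verdict: the 21:43 group in the full log is made up of Microsoft keyboard-layout and IME files. Two things the script does not cover and that need checking by hand: the msconfig\startupreg\DeluxeCommunications entry is a Run item that was disabled through msconfig rather than an active load point (its command Dxc.exe shares the dxc prefix of the DLL named in the opening post), and the MountPoints2 autorun commands point at removable media that was not listed.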
 

Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.