Can't get rid of fakeWGA
dumbo283
2007-09-18, 12:32
I can't get rid of fakeWGA identified by Spybot. I have tried running on startup and safe mode. Now running Kaspersky to get the 2 logs requested, I see I have viruses not identified by McAfee. Help!
HJT log follows below and Kaspersky one in next thread, as together the thread exceeds the allowed 20000 characters.
Thanks in advance for any help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:40, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\System32\opppp.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [chat] winhost32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager] C:\WINDOWS\taskbar.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chat] winhost32.exe (User 'Default user')
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Freeserve - {EC2C4617-18C7-4E0B-ADD9-EB2DBA8AFC3F} - http://www.freeserve.net/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.tyco-valves.com
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) -
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
End of file - 7835 bytes
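The O4, O20 and O23 lines in a HijackThis log are where a helper looks first: Run keys whose image has no path or sits directly under the Windows directory, Run entries planted in the SYSTEM and Default user hives, an unknown Winlogon Notify DLL, and a service with no vendor whose file has already gone missing. The script below is an added example and is not part of this thread nor HijackThis's own logic; it applies those same by-eye checks mechanically. The sample lines are copied from the log above, while the Winlogon Notify baseline, the severity levels and the rule wording are my own assumptions.

```python
"""Mechanical triage of HijackThis O4 / O20 / O23 entries (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Winlogon Notify packages that ship with Windows XP. Assumed baseline: any
# other key is not necessarily bad, but deserves a second look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Constructed sample: lines copied verbatim from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKUS\S-1-5-18\..\Run: [chat] winhost32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager] C:\WINDOWS\taskbar.exe (User 'SYSTEM')
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high" or "review"
    line: str
    reason: str


O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
USER_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")
# An image directly under the Windows directory, or under WINDOWS\update, rather than system32.
WINDIR_ROOT_RE = re.compile(r"[a-z]:\\windows\\(update\\)?[^\\]+")


def _executable(cmd: str) -> str:
    """HijackThis quotes images whose path has spaces; otherwise the first token is the image."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _triage_o4(line: str, m: re.Match) -> list[Finding]:
    cmd, user = m["cmd"], None
    um = USER_RE.search(cmd)
    if um:  # entries from HKUS hives carry a trailing (User '...') tag
        user, cmd = um["user"], cmd[: um.start()]
    exe = _executable(cmd)
    out = []
    if "\\" not in exe:
        # A bare name is resolved through PATH; in the SYSTEM/Default hives that is rarely legitimate.
        sev = "high" if user in ("SYSTEM", "Default user") else "review"
        out.append(Finding(sev, line, f"bare image name '{exe}' resolved via PATH" + (f" in the {user} hive" if user else "")))
    elif WINDIR_ROOT_RE.fullmatch(exe.lower()):
        out.append(Finding("review", line, f"image '{exe}' sits directly under the Windows directory, not system32"))
    if "windows update" in m["name"].lower() and "wuauclt" not in exe.lower():
        out.append(Finding("high", line, f"entry name '{m['name']}' imitates Windows Update but runs '{exe}'"))
    return out


def _triage_o20(line: str, m: re.Match) -> list[Finding]:
    if m["key"].lower() not in KNOWN_WINLOGON_NOTIFY:
        return [Finding("review", line, f"Winlogon Notify package '{m['key']}' is not in the XP baseline")]
    return []


def _triage_o23(line: str, m: re.Match) -> list[Finding]:
    out = []
    if m["owner"].strip().lower() == "unknown owner":
        out.append(Finding("review", line, "service has no recorded vendor"))
    if "(file missing)" in m["path"].lower():
        out.append(Finding("high", line, "service image is missing on disk; the registration is a leftover"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Return every finding for the O4/O20/O23 lines of a HijackThis log."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        for prefix, regex, handler in (("O4 - ", O4_RE, _triage_o4),
                                       ("O20 - ", O20_RE, _triage_o20),
                                       ("O23 - ", O23_RE, _triage_o23)):
            if line.startswith(prefix):
                m = regex.match(line)
                # Anything the parser cannot read is still surfaced for a human to look at.
                findings += handler(line, m) if m else [Finding("review", line, "unparsed entry")]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run as-is it prints the flagged lines; the NeroCheck, SHSTAT and NVSvc entries produce nothing, while winhost32.exe, updmgr.exe, taskbar.exe and opppp.dll each get at least one hit. The heuristics are a starting point, not a verdict: a legitimate vendor tool can live under C:\WINDOWS, which is why that rule only reports "review".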
dumbo283
2007-09-18, 12:48
Here's the Kaspersky log to go with my earlier post.
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 11:27:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 420061
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\C:\D:\E:\
Scan Statistics:
Total number of scanned objects: 69975
Number of viruses found: 7
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:28:32
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070917_Time-201707562_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070917_Time-201707562_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MACNAB-PC-2002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MACNAB-PC-2002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Jan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\History\History.IE5\MSHist012007091720070918\index.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Temp\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\log0.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP228\A0022241.dll Infected: Trojan-Spy.Win32.VBStat.c skipped
C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP238\A0022802.exe Infected: not-a-virus:Downloader.Win32.WinFixer.r skipped
C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP238\A0022805.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP238\A0022805.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP238\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\acgenral.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\aclayers.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\aclua.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\acspecfc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\acverfyr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\acxtrnal.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\apphelp.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\apps.chm Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\d3d8.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\drvmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\msimain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\qdvd.dll Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallApplication Compatibility Update$\udfs.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ307274$\shgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307274$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\guitrn.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\guitrn_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migapp.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\migwiz_a.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\script.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\script_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\sysmod.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ307869$\sysmod_a.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\rdchost.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\sessmgr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308210$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308276$\smlogsvc.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308276$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308276$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309376$\rdbss.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ309376$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309376$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309495$\msi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309495$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309495$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\ssdpapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\ssdpsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309691$\cdrom.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309691$\imapi.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309691$\imapi.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ310437$\ups.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\aec.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\dxmrtp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\splitter.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ310507$\usbuhci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\pci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311542$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\acgenral.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\aclayers.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\aclua.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\acspecfc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\acverfyr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\acxtrnal.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\apphelp.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\apps.chm Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\d3d8.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\drvmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\msimain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\qdvd.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ313484$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\netsetup.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ315000$\upnp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N822M1605NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.j skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N822M1605NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.j skipped
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.j skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{03D13C1A-3C3B-48BD-ADF6-280039B6C33D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\opppp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
dumbo283
2007-09-19, 00:00
Sorry that you had to merge my 2 threads. I realised too late that I should have put the continuation of my logs on a reply to my own post, not as a new thread. I am afraid I have never posted anything on any web-site before and am not up with all the jargon. I am a Mum in a complete panic as I am not computer literate and appear to have an infected computer despite running frequent anti-virus and Spybot checks - I really need this fixed as the computer is used for home computing including banking and shopping and for my daughter's homework - and I have no idea how to begin ridding myself of these nasties now my anti-virus software has not succeeded.
Please help!
Hello dumbo283 and welcome to the Forums :)
I must warn that one or more of the identified infections is a backdoor trojan :sick:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.
Please let us know what you have decided to do in your next post:bigthumb:
dumbo283
2007-09-20, 23:21
If you can help I would like to attempt a clean-up, as reformatting sounds pretty drastic, I am not sure how to do it and presumably I would lose things forever - eg I have quite a lot of music on this pc which I don't know how to transfer to another.
I will change all passwords as recommended and look forward to following any other suggestions you may have.
Thanks
Dumbo
Hi and sorry for the delay, my connection was down.
I'll be happy to help you.
Let the games begin...
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
dumbo283
2007-09-25, 13:57
Thanks Mr JAk3. I have done as you suggested and attach the new logs. By the way, the SDFix link did not offer SDFix.zip but I was able to download SDFix.exe and then use this. I hope that was OK.
Looking forward to hearing if things are on the road to recovery.
dumbo
SDFix: Version 1.107
Run by Jan on 25/09/2007 at 11:25
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
UpdateManager
ImagePath:
C:\WINDOWS\update\updmgr.exe /updatemgr
UpdateManager - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\regsvr32.exe.tmp - Deleted
C:\WINDOWS\Downloaded Program Files\USYP_0002_N91M1708NetInstaller.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N73M1004NetInstaller.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe - Deleted
C:\WINDOWS\system32\TFTP1148 - Deleted
C:\WINDOWS\system32\TFTP2392 - Deleted
C:\WINDOWS\system32\TFTP2616 - Deleted
C:\WINDOWS\system32\TFTP2948 - Deleted
C:\WINDOWS\system32\TFTP3404 - Deleted
C:\WINDOWS\system32\TFTP368 - Deleted
C:\WINDOWS\system32\TFTP3776 - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\update\\updmgr.exe"="C:\\WINDOWS\\update\\updmgr.exe:*:Enabled:Microsoft (R) Windows Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 11 Jan 2003 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
Sat 11 Jan 2003 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
Mon 1 May 2006 581,684 ..SH. --- "C:\WINDOWS\SYSTEM32\opppp.dll"
Thu 5 Oct 2006 838,426 ..SH. --- "C:\WINDOWS\SYSTEM32\ppppo.tmp"
Mon 1 May 2006 601,805 ..SH. --- "C:\WINDOWS\SYSTEM32\ppppo.bak1"
Mon 28 Aug 2006 830,871 ..SH. --- "C:\WINDOWS\SYSTEM32\ppppo.bak2"
Thu 8 Mar 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 12 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 30 Jul 2002 10,678 A..H. --- "C:\Program Files\Microsoft Office(2)\Office\Shortcut Bar\Off2.tmp"
Sun 2 Apr 2006 8,246 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off15h.tmp"
Sun 2 Apr 2006 8,246 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off15s.tmp"
Tue 25 Sep 2007 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp"
Sun 24 Jun 2007 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off3.tmp"
Sat 6 Jan 2007 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off4.tmp"
Mon 14 May 2007 268,800 A..H. --- "C:\Documents and Settings\Jan\My Documents\Jan's Files\Church\~WRL0004.tmp"
Fri 1 Jun 2007 258,048 A..H. --- "C:\Documents and Settings\Jan\My Documents\Jan's Files\Church\~WRL2105.tmp"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:43, on 25/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\System32\opppp.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [chat] winhost32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager] C:\WINDOWS\taskbar.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chat] winhost32.exe (User 'Default user')
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Freeserve - {EC2C4617-18C7-4E0B-ADD9-EB2DBA8AFC3F} - http://www.freeserve.net/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.tyco-valves.com
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) -
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
End of file - 7396 bytes
Yes looks a bit better now :)
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
dumbo283
2007-09-26, 23:27
Here's the Combofix log. Obviously I don't understand much of what it says, but I am puzzled as it refers to things like Napster and AVG6 which I thought I had properly "uninstalled" long ago. Can these things cause ongoing problems?
dumbo
ComboFix 07-09-21.2 - "Jan" 2007-09-26 21:04:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT 1:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\SYSTEM32\ppppo.bak1
C:\WINDOWS\SYSTEM32\ppppo.bak2
C:\WINDOWS\SYSTEM32\ppppo.ini
C:\WINDOWS\SYSTEM32\ppppo.ini2
C:\WINDOWS\SYSTEM32\ppppo.tmp
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
2007-09-26 21:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 11:23 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-01 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-01 15:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-01 15:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-26 21:13 --------- d-------- C:\Program Files\lx_cats
2007-09-26 21:10 196 --a------ C:\WINDOWS\system32\drivers\ALCICH.DAT
2007-09-17 20:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-19 07:59 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-13 00:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 15:34 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 15:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 15:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 15:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 15:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 09:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 09:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 07:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2002-10-03 22:51 5327831 --a--c--- C:\Program Files\gdsol.exe
2006-05-01 20:45:41 581,684 --sh--w C:\WINDOWS\SYSTEM32\opppp.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1}]
2006-05-01 21:45 581684 ---hs---- C:\WINDOWS\System32\opppp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-02-21 03:01]
"SoundMan"="soundman.exe" [2001-11-14 22:57 C:\WINDOWS\soundman.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-07-10 14:55]
"NvCplDaemon"="NvQTwk" []
"mouseElf"="C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe" [2001-09-18 17:21]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 21:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 21:00]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 12:58]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"chat"=winhost32.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Windows Update Manager"=C:\WINDOWS\taskbar.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-08-01]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 21:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-01]
VPN Client.lnk - C:\WINDOWS\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2006-05-08 15:16:40]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opppp]
C:\WINDOWS\System32\opppp.dll 2006-05-01 21:45 581684 C:\WINDOWS\SYSTEM32\opppp.dll
R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys
R3 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 genmcmn;Genus Mouse+ Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys
S2 AvgCore;AVG6 Kernel;\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
S2 AvgFsh;AVG6 Rezident Driver;\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
*Newly Created Service* - ENTDRV51
Contents of the 'Scheduled Tasks' folder
"2007-04-02 09:00:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\TALKTA~1\ANTI-V~1\fsav.exe
**************************************************************************
Catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 21:12:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-26 21:17:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 21:16
--- E O F ---
Hi again :)
Yes these leftovers may cause some problems...
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\SYSTEM32\opppp.dll
C:\WINDOWS\taskbar.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chat"=-
"Windows Update Manager"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opppp]
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
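The CFScript above removes two Run-key values under the SYSTEM hive, one BHO and one Winlogon Notify package. Reading a HijackThis log for that kind of entry by eye is error-prone, so here is a small triage script I have added to this thread (it is not a tool from any of the posters, nor part of HijackThis or ComboFix). It parses the O2, O4 and O20 lines and applies a few weighted heuristics that match what the helper picked out: an autostart under HKUS\S-1-5-18 or HKUS\.DEFAULT, a bare executable name found by path search, an executable sitting directly in the Windows folder, a BHO loaded from System32, a Winlogon Notify package outside a short allowlist of stock XP ones, and one DLL hooked in through more than one load point. The sample lines are copied from the HijackThis log posted earlier in the thread with benign neighbours kept in; the weights, the threshold and the Notify allowlist are my assumptions and should be tuned for your own environment.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# benign neighbours included so the heuristics have both kinds to look at.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\System32\opppp.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [chat] winhost32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager] C:\WINDOWS\taskbar.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chat] winhost32.exe (User 'Default user')
O20 - Winlogon Notify: opppp - C:\WINDOWS\System32\opppp.dll
""".strip().splitlines()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Run keys under these hives belong to the SYSTEM account and the default profile;
# ordinary user software rarely registers there.
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}

# Assumption: a short allowlist of Winlogon Notify subkeys shipped with XP or by
# common vendors. Extend it for your own environment before relying on it.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "dimsntfy", "igfxcui",
    "atiextevent", "navlogon",
}


def _exe_from_cmd(cmd):
    """Pull the executable out of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_hjt(lines):
    """Turn O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines into records."""
    records = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            records.append({"kind": "O2", "line": line, "name": m["name"], "path": m["path"].strip()})
        elif m := O4_RE.match(line):
            records.append({"kind": "O4", "line": line, "name": m["name"],
                            "hive": m["hive"], "path": _exe_from_cmd(m["cmd"])})
        elif m := O20_RE.match(line):
            records.append({"kind": "O20", "line": line, "name": m["name"], "path": m["path"].strip()})
    return records


def triage_hjt(lines, threshold=2):
    """Score each load point; return the entries whose weighted reasons reach the threshold."""
    records = parse_hjt(lines)
    # How many load points reference the same file name: one DLL registered as
    # both a BHO and a Winlogon Notify package deserves a second look.
    refs = Counter(ntpath.basename(r["path"]).lower() for r in records)
    findings = []
    for r in records:
        path = r["path"]
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        reasons = []  # (weight, explanation)
        if r["kind"] == "O4":
            if r["hive"].upper() in SYSTEM_HIVES:
                reasons.append((1, "autostart registered under the SYSTEM / Default user hive"))
            if "\\" not in path:
                reasons.append((1, "bare executable name, located by path search at logon"))
            if re.fullmatch(r"[a-z]:\\windows", folder):
                reasons.append((1, "executable placed directly in the Windows folder"))
        elif r["kind"] == "O2":
            if "\\system32" in folder:
                reasons.append((1, "BHO loaded from System32 rather than Program Files"))
        elif r["kind"] == "O20":
            if r["name"].lower() not in KNOWN_NOTIFY:
                reasons.append((2, "Winlogon Notify package not on the stock XP allowlist"))
        if r["kind"] in ("O2", "O20") and refs[base] > 1:
            reasons.append((1, f"{base} is hooked in by more than one load point"))
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            findings.append({"line": r["line"], "score": score, "reasons": [t for _, t in reasons]})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['score']}] {f['line']}")
        for why in f["reasons"]:
            print("      -", why)
```

Run against the sample it flags exactly the five entries the CFScript and the earlier ComboFix run deal with (the two "chat" values, the "Windows Update Manager" value pointing at taskbar.exe, and opppp.dll as both BHO and Notify package) while leaving SoundMan, iTunes, ctfmon, Spybot and the SYSTEM-hive Messenger entry alone; a bare name or a SYSTEM-hive entry on its own only scores one point, which is the intended behaviour for a triage list rather than a verdict.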
dumbo283
2007-09-27, 23:25
Hello and thanks for looking at my logs so promptly.
Here are the new HJT & Combofix logs.
dumbo
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08:40, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [chat] winhost32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager] C:\WINDOWS\taskbar.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chat] winhost32.exe (User 'Default user')
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Freeserve - {EC2C4617-18C7-4E0B-ADD9-EB2DBA8AFC3F} - http://www.freeserve.net/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.tyco-valves.com
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) -
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
End of file - 7161 bytes
dumbo283
2007-09-27, 23:27
ComboFix 07-09-21.2 - "Jan" 2007-09-27 20:49:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.202 [GMT 1:00]
* Created a new restore point
FILE::
C:\WINDOWS\SYSTEM32\opppp.dll
C:\WINDOWS\taskbar.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\SYSTEM32\opppp.dll
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
2007-09-26 21:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-25 11:23 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-01 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-01 15:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-01 15:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-27 20:58 --------- d-------- C:\Program Files\lx_cats
2007-09-27 20:56 196 --a------ C:\WINDOWS\system32\drivers\ALCICH.DAT
2007-09-17 20:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2002-10-03 22:51 5327831 --a--c--- C:\Program Files\gdsol.exe
((((((((((((((((((((((((((((( snapshot_2007-09-26_211539.46 )))))))))))))))))))))))))))))))))))))))))
-c--a-w 1,568,768 2001-09-04 20:45:14 C:\WINDOWS\SYSTEM32\3D Windows XP.scr
-c--a-w 229,376 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2cqag.dll
-c--a-w 377,984 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2dvaa.dll
-c--a-w 201,728 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2dvag.dll
-c--a-w 870,784 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3d1ag.dll
-c--a-w 1,057,760 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3d2ag.dll
-c--a-w 1,888,992 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3duag.dll
-c--a-w 32,768 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ativtmxx.dll
-c--a-w 516,768 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ativvaxx.dll
----a-w 276,992 2006-10-18 21:47:08 C:\WINDOWS\SYSTEM32\audiodev.dll
----a-w 14,336 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\auditusr.exe
----a-w 580,608 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\autofmt.exe
----a-w 11,264 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\autolfn.exe
-c--a-w 8,192 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bitsprx2.dll
-c--a-w 7,168 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bitsprx3.dll
----a-w 71,680 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\blastcln.exe
-c--a-w 20,992 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bthci.dll
-c--a-w 30,208 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bthserv.dll
-c--a-w 50,688 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\btpanui.dll
-c--a-r 32,768 1996-04-04 01:11:00 C:\WINDOWS\SYSTEM32\CMGR32.DLL
-c--a-w 13,824 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\cmsetacl.dll
-c--a-r 27,200 2001-07-21 14:15:52 C:\WINDOWS\SYSTEM32\ctl3dv2.dll
----a-w 1,689,088 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\d3d9.dll
-c--a-w 847,872 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dbgeng.dll
----a-w 640,000 2004-08-03 23:56:44 C:\WINDOWS\SYSTEM32\dbghelp.dll
----a-w 55,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\1033\dwintl.dll
-c--a-w 299,059 2001-03-14 12:10:56 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\NPSVGVw.dll
-c--a-w 491,574 2001-03-14 12:14:00 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGControl.dll
-c--a-w 12,288 2001-03-14 12:06:24 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGRSRC.DLL
-c--a-w 1,597,491 2001-03-14 12:07:52 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGView.dll
-c--a-w 361,984 2004-07-01 22:08:18 C:\WINDOWS\SYSTEM32\bits\qmgr.dll
-c--a-w 32,768 2007-09-27 19:46:12 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-27 19:46:12 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 49,152 2007-09-27 19:46:12 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 100,352 2006-08-16 11:58:05 C:\WINDOWS\SYSTEM32\dllcache\6to4svc.dll
----a-w 71,680 2006-11-07 03:26:44 C:\WINDOWS\SYSTEM32\dllcache\admparse.dll
----a-w 124,928 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
----a-w 151,040 2006-09-14 08:39:49 C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
-c--a-w 617,472 2006-08-25 15:45:58 C:\WINDOWS\SYSTEM32\dllcache\comctl32.dll
----a-w 17,408 2007-01-08 19:01:14 C:\WINDOWS\SYSTEM32\dllcache\corpol.dll
----a-w 1,054,208 2006-09-14 08:39:50 C:\WINDOWS\SYSTEM32\dllcache\danim.dll
-c--a-w 111,616 2006-05-19 12:59:41 C:\WINDOWS\SYSTEM32\dllcache\dhcpcsvc.dll
----a-w 86,528 2007-05-16 15:12:00 C:\WINDOWS\SYSTEM32\dllcache\directdb.dll
-c--a-w 148,480 2006-06-26 17:37:10 C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
-c--a-w 40,960 2004-03-30 01:48:36 C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
-c--a-w 5,632 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_adsiisex.dll
-c--a-w 45,056 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_aqadmin.dll
-c--a-w 312,832 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_aqueue.dll
-c--a-w 43,520 2001-08-18 06:36:16 C:\WINDOWS\SYSTEM32\dllcache\EXCH_fcachdll.dll
-c--a-w 65,536 2001-08-18 06:36:18 C:\WINDOWS\SYSTEM32\dllcache\EXCH_mailmsg.dll
-c--a-w 38,912 2001-08-18 06:36:28 C:\WINDOWS\SYSTEM32\dllcache\EXCH_ntfsdrv.dll
-c--a-w 23,040 2001-08-18 06:36:54 C:\WINDOWS\SYSTEM32\dllcache\EXCH_regtrace.exe
-c--a-w 9,216 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_rwnh.dll
-c--a-w 57,856 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_scripto.dll
-c--a-w 205,824 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_seo.dll
-c--a-w 26,112 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_seos.dll
-c--a-w 175,104 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpadm.dll
-c--a-w 9,728 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpapi.dll
-c--a-w 12,288 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpctrs.dll
-c--a-w 2,134,528 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsnap.dll
-c--a-w 431,104 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsvc.dll
-c--a-w 7,168 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_snprfdll.dll
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
-c--a-w 23,040 2006-08-21 09:14:58 C:\WINDOWS\SYSTEM32\dllcache\fltmc.exe
-c--a-w 128,896 2006-08-21 09:14:58 C:\WINDOWS\SYSTEM32\dllcache\fltmgr.sys
----a-w 282,112 2007-06-19 13:31:19 C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
----a-w 60,416 2006-10-17 11:44:36 C:\WINDOWS\SYSTEM32\dllcache\hmmapi.dll
----a-w 63,488 2007-06-27 08:27:04 C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
----a-w 153,088 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
----a-w 230,400 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
----a-w 2,455,488 2007-04-17 09:28:12 C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dat
----a-w 383,488 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
----a-w 384,512 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
----a-w 78,336 2006-10-17 12:06:00 C:\WINDOWS\SYSTEM32\dllcache\ieencode.dll
----a-w 6,058,496 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
----a-w 44,544 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
----a-w 267,776 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
----a-w 55,296 2006-11-07 03:26:42 C:\WINDOWS\SYSTEM32\dllcache\iesetup.dll
----a-w 13,824 2007-06-27 08:27:05 C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
----a-w 625,152 2007-06-27 08:27:30 C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
----a-w 36,352 2006-10-17 11:57:58 C:\WINDOWS\SYSTEM32\dllcache\imgutil.dll
----a-w 683,520 2007-05-16 15:12:02 C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
-c--a-w 94,720 2006-05-19 12:59:41 C:\WINDOWS\SYSTEM32\dllcache\iphlpapi.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda1.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda2.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda3.dll
-c--a-w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdarme.dll
-c--a-w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdarmw.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbddiv1.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbddiv2.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdfa.dll
-c--a-w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdgeo.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdheb.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdindev.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinguj.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinhin.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinkan.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinmar.dll
-c--a-w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinpun.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdintam.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdintel.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdsyr1.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdsyr2.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth0.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth1.dll
-c--a-w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth2.dll
-c--a-w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth3.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbduk.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdurdu.dll
-c--a-w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdvntc.dll
----a-w 984,576 2007-04-16 15:52:53 C:\WINDOWS\SYSTEM32\dllcache\kernel32.dll
-c--a-w 172,416 2006-06-14 08:47:45 C:\WINDOWS\SYSTEM32\dllcache\kmixer.sys
----a-w 40,960 2006-10-17 12:05:10 C:\WINDOWS\SYSTEM32\dllcache\licmgr10.dll
----a-w 721,920 2006-08-17 12:28:27 C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll
----a-w 40,960 2007-03-08 15:36:28 C:\WINDOWS\SYSTEM32\dllcache\mf3216.dll
----a-w 981,760 2006-10-14 08:13:25 C:\WINDOWS\SYSTEM32\dllcache\mfc42u.dll
-c--a-w 453,120 2006-05-05 09:41:45 C:\WINDOWS\SYSTEM32\dllcache\mrxsmb.sys
----a-w 459,264 2007-06-27 14:34:56 C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
----a-w 52,224 2007-06-27 14:34:56 C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
----a-w 539,136 2006-11-27 14:54:06 C:\WINDOWS\SYSTEM32\dllcache\msftedit.dll
----a-w 45,568 2006-10-17 11:56:10 C:\WINDOWS\SYSTEM32\dllcache\mshta.exe
----a-w 48,128 2006-10-17 11:28:56 C:\WINDOWS\SYSTEM32\dllcache\mshtmler.dll
----a-w 1,314,816 2007-05-16 15:12:08 C:\WINDOWS\SYSTEM32\dllcache\msoe.dll
----a-w 1,104,896 2007-06-26 06:08:16 C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
----a-w 332,288 2006-08-17 12:28:27 C:\WINDOWS\SYSTEM32\dllcache\netapi32.dll
----a-w 2,136,064 2007-02-28 09:08:48 C:\WINDOWS\SYSTEM32\dllcache\ntkrnlmp.exe
----a-w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\SYSTEM32\dllcache\ntkrnlpa.exe
----a-w 2,015,744 2007-02-28 08:38:57 C:\WINDOWS\SYSTEM32\dllcache\ntkrpamp.exe
----a-w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\SYSTEM32\dllcache\ntoskrnl.exe
----a-w 142,336 2006-10-13 12:35:12 C:\WINDOWS\SYSTEM32\dllcache\nwprovau.dll
----a-w 102,400 2007-06-27 14:34:58 C:\WINDOWS\SYSTEM32\dllcache\occache.dll
-c--a-w 13,107,200 2001-09-10 21:15:36 C:\WINDOWS\SYSTEM32\dllcache\oembios.bin
----a-w 549,376 2007-05-17 11:28:05 C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
-c--a-w 8,192 2006-06-26 17:37:10 C:\WINDOWS\SYSTEM32\dllcache\rasadhlp.dll
-c--a-w 181,248 2006-05-14 08:44:08 C:\WINDOWS\SYSTEM32\dllcache\rasmans.dll
-c--a-w 174,592 2006-05-05 09:47:57 C:\WINDOWS\SYSTEM32\dllcache\rdbss.sys
----a-w 433,152 2006-11-27 14:54:06 C:\WINDOWS\SYSTEM32\dllcache\riched20.dll
----a-w 144,896 2007-04-25 14:21:15 C:\WINDOWS\SYSTEM32\dllcache\schannel.dll
----a-w 8,453,632 2006-12-19 21:52:18 C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
----a-w 134,656 2006-12-19 21:52:18 C:\WINDOWS\SYSTEM32\dllcache\shsvcs.dll
-c--a-w 6,400 2006-06-14 08:47:46 C:\WINDOWS\SYSTEM32\dllcache\splitter.sys
-c--a-w 332,928 2006-08-14 10:34:41 C:\WINDOWS\SYSTEM32\dllcache\srv.sys
----a-w 713,216 2006-10-19 13:56:32 C:\WINDOWS\SYSTEM32\dllcache\sxs.dll
-c--a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
.
dumbo283
2007-09-27, 23:28
-c----w 1,568,768 2001-09-04 20:45:14 C:\WINDOWS\SYSTEM32\3D Windows XP.scr
-c----w 229,376 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2cqag.dll
-c----w 377,984 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2dvaa.dll
-c----w 201,728 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati2dvag.dll
-c----w 870,784 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3d1ag.dll
-c----w 1,057,760 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3d2ag.dll
-c----w 1,888,992 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ati3duag.dll
-c----w 32,768 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ativtmxx.dll
-c----w 516,768 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\ativvaxx.dll
------w 276,992 2006-10-18 21:47:08 C:\WINDOWS\SYSTEM32\audiodev.dll
------w 14,336 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\auditusr.exe
------w 580,608 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\autofmt.exe
------w 11,264 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\autolfn.exe
-c----w 8,192 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bitsprx2.dll
-c----w 7,168 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bitsprx3.dll
------w 71,680 2004-08-03 23:56:48 C:\WINDOWS\SYSTEM32\blastcln.exe
-c----w 20,992 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bthci.dll
-c----w 30,208 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\bthserv.dll
-c----w 50,688 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\btpanui.dll
-c----r 32,768 1996-04-04 01:11:00 C:\WINDOWS\SYSTEM32\CMGR32.DLL
-c----w 13,824 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\cmsetacl.dll
-c----r 27,200 2001-07-21 14:15:52 C:\WINDOWS\SYSTEM32\ctl3dv2.dll
------w 1,689,088 2004-08-03 23:56:42 C:\WINDOWS\SYSTEM32\d3d9.dll
-c----w 847,872 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dbgeng.dll
------w 640,000 2004-08-03 23:56:44 C:\WINDOWS\SYSTEM32\dbghelp.dll
------w 55,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\1033\dwintl.dll
-c----w 299,059 2001-03-14 12:10:56 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\NPSVGVw.dll
-c----w 491,574 2001-03-14 12:14:00 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGControl.dll
-c----w 12,288 2001-03-14 12:06:24 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGRSRC.DLL
-c----w 1,597,491 2001-03-14 12:07:52 C:\WINDOWS\SYSTEM32\Adobe\SVG Viewer\SVGView.dll
-c----w 361,984 2004-07-01 22:08:18 C:\WINDOWS\SYSTEM32\bits\qmgr.dll
-c--a-w 32,768 2007-09-26 20:10:39 C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-26 20:10:39 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 49,152 2007-09-26 20:10:39 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c----w 100,352 2006-08-16 11:58:05 C:\WINDOWS\SYSTEM32\dllcache\6to4svc.dll
------w 71,680 2006-11-07 03:26:44 C:\WINDOWS\SYSTEM32\dllcache\admparse.dll
------w 124,928 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
------w 151,040 2006-09-14 08:39:49 C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
-c----w 617,472 2006-08-25 15:45:58 C:\WINDOWS\SYSTEM32\dllcache\comctl32.dll
------w 17,408 2007-01-08 19:01:14 C:\WINDOWS\SYSTEM32\dllcache\corpol.dll
------w 1,054,208 2006-09-14 08:39:50 C:\WINDOWS\SYSTEM32\dllcache\danim.dll
-c----w 111,616 2006-05-19 12:59:41 C:\WINDOWS\SYSTEM32\dllcache\dhcpcsvc.dll
------w 86,528 2007-05-16 15:12:00 C:\WINDOWS\SYSTEM32\dllcache\directdb.dll
-c----w 148,480 2006-06-26 17:37:10 C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
-c----w 40,960 2004-03-30 01:48:36 C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
-c----w 5,632 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_adsiisex.dll
-c----w 45,056 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_aqadmin.dll
-c----w 312,832 2001-08-18 06:36:10 C:\WINDOWS\SYSTEM32\dllcache\EXCH_aqueue.dll
-c----w 43,520 2001-08-18 06:36:16 C:\WINDOWS\SYSTEM32\dllcache\EXCH_fcachdll.dll
-c----w 65,536 2001-08-18 06:36:18 C:\WINDOWS\SYSTEM32\dllcache\EXCH_mailmsg.dll
-c----w 38,912 2001-08-18 06:36:28 C:\WINDOWS\SYSTEM32\dllcache\EXCH_ntfsdrv.dll
-c----w 23,040 2001-08-18 06:36:54 C:\WINDOWS\SYSTEM32\dllcache\EXCH_regtrace.exe
-c----w 9,216 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_rwnh.dll
-c----w 57,856 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_scripto.dll
-c----w 205,824 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_seo.dll
-c----w 26,112 2001-08-18 06:36:30 C:\WINDOWS\SYSTEM32\dllcache\EXCH_seos.dll
-c----w 175,104 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpadm.dll
-c----w 9,728 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpapi.dll
-c----w 12,288 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpctrs.dll
-c----w 2,134,528 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsnap.dll
-c----w 431,104 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsvc.dll
-c----w 7,168 2001-08-18 06:36:32 C:\WINDOWS\SYSTEM32\dllcache\EXCH_snprfdll.dll
------w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
-c----w 23,040 2006-08-21 09:14:58 C:\WINDOWS\SYSTEM32\dllcache\fltmc.exe
-c----w 128,896 2006-08-21 09:14:58 C:\WINDOWS\SYSTEM32\dllcache\fltmgr.sys
------w 282,112 2007-06-19 13:31:19 C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
------w 60,416 2006-10-17 11:44:36 C:\WINDOWS\SYSTEM32\dllcache\hmmapi.dll
------w 63,488 2007-06-27 08:27:04 C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
------w 153,088 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
------w 230,400 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
------w 2,455,488 2007-04-17 09:28:12 C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dat
------w 383,488 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
------w 384,512 2007-06-27 14:34:51 C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
------w 78,336 2006-10-17 12:06:00 C:\WINDOWS\SYSTEM32\dllcache\ieencode.dll
------w 6,058,496 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
------w 44,544 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
------w 267,776 2007-06-27 14:34:55 C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
------w 55,296 2006-11-07 03:26:42 C:\WINDOWS\SYSTEM32\dllcache\iesetup.dll
------w 13,824 2007-06-27 08:27:05 C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
------w 625,152 2007-06-27 08:27:30 C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
------w 36,352 2006-10-17 11:57:58 C:\WINDOWS\SYSTEM32\dllcache\imgutil.dll
------w 683,520 2007-05-16 15:12:02 C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
-c----w 94,720 2006-05-19 12:59:41 C:\WINDOWS\SYSTEM32\dllcache\iphlpapi.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda1.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda2.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbda3.dll
-c----w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdarme.dll
-c----w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdarmw.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbddiv1.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbddiv2.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdfa.dll
-c----w 5,120 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdgeo.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdheb.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdindev.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinguj.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinhin.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinkan.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinmar.dll
-c----w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdinpun.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdintam.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdintel.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdsyr1.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdsyr2.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth0.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth1.dll
-c----w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth2.dll
-c----w 6,144 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdth3.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbduk.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdurdu.dll
-c----w 5,632 2001-08-18 12:00:00 C:\WINDOWS\SYSTEM32\dllcache\kbdvntc.dll
------w 984,576 2007-04-16 15:52:53 C:\WINDOWS\SYSTEM32\dllcache\kernel32.dll
-c----w 172,416 2006-06-14 08:47:45 C:\WINDOWS\SYSTEM32\dllcache\kmixer.sys
------w 40,960 2006-10-17 12:05:10 C:\WINDOWS\SYSTEM32\dllcache\licmgr10.dll
------w 721,920 2006-08-17 12:28:27 C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll
------w 40,960 2007-03-08 15:36:28 C:\WINDOWS\SYSTEM32\dllcache\mf3216.dll
------w 981,760 2006-10-14 08:13:25 C:\WINDOWS\SYSTEM32\dllcache\mfc42u.dll
-c----w 453,120 2006-05-05 09:41:45 C:\WINDOWS\SYSTEM32\dllcache\mrxsmb.sys
------w 459,264 2007-06-27 14:34:56 C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
------w 52,224 2007-06-27 14:34:56 C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
------w 539,136 2006-11-27 14:54:06 C:\WINDOWS\SYSTEM32\dllcache\msftedit.dll
------w 45,568 2006-10-17 11:56:10 C:\WINDOWS\SYSTEM32\dllcache\mshta.exe
------w 48,128 2006-10-17 11:28:56 C:\WINDOWS\SYSTEM32\dllcache\mshtmler.dll
------w 1,314,816 2007-05-16 15:12:08 C:\WINDOWS\SYSTEM32\dllcache\msoe.dll
------w 1,104,896 2007-06-26 06:08:16 C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
------w 332,288 2006-08-17 12:28:27 C:\WINDOWS\SYSTEM32\dllcache\netapi32.dll
------w 2,136,064 2007-02-28 09:08:48 C:\WINDOWS\SYSTEM32\dllcache\ntkrnlmp.exe
------w 2,057,600 2007-02-28 08:38:55 C:\WINDOWS\SYSTEM32\dllcache\ntkrnlpa.exe
------w 2,015,744 2007-02-28 08:38:57 C:\WINDOWS\SYSTEM32\dllcache\ntkrpamp.exe
------w 2,180,352 2007-02-28 09:10:57 C:\WINDOWS\SYSTEM32\dllcache\ntoskrnl.exe
------w 142,336 2006-10-13 12:35:12 C:\WINDOWS\SYSTEM32\dllcache\nwprovau.dll
------w 102,400 2007-06-27 14:34:58 C:\WINDOWS\SYSTEM32\dllcache\occache.dll
-c----w 13,107,200 2001-09-10 21:15:36 C:\WINDOWS\SYSTEM32\dllcache\oembios.bin
------w 549,376 2007-05-17 11:28:05 C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
-c----w 8,192 2006-06-26 17:37:10 C:\WINDOWS\SYSTEM32\dllcache\rasadhlp.dll
-c----w 181,248 2006-05-14 08:44:08 C:\WINDOWS\SYSTEM32\dllcache\rasmans.dll
-c----w 174,592 2006-05-05 09:47:57 C:\WINDOWS\SYSTEM32\dllcache\rdbss.sys
------w 433,152 2006-11-27 14:54:06 C:\WINDOWS\SYSTEM32\dllcache\riched20.dll
------w 144,896 2007-04-25 14:21:15 C:\WINDOWS\SYSTEM32\dllcache\schannel.dll
------w 8,453,632 2006-12-19 21:52:18 C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
------w 134,656 2006-12-19 21:52:18 C:\WINDOWS\SYSTEM32\dllcache\shsvcs.dll
-c----w 6,400 2006-06-14 08:47:46 C:\WINDOWS\SYSTEM32\dllcache\splitter.sys
-c----w 332,928 2006-08-14 10:34:41 C:\WINDOWS\SYSTEM32\dllcache\srv.sys
------w 713,216 2006-10-19 13:56:32 C:\WINDOWS\SYSTEM32\dllcache\sxs.dll
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-02-21 03:01]
"SoundMan"="soundman.exe" [2001-11-14 22:57 C:\WINDOWS\soundman.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-07-10 14:55]
"NvCplDaemon"="NvQTwk" []
"mouseElf"="C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe" [2001-09-18 17:21]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 21:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 21:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 21:00]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-11 12:58]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"chat"=winhost32.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Windows Update Manager"=C:\WINDOWS\taskbar.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-08-01]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 21:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-01]
VPN Client.lnk - C:\WINDOWS\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2006-05-08 15:16:40]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys
R3 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 genmcmn;Genus Mouse+ Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys
S2 AvgCore;AVG6 Kernel;\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
S2 AvgFsh;AVG6 Rezident Driver;\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
Contents of the 'Scheduled Tasks' folder
"2007-04-02 09:00:00 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\TALKTA~1\ANTI-V~1\fsav.exe
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 20:57:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
Completion time: 2007-09-27 21:00:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 21:00
C:\ComboFix2.txt ... 2007-09-26 21:17
Finally the end! dumbo
Hi and sorry for the delay :)
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):
REGEDIT4
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"chat"=-
"Windows Update Manager"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg with file type: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log.
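As an added example (not part of this thread, and not code from ComboFix, Spybot or Dr.Web), the script below triages the "Reg Loading Points" section of a ComboFix log like the one posted earlier and builds the same kind of REGEDIT4 removal file as the Fix.reg above. SAMPLE_LOG is constructed from entries quoted in the thread. The flagging rules, and the reading of the trailing `[date time]` bracket as "the tool found and dated the file", are this example's assumptions, not ComboFix's documented semantics.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log and build a
REGEDIT4 stanza that deletes chosen Run values.  Added example, not ComboFix's
or the thread's own tooling; SAMPLE_LOG is constructed from entries in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries quoted in the thread's Reg Loading Points section.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-02-21 03:01]
"SoundMan"="soundman.exe" [2001-11-14 22:57 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="NvQTwk" []
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"chat"=winhost32.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Windows Update Manager"=C:\WINDOWS\taskbar.exe
'''

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "name"=data, optionally followed by a [date time ...] bracket written by the tool.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s\[(?P<meta>[^\]]*)\])?$')
ROOTED_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class RunEntry:
    key: str
    name: str
    data: str
    meta: Optional[str]            # text inside the trailing [...], None if absent
    flags: List[str] = field(default_factory=list)

    @property
    def image(self) -> str:
        """The program as written in the value, without quotes or arguments."""
        if self.data.startswith('"'):
            end = self.data.find('"', 1)
            return self.data[1:end] if end > 0 else self.data[1:]
        parts = self.data.split()
        return parts[0] if parts else ""


def parse_loading_points(text: str) -> List[RunEntry]:
    """Collect (key, name, data, meta) for every value under each [HKEY_...] header."""
    entries: List[RunEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m['name'], m['data'], m['meta']))
    return entries


def triage(entries: List[RunEntry]) -> List[RunEntry]:
    """Annotate each entry with the heuristics used here (assumptions of this example)."""
    for e in entries:
        if not ROOTED_RE.match(e.image):
            e.flags.append("no full path")        # a bare name is resolved via PATH at logon
        if not e.meta:
            e.flags.append("no file date")        # "[]" or no bracket: the log shows no dated file
        if "\\.default\\" in e.key.lower():
            e.flags.append("default-user hive")   # the hive the thread's Fix.reg targets
    return entries


def needs_review(entries: List[RunEntry]) -> List[RunEntry]:
    """Undated entries that are also unrooted or in HKU\\.DEFAULT: a review list, not a kill list."""
    return [e for e in entries
            if "no file date" in e.flags
            and ("no full path" in e.flags or "default-user hive" in e.flags)]


def regedit4_delete(entries: List[RunEntry]) -> str:
    """REGEDIT4 text deleting the given values with the "name"=- form, grouped by key,
    ending in the blank line Regedit expects."""
    by_key = {}
    for e in entries:
        by_key.setdefault(e.key, []).append(e.name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_loading_points(SAMPLE_LOG))
    for e in needs_review(found):
        print(f"{e.key}\n  {e.name!r} -> {e.image}  [{', '.join(e.flags)}]")
    chosen = [e for e in found if e.name in ("chat", "Windows Update Manager")]
    print(regedit4_delete(chosen))
```

The output of needs_review is for a human to read, not to act on blindly: the NVIDIA NvCplDaemon entry trips the same rules as winhost32.exe, and the .DEFAULT-hive MSMSGS entry is listed only because it sits in that hive without a file date. The REGEDIT4 stanza is therefore generated from the entries you pass in explicitly; the thread's Fix.reg removed only `chat` and `Windows Update Manager`.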
dumbo283
2007-10-01, 14:00
Thanks again - this certainly seems to have zapped a lot of nasties (logs to follow). However, I still have this "fakeWGA" appearing when I run Spybot. The details given are:
(SBI $88177DB5) Settings [Registry Key]
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp.
Not really sure how to tackle this.
dumbo
RegUBP2b-Jan.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
HPFix.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
HPFix2.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
A0022802.exe;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP238;Trojan.DownLoader.12309;Deleted.;
A0024922.reg;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP240;Trojan.StartPage.1505;Deleted.;
A0026003.reg;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP243;Trojan.StartPage.1505;Deleted.;
A0026042.exe;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP243;Trojan.DownLoader.10963;Deleted.;
A0026043.exe;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP243;Trojan.DownLoader.8548;Deleted.;
A0026044.exe;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP243;Trojan.DownLoader.10346;Deleted.;
A0026275.dll;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP246;Trojan.Virtumod;Deleted.;
A0026373.reg;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP247;Trojan.StartPage.1505;Deleted.;
A0026374.reg;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP247;Trojan.StartPage.1505;Deleted.;
A0026375.reg;C:\System Volume Information\_restore{3ED5D9B9-22FF-481B-BD35-02123C5251EF}\RP247;Trojan.StartPage.1505;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.2;Trojan.DownLoader.10346;Deleted.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:43, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.tyco-valves.com
O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) -
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
End of file - 6843 bytes
Hello :)
I think that this FakeWGA alert is a false positive.
Is this all the info Spybot gives?
(SBI $88177DB5) Settings [Registry Key]
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp.
dumbo283
2007-10-03, 15:26
Hello Mr JAk3
Yes, this is all the information it gives on fakeWGA.
I also have Spybot popping up a window to Allow or Deny access from "Bad URLs" from DoubleClick and AvenueAInc every time I click on any of my e-mails/inbox or anywhere within Hotmail. I don't know if this is related as Spybot does not identify these as problems on a scan.
dumbo
Hi :)
Ok, what version of Spybot are you using? Are you using the latest definition files?
dumbo283
2007-10-03, 23:34
Hello again
Yes, I think I have the latest definitions - I upgraded to v1.5 last week before starting this thread and regularly download updates. Although the fakeWGA thing used to be picked up by v1.4 too.
dumbo :red:
Ok let's see :)
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and choose Save as. Name the file peek.bat, set Save as Type to All files, and select the Desktop icon on the left to save it on the desktop.
Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named check.txt
Please post the contents of check.txt into your next reply here.
REM peek.bat - export both spellings of the key Spybot reported and show the result
REM start with a fresh check.txt so a re-run does not append to the old one
if exist check.txt del check.txt
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Tmp."
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Tmp"
REM regedit writes Unicode files; type converts them as it appends to check.txt
if exist peek1.txt type peek1.txt >> check.txt
if exist peek2.txt type peek2.txt >> check.txt
del peek*.txt
start notepad check.txt
dumbo283
2007-10-05, 00:11
Hi there
Here are the contents of check.txt:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Tmp]
I have no idea what this is telling me!
dumbo:red:
Hi :)
OK that is just a minor leftover...
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tmp]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Restart the computer and run Spybot scan again. Still finding FakeWGA ?
dumbo283
2007-10-08, 16:58
Unfortunately, I am still getting the same message, even after running fix.reg. I think maybe the Spybot program is creating this on start-up. In fact, now I think about it, usually Spybot does not start up straight away and I have to double-click on it 2 or 3 times for it to run. I have tried uninstalling Spybot and downloading and installing it again - but the same thing happens :sad:
dumbo
Hi :)
Ok, strange... And you didn't get an error message when you ran the regfix?
Please run the peek.bat again and post the contents of check.txt
dumbo283
2007-10-10, 01:14
Hi Mr JaK3
No - the message when I ran fix.reg said it had been entered into the Registry.
Peek.bat produces the same as last time:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Tmp]
When I ran Spybot & got the same fakeWGA finding, I got the same details as before:
SBI $88177DB5 Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp
I then double-clicked the Registry icon looking for more details and got into Registry Editor where it said under
Name Type Data
[icon with Ab on it] (Default) REG_SZ (Value not set)
Didn't dare do anything with this! - I just noted it down.
Have you any suggestions, or should I just live with this?
Many thanks
dumbo
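A diagnostic for the situation above, added here as an example and not code from the thread or from Spybot: it reports whether HKLM\SOFTWARE\Tmp still exists, what it holds, and whether it was written since the last boot, which separates a stale leftover from a key that something recreates at startup. The function name Get-RegKeyReport and the assumption of Windows PowerShell 5.1 or later are mine.

```powershell
# Added example (not from this thread or from Spybot): report on the key Spybot
# flagged, HKLM\SOFTWARE\Tmp, to tell a stale leftover from a key that something
# recreates at every startup. Assumes Windows PowerShell 5.1 or later.

# RegQueryInfoKey is the documented way to read a registry key's last-write time.
$null = Add-Type -Namespace Win32 -Name RegInfo -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyReport {
    param([string]$Path = 'HKLM:\SOFTWARE\Tmp')   # the key from the Spybot report

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $key = Get-Item -LiteralPath $Path
    $subKeys = $maxSub = $maxClass = $values = $maxName = $maxVal = $sd = [uint32]0
    $ft = [long]0
    $rc = [Win32.RegInfo]::RegQueryInfoKey($key.Handle, [IntPtr]::Zero, [IntPtr]::Zero,
        [IntPtr]::Zero, [ref]$subKeys, [ref]$maxSub, [ref]$maxClass, [ref]$values,
        [ref]$maxName, [ref]$maxVal, [ref]$sd, [ref]$ft)
    $lastWrite = if ($rc -eq 0) { [DateTime]::FromFileTime($ft) } else { $null }

    # A key written after the last boot is being recreated at startup (the
    # suspicion raised in the thread); one older than the boot is a leftover.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $sinceBoot = if ($null -ne $lastWrite) { $lastWrite -gt $boot } else { $null }

    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        SubKeys          = $key.GetSubKeyNames()
        Values           = $key.GetValueNames()   # empty when only the unset (Default) exists
        LastWriteTime    = $lastWrite
        LastBootUpTime   = $boot
        WrittenSinceBoot = $sinceBoot
    }
}

Get-RegKeyReport | Format-List
```

Run it once after the .reg fix and again after a reboot: a key that comes back with a LastWriteTime later than LastBootUpTime is being recreated by something that runs at startup, not left over from before.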
You can remove the tools we used.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
dumbo283
2007-10-11, 15:27
Many many thanks for all your help Mr JaK3.
Although I still have what I thought was my problem, I have cured many I didn't realise I had! I am now putting into practice all your final advice.
Thanks again :)
dumbo
You're very welcome :D:
This topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: