Aargh, Command Service



buffoon
2007-09-25, 23:22
Never again will I be careless about firewalls. The best part is, I used my firewall to block Command Service's Internet access and it blanked out my desktop--no icons, no taskbar, no right-click menu, nothing.

I can't get a Kaspersky report because IE freezes on startup, but here's a HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 16:39, on 2007-09-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [{31-19-99-93-ZN}] C:\DOCUME~1\Dave\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Dave\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

buffoon
2007-09-25, 23:26
Just noticed HJT was out of date, here's a proper log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25, on 2007-09-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\DAVE\DESKTOP\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [{31-19-99-93-ZN}] C:\DOCUME~1\Dave\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Dave\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Dave\My Documents\My Pictures\calvintrexed2.jpg

--
End of file - 4127 bytes
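
Both logs above carry the entry that matters: thinksnet.exe launched from Dave's Local Settings\Temp folder under a Run value named {31-19-99-93-ZN}, a second launch of the same file through a Startup-folder shortcut, and a service (x10nets) whose binary HijackThis reports as missing. The Python below is added to this page as an example, not a tool anyone in the thread used; it parses HijackThis O4 and O23 lines and flags exactly those patterns. The sample log embedded in it is constructed from the entry shapes in the logs above, and the flagging rules (Temp-folder launch, brace-wrapped name that is not a real GUID, "(file missing)" service) are the example's own heuristics, not anything HijackThis itself does.

```python
"""Triage a HijackThis log for the patterns that stand out in the logs above.

Added example, not a tool from this thread. Flags three things:
  * O4 entries whose executable lives in a Temp or per-user data folder
  * O4 Run value names wrapped in braces that are not real GUIDs
  * O23 services whose binary HijackThis reports as '(file missing)'
The rules are this example's own heuristics; a hit is a reason to look, not a verdict.
"""
import re
from dataclasses import dataclass

# Directories a legitimate autostart almost never runs from. Both long and
# 8.3 short-name spellings are listed because HijackThis prints the path
# exactly as the registry value or .lnk target holds it.
SUSPICIOUS_DIRS = (
    r"\\temp\\",              # ...\Local Settings\Temp\, C:\WINDOWS\Temp\
    r"\\locals~1\\temp\\",    # 8.3 spelling of Local Settings\Temp
    r"\\application data\\",
    r"\\applic~1\\",
    r"\\recycler\\",
)
_SUSPICIOUS_DIR_RE = re.compile("|".join(SUSPICIOUS_DIRS), re.IGNORECASE)

# A well-formed GUID is 8-4-4-4-12 hex digits. Brace-wrapped names that fail
# this test (such as {31-19-99-93-ZN}) are random tokens dressed up as one.
_GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$",
    re.IGNORECASE)

_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_STARTUP_RE = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<entry>.+?)(?: = (?P<target>.+))?$")
_SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# The first executable-looking path in a command line, quoted or unquoted;
# the trailing $ forces the whole line to be consumed, so a '.com' buried in
# a directory name cannot cut the path short.
_EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|bat|cmd|scr|pif|vbs|js))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def command_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, or '' if none found."""
    m = _EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def _location_reasons(path: str) -> list:
    if path and _SUSPICIOUS_DIR_RE.search(path):
        return ["runs from a temporary or per-user data directory"]
    return []


def triage(log_text: str) -> list:
    """Return a Finding for every HijackThis line that trips one of the rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := _RUN_RE.match(line):
            name = m.group("name")
            if name.startswith("{") and not _GUID_RE.match(name):
                reasons.append("Run value name is a fake GUID")
            reasons += _location_reasons(command_path(m.group("cmd")))
        elif m := _STARTUP_RE.match(line):
            # A bare 'name.exe' sits in the Startup folder itself; only the
            # '.lnk = target' form reveals where the program really lives.
            reasons += _location_reasons(m.group("target") or "")
        elif m := _SERVICE_RE.match(line):
            if m.group("missing"):
                reasons.append("service points at a binary that no longer exists")
            reasons += _location_reasons(m.group("path"))
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


# Constructed sample, modelled on the entry shapes in the logs above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{31-19-99-93-ZN}] C:\DOCUME~1\Dave\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Dave\Local Settings\Temp\thinksnet.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script reports three lines: the fake-GUID Run value (two reasons, since it also launches from Temp), the TA_Start.lnk shortcut, and the orphaned x10nets service. The legitimate OEM entries, including ones that run a bare filename such as CTHELPER.EXE, pass untouched; a bare filename resolved through the search path is common for vendor utilities and is deliberately not flagged here.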

Angelfire777
2007-09-26, 12:17
Hi, Welcome to Safer Networking!


C:\DOCUMENTS AND SETTINGS\DAVE\DESKTOP\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Your log shows 2 HijackThis running; use only the new version.

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
_______

HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.


On your next reply, please include a
Fresh HijackThis log.
HJT Uninstall list
Combofix log.

buffoon
2007-09-27, 02:29
ComboFix seems to have already solved my vanishing desktop problem, so thank you for that.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:10 PM, on 9/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\F***SP~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Dave\My Documents\My Pictures\calvintrexed2.jpg

--
End of file - 4517 bytes


Uninstall list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Alien Shooter 2 Pre-release Demo
Aliens vs. Predator 2
AOL Instant Messenger
ArtRage 2.2 Free
AstroPop Deluxe 1.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI HYDRAVISION
ATI Multimedia Center 9.01
ATI Parental Control & Encoder
ATI Remote Wonder 2.3
Battleships Forever v0.74
Blackhawk Striker from ATI (remove only)
Blasterball 2 from ATI (remove only)
Bookworm Adventures Deluxe 1.0
Bounce Symphony from ATI (remove only)
BreakQuest
CCleaner (remove only)
Chuzzle Deluxe 1.0
Community Expansion Pack version 1.51
Cortex Command
Crimsonland
DAO
Darwinia v1.42
Dawn of War - Dark Crusade
Dink Smallwood
DivX
DROD: Journey to Rooted Hold AppVersion
DROD: Journey to Rooted Hold Demo 2.0.8
DROD3D Shareware (Uninstall)
EPSON Printer Software
Fable - The Lost Chapters
Fahrenheit Demo
Fallout2
Far Cry
Feeding Frenzy
Fraps (remove only)
FreeUndelete
Game Maker 6.1
GameTap
Gish Demo
Glace
Gothic II
GTA San Andreas
GTK+ 2.6.7-1 runtime environment
Half-Life(R) 2
Hamsterball Gold 2.18m
Heavy Weapon Deluxe 1.0
Hex Workshop v4.23
HijackThis 2.0.2
Hostile Waters
HSP56 MR Drivers
Hyperballoid Complete Edition
Immortal Defense 1.0
Insaniquarium Deluxe 1.0
Internet Explorer Q867801
iTunes
Jardinains!
Java 2 Runtime Environment, SE v1.4.2_05
Knytt 1.0.1
Last.fm Player 1.0.3
LEGO Digital Designer
LEGO Star Wars 2 DEMO
LEGO Star Wars Demo Disc
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lode Runner Online
Macromedia Shockwave Player
Mars Rover from ATI (remove only)
Microsoft .NET Framework 2.0
Microsoft Crimson Skies
Microsoft Data Access Components KB870669
MilkShape 3D 1.7.4
mIRC
ModPlug Player
Mozilla Firefox (1.0PR)
MrRobot 1.0
Narbacular Drop version 1.4
Neverwinter Nights 2
Norton Personal Firewall
OpenAL
Orbital from ATI (remove only)
Outlook Express Q823353
Overball from ATI (remove only)
Painkiller
Peggle Deluxe 1.0
Polar Bowler from ATI (remove only)
PopCap Browser Plugin
Puzzle Pirates
QuickTime
Real Alternative 1.42
Realtek AC'97 Audio
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Sacrifice Demo
ScriptEase 1.3.5
Serious Sam 2 Demo
Serious Sam: The Second Encounter
SiN Episodes: Emergence
SiSoftware Sandra Standard 2004.SP2b (Win32 x86)
Snood for Windows version 3.52-W
Sound Blaster Live! Web 2K/XP
SpaceCowboy
SpeedFan (remove only)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Starscape V1.5c
Steam(TM)
STX from ATI (remove only)
Talismania Deluxe 1.0
TES Construction Set
The GIMP 2.2.7
The Ur-Quan Masters 0.4.0
Tom Clancy's Splinter Cell Chaos Theory
Trillian
Typer Shark Deluxe 1.02
UniChrome II Graphics Display Driver and Utilities
Unreal Gold
Vampire - The Masquerade Bloodlines
VDMSound 2.0.4
Ventrilo Client
VIA Integrated Setup Wizard
VIA Rhine Family Fast Ethernet Adapter
Virtual Warfare from ATI (remove only)
Warhammer 40,000: Dawn Of War - Gold Edition
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinRAR archiver
Wireless PCI Card Configuration Utility
Word Symphony from ATI (remove only)
Zuma Deluxe 1.0


ComboFix log:

ComboFix 07-09-21.2 - "Dave" 2007-09-26 20:05:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.783 [GMT -4:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\DOCUME~1\Dave\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Dave\STARTM~1\Programs\Startup\ta_start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\system32\D2
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\opnmnmn.dll
C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SFSYNC02
-------\cmdService
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-25 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-25 16:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 14:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-08 14:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-08 14:45 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-08 14:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-08 14:45 2,060 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-04 20:34 <DIR> d--hs---- C:\WINDOWS\Qm9EYXZTVGU
2007-09-04 20:33 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-04 20:33 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-04 20:33 <DIR> d-------- C:\WINDOWS\system32\capcom
2007-08-26 20:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 19:59 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-21 21:48 --------- d-------- C:\Program Files\Trillian
2007-09-04 21:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-26 20:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 11:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\Qm9EYXZTVGU\kA6Hsrtnp3o.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\system32\CTHELPER.EXE]
"VTTimer"="VTTimer.exe" [2003-08-19 23:56 C:\WINDOWS\system32\VTTimer.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 04:54 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-03 15:02]
"PCTVOICE"="pctspk.exe" [2002-06-05 02:17 C:\WINDOWS\system32\pctspk.exe]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 20:19]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-14 19:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-14 19:29]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 23:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 07:43]
"ATI Launchpad"="" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00]

C:\DOCUME~1\Dave\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2004-10-04 21:36:25]
PowerReg SchedulerV2.exe [2005-07-10 23:02:09]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Dave\My Documents\My Pictures\calvintrexed2.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless PCI Card Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless PCI Card Configuration Utility.lnk
backup=C:\WINDOWS\pss\Wireless PCI Card Configuration Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

R0 viasraid;viasraid;C:\WINDOWS\System32\DRIVERS\viasraid.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\System32\SVKP.sys
R2 X4HSX32;X4HSX32;\??\E:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\System32\DRIVERS\WMP11V27.sys
S3 cdrmkaun;cdrmkaun;\??\C:\DOCUME~1\Dave\LOCALS~1\Temp\cdrmkaun.sys

.
Contents of the 'Scheduled Tasks' folder
"2004-09-10 21:26:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 20:13:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 20:15:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-26 20:14
.
--- E O F ---

Angelfire777
2007-09-27, 14:55
Hi,

Remove MS Java
The Microsoft Java Virtual Machine, or MS Java VM, is used to run Java applets that can be found on web sites. When you visit a web site that has a Java applet, the MS JVM will compile and execute that applet on your machine. Microsoft no longer supports the MS JVM and it has become obsolete. There have also been known security issues with unpatched versions of the MS JVM and you should remove it and install the safer SUN JVM as an alternative (instructions follow).

Instructions on how to remove MS Java can be found >here< (http://www.bleepingcomputer.com/tutorials/tutorial97.html)
____

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe

This is a registration reminder that is used by several companies. It is also believed to report back to the installing company some information about your computer. I recommend that you fix it.

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____

Combofix Deletions
Open Notepad.
Copy and paste the text inside the code box below to Notepad.


File::
C:\WINDOWS\System32\SVKP.sys

Folder::
C:\WINDOWS\Qm9EYXZTVGU
C:\WINDOWS\system32\drvr2
C:\WINDOWS\system32\cfig322
C:\WINDOWS\system32\capcom

Driver::
SVKP

Dirlook::
C:\WINDOWS\system32\DRVSTORE
Save and name it as "CFScript".
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
Combofix will restart your machine, then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
_____

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u2 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
_____

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan", select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.


On your next reply, please include a
Fresh HijackThis log.
combofix log
kaspersky scan log
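
The CFScript above tells ComboFix what to remove, and the log ComboFix writes afterwards lists what it actually deleted under its "Other Deletions" and "Drivers/Services" headers. The Python below is added here as an example and is not something from the thread: it reads the File::/Folder::/Driver:: directives of a CFScript and checks each target against those two log sections, so a target ComboFix never touched shows up as unconfirmed instead of being assumed gone. The embedded script and log are constructed from the formats posted in this thread, with one invented folder (C:\WINDOWS\system32\examplestale) added to the script and deliberately left out of the log so that a miss is visible.

```python
"""Check a ComboFix run against the CFScript that drove it.

Added example, not a tool from this thread. parse_cfscript() reads the
'Name::' directive blocks of a CFScript; parse_sections() splits a ComboFix
log at its '((((( Title )))))' headers; verify() reports, for each File::,
Folder:: and Driver:: target, whether the log confirms its removal.
Formats follow the script and logs posted in this thread; the sample data
below is constructed, including one folder that deliberately is not deleted.
"""
import re

_DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
_SECTION_RE = re.compile(r"^\(+\s*(?P<title>[^()]+?)\s*\)+$")


def parse_cfscript(text: str) -> dict:
    """Return {directive: [targets]} for a CFScript, e.g. {'Driver': ['SVKP']}."""
    directives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _DIRECTIVE_RE.match(line):
            current = m.group("name")
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_sections(log_text: str) -> dict:
    """Return {section title: [content lines]} for a ComboFix log."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _SECTION_RE.match(line):
            current = m.group("title")
            sections.setdefault(current, [])
        elif current is not None and line and line != ".":  # '.' is ComboFix padding
            sections[current].append(line)
    return sections


def verify(cfscript: str, log_text: str) -> dict:
    """Map each File::/Folder::/Driver:: target to True if the log confirms its removal."""
    wanted = parse_cfscript(cfscript)
    sections = parse_sections(log_text)
    deleted = {l.lower() for l in sections.get("Other Deletions", [])}
    # Removed services and drivers are listed as '-------\NAME' (plus the
    # matching '-------\LEGACY_NAME' enum key) under Drivers/Services.
    removed = {l.split("\\", 1)[1].lower()
               for l in sections.get("Drivers/Services", [])
               if l.startswith("-------\\")}
    result = {}
    for target in wanted.get("File", []) + wanted.get("Folder", []):
        result[target] = target.lower() in deleted
    for driver in wanted.get("Driver", []):
        result[driver] = driver.lower() in removed
    return result


# Constructed. The last Folder:: entry is invented and absent from the log below.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\System32\SVKP.sys

Folder::
C:\WINDOWS\Qm9EYXZTVGU
C:\WINDOWS\system32\capcom
C:\WINDOWS\system32\examplestale

Driver::
SVKP

Dirlook::
C:\WINDOWS\system32\DRVSTORE
"""

# Constructed excerpt in the layout ComboFix 07-09 logs use.
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 07-09-21.2 - "Dave" 2007-09-28 19:10:29.2 - NTFSx86
.
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.
C:\WINDOWS\Qm9EYXZTVGU
C:\WINDOWS\Qm9EYXZTVGU\kA6Hsrtnp3o.vbs
C:\WINDOWS\system32\capcom
C:\WINDOWS\system32\capcom\nab22011.exe
C:\WINDOWS\System32\SVKP.sys
.
((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))
-------\LEGACY_SVKP
-------\SVKP
((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))
2007-09-28 18:16 <DIR> d-------- C:\WINDOWS\LastGood
"""

if __name__ == "__main__":
    for target, confirmed in verify(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(("removed     " if confirmed else "NOT in log  ") + target)
```

Dirlook:: entries are parsed but not checked, because that directive only asks ComboFix to list a directory, not delete it. Matching is case-insensitive since the script and log spell System32 differently, exactly as the thread's own posts do.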

buffoon
2007-09-29, 04:11
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:12 PM, on 9/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\FUCKSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 4452 bytes
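
A triage pass over HijackThis entries of the kind shown in the log above, added here as an example; it is not part of the original thread and not HijackThis code. The sample lines are constructed in the v1.99.1 line format (they mirror the O4/O16/O23 entry kinds above but are not a copy of the posted log), and the regular expressions are my own assumptions about that format. It flags the things a reviewer looks for first: a service whose binary carries no company name ("Unknown owner"), a service whose binary is gone ("(file missing)"), an autorun that names a bare executable with no path (so the file is located through the search path at logon), and any ActiveX download entry.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format (not a verbatim copy of any
# posted log); it covers the entry kinds a first triage pass cares about.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

@dataclass
class Finding:
    entry: str   # HijackThis entry type: O4, O16 or O23
    name: str    # autorun value name, control description or service name
    path: str    # executable or URL the entry points at
    reason: str  # why it was flagged

# Assumed line shapes, derived from the v1.99.1 output format.
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First token up to a program-file extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|js|dll))"?', re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the executable part of a Run-key command line, quotes and arguments removed."""
    m = EXE_RE.match(cmd.strip())
    return m.group('exe') if m else cmd.strip().split()[0]


def is_bare(path: str) -> bool:
    """True when the entry names a file with no directory: it is found via the search path."""
    return '\\' not in path and re.match(r'^[A-Za-z]:', path) is None


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line):
            exe = executable_of(m['cmd'])
            if is_bare(exe):
                findings.append(Finding('O4', m['name'], exe,
                    'bare filename: resolved through the search path at logon, so a '
                    'same-named file earlier in that path would run instead'))
        elif m := O16_RE.match(line):
            findings.append(Finding('O16', m['desc'], m['url'],
                'ActiveX control downloaded from the web; confirm this host is one you deliberately used'))
        elif m := O23_RE.match(line):
            if m['path'].endswith('(file missing)'):
                findings.append(Finding('O23', m['name'], m['path'],
                    'service registered but its binary is absent: leftover from an uninstall, '
                    'or a file that was deleted; confirm which before removing the entry'))
            elif m['owner'] == 'Unknown owner':
                findings.append(Finding('O23', m['name'], m['path'],
                    'binary has no company name in its version resource; verify it by hash '
                    'or signature before trusting it'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.entry:4} {f.name!r:45} {f.path}\n     {f.reason}')
```

Entries that pass this filter are not cleared; a full path and a recognisable company name are exactly what a well-made trojan presents. The filter only orders the list so that the orphaned and unattributed entries are read first.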

buffoon
2007-09-29, 04:12
ComboFix log part 1:

ComboFix 07-09-21.2 - "Dave" 2007-09-28 19:10:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.718 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\System32\SVKP.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Qm9EYXZTVGU
C:\WINDOWS\Qm9EYXZTVGU\kA6Hsrtnp3o.vbs
C:\WINDOWS\system32\capcom
C:\WINDOWS\system32\capcom\nab22011.exe
C:\WINDOWS\system32\cfig322
C:\WINDOWS\system32\cfig322\icm33o.exe
C:\WINDOWS\system32\drvr2
C:\WINDOWS\system32\drvr2\bbc002nws.exe
C:\WINDOWS\System32\SVKP.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SVKP
-------\SVKP


((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 18:16 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-25 17:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-25 16:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 14:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-08 14:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-08 14:45 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-08 14:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-08 14:45 2,060 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 19:15 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-21 21:48 --------- d-------- C:\Program Files\Trillian
2007-09-04 21:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-26 20:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-21 22:33 46432 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-08-21 22:07 2417664 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-08-21 21:13 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-08-05 11:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\system32\DRVSTORE ----



((((((((((((((((((((((((((((( snapshot_2007-09-26_201337.50 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 4,162 2007-09-28 23:01:11 C:\WINDOWS\mozver.dat
----a-w 192,512 2005-01-28 17:44:28 C:\WINDOWS\inf\unregmp2.exe
----a-w 6,550 2003-02-28 20:35:26 C:\WINDOWS\LastGood\jautoexp.dat
----a-w 46,352 2003-02-28 22:26:30 C:\WINDOWS\LastGood\setdebug.exe
----a-w 249,856 2002-08-29 10:41:28 C:\WINDOWS\LastGood\INF\unregmp2.exe
----a-w 5,120 2002-08-29 10:40:06 C:\WINDOWS\LastGood\System32\asferror.dll
----a-w 480,768 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\Audiodev.dll
----a-w 204,800 2001-08-18 12:00:00 C:\WINDOWS\LastGood\System32\blackbox.dll
----a-w 179,712 2002-08-29 10:40:50 C:\WINDOWS\LastGood\System32\cewmdm.dll
----a-w 266,240 2002-08-29 10:40:50 C:\WINDOWS\LastGood\System32\drmclien.dll
----a-w 76,830 2002-08-29 10:40:50 C:\WINDOWS\LastGood\System32\drmstor.dll
----a-w 602,112 2002-08-29 10:40:50 C:\WINDOWS\LastGood\System32\drmv2clt.dll
----a-w 313,856 2003-02-28 20:34:42 C:\WINDOWS\LastGood\System32\dx3j.dll
----a-w 187,152 2003-02-28 22:26:16 C:\WINDOWS\LastGood\System32\javacypt.dll
----a-w 139,536 2003-02-28 22:26:18 C:\WINDOWS\LastGood\System32\javaee.dll
----a-w 63,248 2003-02-28 22:26:18 C:\WINDOWS\LastGood\System32\javaprxy.dll
----a-w 404,752 2003-02-28 22:26:18 C:\WINDOWS\LastGood\System32\javart.dll
----a-w 15,120 2003-02-28 22:26:30 C:\WINDOWS\LastGood\System32\jdbgmgr.exe
----a-w 171,280 2003-02-28 22:26:20 C:\WINDOWS\LastGood\System32\jit.dll
----a-w 6,656 2002-08-29 10:41:00 C:\WINDOWS\LastGood\System32\laprxy.dll
----a-w 24,576 2002-08-29 10:41:26 C:\WINDOWS\LastGood\System32\logagent.exe
----a-w 154,384 2003-02-28 22:26:20 C:\WINDOWS\LastGood\System32\msawt.dll
----a-w 947,472 2003-02-28 22:26:26 C:\WINDOWS\LastGood\System32\msjava.dll
----a-w 21,264 2003-02-28 22:26:26 C:\WINDOWS\LastGood\System32\msjdbc10.dll
----a-w 174,592 2002-08-29 10:41:06 C:\WINDOWS\LastGood\System32\msnetobj.dll
----a-w 25,088 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\MsPMSNSv.dll
----a-w 175,104 2002-08-29 10:41:06 C:\WINDOWS\LastGood\System32\MsPMSP.dll
----a-w 245,760 2002-08-29 10:41:08 C:\WINDOWS\LastGood\System32\MSSCP.dll
----a-w 155,648 2001-08-18 12:00:00 C:\WINDOWS\LastGood\System32\MSWMDM.dll
----a-w 152,576 2001-08-18 12:00:00 C:\WINDOWS\LastGood\System32\qasf.dll
----a-w 47,104 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\uwdf.exe
----a-w 286,992 2003-02-28 22:26:26 C:\WINDOWS\LastGood\System32\vmhelper.dll
----a-w 15,872 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wdfapi.dll
----a-w 38,912 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wdfmgr.exe
----a-w 184,320 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmadmod.dll
----a-w 442,398 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmadmoe.dll
----a-w 274,432 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmasf.dll
----a-w 22,528 2001-08-18 12:00:00 C:\WINDOWS\LastGood\System32\WMDMLOG.dll
----a-w 20,480 2001-08-18 12:00:00 C:\WINDOWS\LastGood\System32\WMDMPS.dll
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\WMDRMdev.dll
----a-w 290,816 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\WMDRMNet.dll
----a-w 189,440 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmerror.dll
----a-w 150,016 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmidx.dll
----a-w 253,952 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmnetmgr.dll
----a-w 5,550,080 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmp.dll
----a-w 135,168 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmpasf.dll
----a-w 253,952 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmpcd.dll
----a-w 1,298,432 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmpcore.dll
----a-w 282,624 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmpdxm.dll
----a-w 1,589,760 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmpencen.dll
----a-w 1,998,848 2002-08-29 10:39:24 C:\WINDOWS\LastGood\System32\wmploc.dll
----a-w 77,824 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmpshell.dll
----a-w 175,104 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmpsrcwp.dll
----a-w 1,404,928 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmpui.dll
----a-w 110,592 2002-08-29 10:41:18 C:\WINDOWS\LastGood\System32\wmsdmod.dll
----a-w 1,116,160 2004-08-11 05:45:04 C:\WINDOWS\LastGood\System32\wmsdmoe2.dll
----a-w 531,192 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wmspdmod.dll
----a-w 936,960 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wmspdmoe.dll
----a-w 1,181,944 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wmvadvd.dll
----a-w 1,509,376 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\WMVADVE.DLL
----a-w 1,220,608 2002-08-29 10:41:20 C:\WINDOWS\LastGood\System32\wmvcore.dll
----a-w 294,912 2002-08-29 10:41:20 C:\WINDOWS\LastGood\System32\wmvdmod.dll
----a-w 999,424 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wmvdmoe2.dll
----a-w 61,952 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdconns.dll
----a-w 114,176 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdmtp.dll
----a-w 331,776 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdmtpdr.dll
----a-w 66,560 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdmtpus.dll
----a-w 327,680 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdsp.dll
----a-w 10,752 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpdtrace.dll
----a-w 38,912 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\wpd_ci.dll
----a-w 18,944 2004-08-11 05:45:06 C:\WINDOWS\LastGood\System32\DRIVERS\wpdusb.sys
----a-r 294,912 2004-07-11 02:24:32 C:\WINDOWS\LastGood.Tmp\System32\atiiiexx.dll
----a-w 131,072 2005-02-23 02:23:15 C:\WINDOWS\LastGood.Tmp\System32\atikvmag.dll
----a-w 6,524,928 2004-07-11 01:55:03 C:\WINDOWS\LastGood.Tmp\System32\atioglxx.dll
----a-w 118,784 2004-07-11 01:35:32 C:\WINDOWS\LastGood.Tmp\System32\atipdlxx.dll
----a-w 17,408 2004-07-11 01:21:09 C:\WINDOWS\LastGood.Tmp\System32\atitvo32.dll
----a-w 518,560 2004-07-11 01:23:58 C:\WINDOWS\LastGood.Tmp\System32\ativvaxx.dll
----a-w 102,400 2004-07-11 01:35:27 C:\WINDOWS\LastGood.Tmp\System32\Oemdspif.dll
----a-w 164,864 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\cewmdm.dll
----a-w 25,088 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
----a-w 173,568 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSP.dll
----a-w 364,784 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSSCP.dll
----a-w 315,904 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSWMDM.dll
----a-w 28,160 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMLOG.dll
----a-w 33,792 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMPS.dll
----a-w 25,088 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
----a-w 819,200 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\setup_wm.exe
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\wmpcore.dll
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\wmpui.dll
----a-w 47,104 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
----a-w 15,872 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfapi.dll
----a-w 38,912 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
----a-w 61,952 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdconns.dll
----a-w 114,176 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtp.dll
----a-w 331,776 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpdr.dll
----a-w 66,560 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpus.dll
----a-w 331,264 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdsp.dll
----a-w 10,752 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdtrace.dll
----a-w 18,944 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdusb.sys
----a-w 38,912 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpd_ci.dll
----a-w 47,104 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\uwdf.exe
----a-w 15,872 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wdfapi.dll
----a-w 38,912 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wdfmgr.exe
----a-w 61,952 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdconns.dll
----a-w 114,176 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdmtp.dll
----a-w 331,776 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdmtpdr.dll
----a-w 66,560 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdmtpus.dll
----a-w 327,680 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdsp.dll
----a-w 10,752 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdtrace.dll
----a-w 18,944 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpdusb.sys
----a-w 38,912 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}$BACKUP$\System\wpd_ci.dll
----a-w 396,528 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
----a-w 774,904 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
----a-w 413,944 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
----a-w 1,218,808 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
----a-w 895,736 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
----a-w 531,192 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmspdmod.dll
----a-w 1,181,944 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmvadvd.dll
----a-w 6,656 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\laprxy.dll
----a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
----a-w 221,184 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\qasf.dll
----a-w 716,288 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmadmoe.dll
----a-w 224,768 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmasf.dll
----a-w 335,872 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMdev.dll
----a-w 290,816 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMNet.dll
----a-w 150,016 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmidx.dll
----a-w 1,027,072 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmnetmgr.dll
----a-w 1,119,744 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmsdmoe2.dll
----a-w 940,544 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmspdmoe.dll
----a-w 1,512,448 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMVADVE.DLL
----a-w 2,370,296 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvcore.dll
----a-w 1,003,008 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvdmoe2.dll
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\WMDRMdev.dll
----a-w 290,816 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\WMDRMNet.dll
----a-w 150,016 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmidx.dll
----a-w 1,116,160 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmsdmoe2.dll
----a-w 936,960 2004-08-11 05:45:06

buffoon
2007-09-29, 04:15
ComboFix log part 2:

C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmspdmoe.dll
----a-w 1,509,376 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\WMVADVE.DLL
----a-w 999,424 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmvdmoe2.dll
----a-w 294,912 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
----a-w 258,296 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
----a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
----a-w 502,272 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
----a-w 142,336 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\wmpcd.dll
----a-w 8,192 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\asferror.dll
----a-w 484,352 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\Audiodev.dll
----a-w 28,672 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\custsat.dll
----a-w 991,232 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\migrate.exe
----a-w 352,256 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\mpvis.dll
----a-w 192,512 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\unregmp2.exe
----a-w 189,440 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmerror.dll
----a-w 122,880 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmlaunch.exe
----a-w 5,525,504 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmp.dll
----a-w 135,168 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpasf.dll
----a-w 77,824 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpband.dll
----a-w 282,624 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpdxm.dll
----a-w 28,672 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpenc.exe
----a-w 1,594,880 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpencen.dll
----a-w 73,728 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmplayer.exe
----a-w 3,371,008 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmploc.dll
----a-w 86,016 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpshell.dll
----a-w 175,104 2005-01-28 17:44:28 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpsrcwp.dll
----a-w 480,768 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\Audiodev.dll
----a-w 28,672 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\custsat.dll
----a-w 991,232 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\migrate.exe
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\mpvis.dll
----a-w 189,440 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmerror.dll
----a-w 122,880 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmlaunch.exe
----a-w 5,550,080 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmp.dll
----a-w 135,168 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpasf.dll
----a-w 77,824 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpband.dll
----a-w 282,624 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpdxm.dll
----a-w 28,672 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpenc.exe
----a-w 1,589,760 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpencen.dll
----a-w 175,104 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmpsrcwp.dll
----a-w 4,792 2007-09-27 02:10:51 C:\WINDOWS\SoftwareDistribution\EventCache\{19C77CA1-CBAE-470A-A03C-E286B64FBD31}.bin
----a-w 8,192 2005-01-28 17:44:28 C:\WINDOWS\system32\asferror.dll
----a-w 450,560 2007-08-22 01:11:38 C:\WINDOWS\system32\ati2cqag.dll
----a-w 268,800 2007-08-22 02:07:59 C:\WINDOWS\system32\ati2dvag.dll
----a-w 43,520 2007-08-22 01:58:56 C:\WINDOWS\system32\ati2edxx.dll
----a-w 122,880 2007-08-22 01:58:42 C:\WINDOWS\system32\ati2evxx.dll
----a-w 487,424 2007-08-22 01:57:14 C:\WINDOWS\system32\ati2evxx.exe
----a-w 26,112 2007-08-22 01:59:04 C:\WINDOWS\system32\Ati2mdxx.exe
------w 593,920 2007-08-22 01:05:00 C:\WINDOWS\system32\ati2sgag.exe
----a-w 3,091,392 2007-08-22 01:47:23 C:\WINDOWS\system32\ati3duag.dll
----a-w 53,248 2007-08-22 01:56:19 C:\WINDOWS\system32\ATIDDC.DLL
----a-w 352,256 2007-08-22 02:09:12 C:\WINDOWS\system32\ATIDEMGX.dll
----a-w 156,671 2007-08-14 21:11:53 C:\WINDOWS\system32\atiicdxx.dat
----a-w 307,200 2007-08-22 02:07:22 C:\WINDOWS\system32\atiiiexx.dll
----a-w 266,240 2007-08-22 01:19:38 C:\WINDOWS\system32\atikvmag.dll
----a-w 8,306,688 2007-08-22 01:48:15 C:\WINDOWS\system32\atioglx2.dll
----a-w 5,435,392 2007-08-22 01:21:01 C:\WINDOWS\system32\atioglxx.dll
----a-w 172,032 2007-08-22 01:15:37 C:\WINDOWS\system32\atiok3x2.dll
----a-w 143,360 2007-08-22 01:59:26 C:\WINDOWS\system32\atipdlxx.dll
----a-w 17,408 2007-08-22 01:17:54 C:\WINDOWS\system32\atitvo32.dll
----a-w 3,107,788 2007-08-22 01:35:20 C:\WINDOWS\system32\ativva5x.dat
----a-w 972,072 2007-08-22 01:35:20 C:\WINDOWS\system32\ativva6x.dat
----a-w 3,107,788 2007-08-22 01:35:20 C:\WINDOWS\system32\ativvaxx.dat
----a-w 1,586,816 2007-08-22 01:35:39 C:\WINDOWS\system32\ativvaxx.dll
----a-w 484,352 2005-01-28 17:44:28 C:\WINDOWS\system32\Audiodev.dll
----a-w 294,912 2005-01-28 17:44:28 C:\WINDOWS\system32\blackbox.dll
----a-w 164,864 2005-01-28 17:44:28 C:\WINDOWS\system32\cewmdm.dll
----a-w 258,296 2005-01-28 17:44:28 C:\WINDOWS\system32\drmclien.dll
----a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\system32\drmstor.dll
----a-w 502,272 2005-01-28 17:44:28 C:\WINDOWS\system32\drmv2clt.dll
----a-w 135,168 2007-07-12 05:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 05:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 06:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 6,656 2005-01-28 17:44:28 C:\WINDOWS\system32\laprxy.dll
----a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\system32\logagent.exe
----a-w 142,336 2005-01-28 17:44:28 C:\WINDOWS\system32\msnetobj.dll
----a-w 25,088 2005-01-28 17:44:28 C:\WINDOWS\system32\MsPMSNSv.dll
----a-w 173,568 2005-01-28 17:44:28 C:\WINDOWS\system32\MsPMSP.dll
----a-w 364,784 2005-01-28 17:44:28 C:\WINDOWS\system32\MSSCP.dll
----a-w 315,904 2005-01-28 17:44:28 C:\WINDOWS\system32\MSWMDM.dll
----a-w 77,824 2007-03-23 20:23:23 C:\WINDOWS\system32\Oemdspif.dll
----a-w 58,596 2007-09-27 00:14:13 C:\WINDOWS\system32\perfc009.dat
----a-w 392,296 2007-09-27 00:14:14 C:\WINDOWS\system32\perfh009.dat
----a-w 221,184 2005-01-28 17:44:28 C:\WINDOWS\system32\qasf.dll
----a-w 47,104 2005-01-28 17:44:28 C:\WINDOWS\system32\uwdf.exe
----a-w 15,872 2005-01-28 17:44:28 C:\WINDOWS\system32\wdfapi.dll
----a-w 38,912 2005-01-28 17:44:28 C:\WINDOWS\system32\wdfmgr.exe
----a-w 396,528 2005-01-28 17:44:28 C:\WINDOWS\system32\wmadmod.dll
----a-w 716,288 2005-01-28 17:44:28 C:\WINDOWS\system32\wmadmoe.dll
----a-w 224,768 2005-01-28 17:44:28 C:\WINDOWS\system32\wmasf.dll
----a-w 28,160 2005-01-28 17:44:28 C:\WINDOWS\system32\WMDMLOG.dll
----a-w 33,792 2005-01-28 17:44:28 C:\WINDOWS\system32\WMDMPS.dll
----a-w 335,872 2005-01-28 17:44:28 C:\WINDOWS\system32\WMDRMdev.dll
----a-w 290,816 2005-01-28 17:44:28 C:\WINDOWS\system32\WMDRMNet.dll
----a-w 189,440 2005-01-28 17:44:28 C:\WINDOWS\system32\wmerror.dll
----a-w 150,016 2005-01-28 17:44:28 C:\WINDOWS\system32\wmidx.dll
----a-w 1,027,072 2005-01-28 17:44:28 C:\WINDOWS\system32\wmnetmgr.dll
----a-w 5,525,504 2005-01-28 17:44:28 C:\WINDOWS\system32\wmp.dll
----a-w 135,168 2005-01-28 17:44:28

buffoon
2007-09-29, 04:19
ComboFix log part 3:

C:\WINDOWS\system32\wmpasf.dll
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpcd.dll
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpcore.dll
----a-w 282,624 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpdxm.dll
----a-w 1,594,880 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpencen.dll
----a-w 3,371,008 2005-01-28 17:44:28 C:\WINDOWS\system32\wmploc.dll
----a-w 86,016 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpshell.dll
----a-w 175,104 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpsrcwp.dll
----a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\wmpui.dll
----a-w 774,904 2005-01-28 17:44:28 C:\WINDOWS\system32\wmsdmod.dll
----a-w 1,119,744 2005-01-28 17:44:28 C:\WINDOWS\system32\wmsdmoe2.dll
----a-w 413,944 2005-01-28 17:44:28 C:\WINDOWS\system32\wmspdmod.dll
----a-w 940,544 2005-01-28 17:44:28 C:\WINDOWS\system32\wmspdmoe.dll
----a-w 1,218,808 2005-01-28 17:44:28 C:\WINDOWS\system32\wmvadvd.dll
----a-w 1,512,448 2005-01-28 17:44:28 C:\WINDOWS\system32\WMVADVE.DLL
----a-w 2,370,296 2005-01-28 17:44:28 C:\WINDOWS\system32\wmvcore.dll
----a-w 895,736 2005-01-28 17:44:28 C:\WINDOWS\system32\wmvdmod.dll
----a-w 1,003,008 2005-01-28 17:44:28 C:\WINDOWS\system32\wmvdmoe2.dll
----a-w 61,952 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdconns.dll
----a-w 114,176 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdmtp.dll
----a-w 331,776 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdmtpdr.dll
----a-w 66,560 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdmtpus.dll
----a-w 331,264 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdsp.dll
----a-w 10,752 2005-01-28 17:44:28 C:\WINDOWS\system32\wpdtrace.dll
----a-w 38,912 2005-01-28 17:44:28 C:\WINDOWS\system32\wpd_ci.dll
----a-w 16,384 2007-09-28 23:15:06 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-28 23:15:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 65,536 2007-09-28 23:15:06 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 8,192 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\asferror.dll
-c--a-w 268,800 2007-08-22 02:07:59 C:\WINDOWS\system32\dllcache\ati2dvag.dll
-c--a-w 2,417,664 2007-08-22 02:07:39 C:\WINDOWS\system32\dllcache\ati2mtag.sys
-c--a-w 294,912 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\blackbox.dll
-c--a-w 164,864 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\cewmdm.dll
-c--a-w 258,296 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\drmclien.dll
-c--a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\drmstor.dll
-c--a-w 502,272 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\drmv2clt.dll
-c--a-w 6,656 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\laprxy.dll
-c--a-w 96,768 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\logagent.exe
-c--a-w 142,336 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\msnetobj.dll
-c--a-w 173,568 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\mspmsp.dll
-c--a-w 364,784 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\msscp.dll
-c--a-w 315,904 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\mswmdm.dll
-c--a-w 221,184 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\qasf.dll
-c--a-w 819,200 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\setup_wm.exe
-c--a-w 192,512 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\unregmp2.exe
-c--a-w 396,528 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmadmod.dll
-c--a-w 716,288 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmadmoe.dll
-c--a-w 224,768 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmasf.dll
-c--a-w 28,160 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmdmlog.dll
-c--a-w 33,792 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmdmps.dll
-c--a-w 1,027,072 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmnetmgr.dll
-c--a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmpcd.dll
-c--a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmpcore.dll
-c--a-w 73,728 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmplayer.exe
-c--a-w 3,371,008 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmploc.dll
-c--a-w 86,016 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmpshell.dll
-c--a-w 20,480 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmpui.dll
-c--a-w 774,904 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmsdmod.dll
-c--a-w 2,370,296 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmvcore.dll
-c--a-w 895,736 2005-01-28 17:44:28 C:\WINDOWS\system32\dllcache\wmvdmod.dll
----a-w 18,944 2005-01-28 17:44:28 C:\WINDOWS\system32\drivers\wpdusb.sys
.
----a-w 4,041 2005-08-09 01:54:21 C:\WINDOWS\mozver.dat
----a-w 249,856 2002-08-29 10:41:28 C:\WINDOWS\inf\unregmp2.exe
----a-w 161,792 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\cewmdm.dll
----a-w 25,088 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
----a-w 169,472 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSP.dll
-c--a-w 360,176 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSSCP.dll
----a-w 311,296 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSWMDM.dll
----a-w 30,208 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMLOG.dll
----a-w 34,304 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMPS.dll
-c--a-w 819,200 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\setup_wm.exe
----a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\wmpcore.dll
----a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\wmpui.dll
----a-w 47,104 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
----a-w 15,872 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfapi.dll
----a-w 38,912 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
----a-w 61,952 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdconns.dll
----a-w 114,176 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtp.dll
----a-w 331,776 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpdr.dll
----a-w 66,560 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpus.dll
----a-w 327,680 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdsp.dll
----a-w 10,752 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdtrace.dll
----a-w 18,944 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdusb.sys
----a-w 38,912 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpd_ci.dll
-c--a-w 380,144 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
-c--a-w 773,368 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
-c--a-w 531,192 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
-c--a-w 1,181,944 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
-c--a-w 871,160 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
----a-w 6,656 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\laprxy.dll
----a-w 96,768 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
----a-w 221,184 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\qasf.dll
-c--a-w 712,704 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmadmoe.dll
----a-w 229,376 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmasf.dll
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMdev.dll
----a-w 290,816 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMNet.dll
-c--a-w 150,016 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmidx.dll
-c--a-w 1,027,072 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmnetmgr.dll
-c--a-w 1,116,160 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmsdmoe2.dll
-c--a-w 936,960 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmspdmoe.dll
-c--a-w 1,509,376 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMVADVE.DLL
-c--a-w 2,362,104 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvcore.dll
----a-w 999,424 2004-08-11 05:45:06 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvdmoe2.dll
----a-w 233,472 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
-c--a-w 253,688 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
----a-w 95,232 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
----a-w 527,360 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
----a-w 141,312 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
----a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\wmpcd.dll
----a-w 8,192 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\asferror.dll
----a-w 480,768 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\Audiodev.dll
----a-w 28,672 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\custsat.dll
-c--a-w 991,232 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\migrate.exe
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\mpvis.dll
----a-w 192,512 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\unregmp2.exe
-c--a-w 189,440 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmerror.dll
----a-w 122,880 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmlaunch.exe
-c--a-w 5,550,080 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmp.dll
----a-w 135,168 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpasf.dll
----a-w 77,824 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpband.dll
----a-w 282,624 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpdxm.dll
----a-w 28,672 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpenc.exe
-c--a-w 1,589,760 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpencen.dll
----a-w 73,728 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmplayer.exe
-c--a-w 3,371,008 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmploc.dll
----a-w 86,016 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpshell.dll
----a-w 175,104 2004-08-11 05:45:04 C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmpsrcwp.dll
----a-w 5,120 2002-08-29 10:40:06 C:\WINDOWS\system32\asferror.dll
----a-w 229,376 2004-07-11 01:19:21 C:\WINDOWS\system32\ati2cqag.dll
----a-w 202,496 2002-08-29 10:40:48 C:\WINDOWS\system32\ati2dvag.dll
----a-w 30,720 2004-07-11 01:35:20 C:\WINDOWS\system32\ati2edxx.dll
----a-w 86,016 2004-07-11 01:35:16 C:\WINDOWS\system32\ati2evxx.dll
----a-w 385,024 2004-07-11 01:35:10 C:\WINDOWS\system32\ati2evxx.exe
----a-w 65,536 2004-07-11 01:35:22 C:\WINDOWS\system32\Ati2mdxx.exe
----a-w 520,192 2006-05-03 15:57:00 C:\WINDOWS\system32\ati2sgag.exe
-c--a-w 2,155,712 2004-07-11 01:34:10 C:\WINDOWS\system32\ati3duag.dll
----a-w 81,920 2004-07-11 01:34:47 C:\WINDOWS\system32\ATIDDC.DLL
----a-w 79,320 2005-01-18 23:05:36 C:\WINDOWS\system32\atiicdxx.dat
----a-r 294,912 2004-07-11 02:24:32 C:\WINDOWS\system32\atiiiexx.dll
----a-w 131,072 2005-02-23 02:23:15 C:\WINDOWS\system32\atikvmag.dll
-c--a-w 6,524,928 2004-07-11 01:55:03 C:\WINDOWS\system32\atioglxx.dll
----a-w 118,784 2004-07-11 01:35:32 C:\WINDOWS\system32\atipdlxx.dll
----a-w 17,408 2004-07-11 01:21:09 C:\WINDOWS\system32\atitvo32.dll
-c--a-w 518,560 2004-07-11 01:23:58 C:\WINDOWS\system32\ativvaxx.dll
----a-w 480,768 2004-08-11 05:45:04 C:\WINDOWS\system32\Audiodev.dll
----a-w 204,800 2001-08-18 12:00:00 C:\WINDOWS\system32\blackbox.dll
----a-w 179,712 2002-08-29 10:40:50 C:\WINDOWS\system32\cewmdm.dll
----a-w 266,240 2002-08-29 10:40:50 C:\WINDOWS\system32\drmclien.dll
-c--a-w 76,830 2002-08-29 10:40:50 C:\WINDOWS\system32\drmstor.dll
----a-w 602,112 2002-08-29 10:40:50

buffoon
2007-09-29, 04:20
ComboFix log part 4:

C:\WINDOWS\system32\drmv2clt.dll
----a-w 45,161 2004-06-04 01:09:14 C:\WINDOWS\system32\java.exe
----a-w 45,163 2004-06-04 01:09:20 C:\WINDOWS\system32\javaw.exe
----a-w 6,656 2002-08-29 10:41:00 C:\WINDOWS\system32\laprxy.dll
----a-w 24,576 2002-08-29 10:41:26 C:\WINDOWS\system32\logagent.exe
----a-w 174,592 2002-08-29 10:41:06 C:\WINDOWS\system32\msnetobj.dll
----a-w 25,088 2004-08-11 05:45:04 C:\WINDOWS\system32\MsPMSNSv.dll
----a-w 175,104 2002-08-29 10:41:06 C:\WINDOWS\system32\MsPMSP.dll
----a-w 245,760 2002-08-29 10:41:08 C:\WINDOWS\system32\MSSCP.dll
----a-w 155,648 2001-08-18 12:00:00 C:\WINDOWS\system32\MSWMDM.dll
----a-w 102,400 2004-07-11 01:35:27 C:\WINDOWS\system32\Oemdspif.dll
----a-w 58,596 2007-04-04 19:03:19 C:\WINDOWS\system32\perfc009.dat
----a-w 392,296 2007-04-04 19:03:19 C:\WINDOWS\system32\perfh009.dat
-c--a-w 152,576 2001-08-18 12:00:00 C:\WINDOWS\system32\qasf.dll
----a-w 47,104 2004-08-11 05:45:04 C:\WINDOWS\system32\uwdf.exe
----a-w 15,872 2004-08-11 05:45:04 C:\WINDOWS\system32\wdfapi.dll
----a-w 38,912 2004-08-11 05:45:04 C:\WINDOWS\system32\wdfmgr.exe
----a-w 184,320 2002-08-29 10:41:18 C:\WINDOWS\system32\wmadmod.dll
-c--a-w 442,398 2002-08-29 10:41:18 C:\WINDOWS\system32\wmadmoe.dll
----a-w 274,432 2002-08-29 10:41:18 C:\WINDOWS\system32\wmasf.dll
----a-w 22,528 2001-08-18 12:00:00 C:\WINDOWS\system32\WMDMLOG.dll
----a-w 20,480 2001-08-18 12:00:00 C:\WINDOWS\system32\WMDMPS.dll
----a-w 344,064 2004-08-11 05:45:04 C:\WINDOWS\system32\WMDRMdev.dll
----a-w 290,816 2004-08-11 05:45:04 C:\WINDOWS\system32\WMDRMNet.dll
----a-w 189,440 2004-08-11 05:45:04 C:\WINDOWS\system32\wmerror.dll
-c--a-w 150,016 2004-08-11 05:45:04 C:\WINDOWS\system32\wmidx.dll
----a-w 253,952 2002-08-29 10:41:18 C:\WINDOWS\system32\wmnetmgr.dll
----a-w 5,550,080 2004-08-11 05:45:04 C:\WINDOWS\system32\wmp.dll
----a-w 135,168 2004-08-11 05:45:04 C:\WINDOWS\system32\wmpasf.dll
----a-w 253,952 2002-08-29 10:41:18 C:\WINDOWS\system32\wmpcd.dll
-c--a-w 1,298,432 2002-08-29 10:41:18 C:\WINDOWS\system32\wmpcore.dll
----a-w 282,624 2004-08-11 05:45:04 C:\WINDOWS\system32\wmpdxm.dll
-c--a-w 1,589,760 2004-08-11 05:45:04 C:\WINDOWS\system32\wmpencen.dll
-c--a-w 1,998,848 2002-08-29 10:39:24 C:\WINDOWS\system32\wmploc.dll
----a-w 77,824 2002-08-29 10:41:18 C:\WINDOWS\system32\wmpshell.dll
----a-w 175,104 2004-08-11 05:45:04 C:\WINDOWS\system32\wmpsrcwp.dll
-c--a-w 1,404,928 2002-08-29 10:41:18 C:\WINDOWS\system32\wmpui.dll
----a-w 110,592 2002-08-29 10:41:18 C:\WINDOWS\system32\wmsdmod.dll
-c--a-w 1,116,160 2004-08-11 05:45:04 C:\WINDOWS\system32\wmsdmoe2.dll
----a-w 531,192 2004-08-11 05:45:06 C:\WINDOWS\system32\wmspdmod.dll
-c--a-w 936,960 2004-08-11 05:45:06 C:\WINDOWS\system32\wmspdmoe.dll
----a-w 1,181,944 2004-08-11 05:45:06 C:\WINDOWS\system32\wmvadvd.dll
-c--a-w 1,509,376 2004-08-11 05:45:06 C:\WINDOWS\system32\WMVADVE.DLL
-c--a-w 1,220,608 2002-08-29 10:41:20 C:\WINDOWS\system32\wmvcore.dll
----a-w 294,912 2002-08-29 10:41:20 C:\WINDOWS\system32\wmvdmod.dll
----a-w 999,424 2004-08-11 05:45:06 C:\WINDOWS\system32\wmvdmoe2.dll
----a-w 61,952 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdconns.dll
----a-w 114,176 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdmtp.dll
----a-w 331,776 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdmtpdr.dll
----a-w 66,560 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdmtpus.dll
----a-w 327,680 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdsp.dll
----a-w 10,752 2004-08-11 05:45:06 C:\WINDOWS\system32\wpdtrace.dll
----a-w 38,912 2004-08-11 05:45:06 C:\WINDOWS\system32\wpd_ci.dll
----a-w 16,384 2007-09-26 23:59:01 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-26 23:59:01 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 65,536 2007-09-26 23:59:01 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 7,680 2002-12-11 20:16:58 C:\WINDOWS\system32\dllcache\asferror.dll
-c--a-w 207,360 2004-07-11 01:37:20 C:\WINDOWS\system32\dllcache\ati2dvag.dll
-c--a-w 1,540,608 2006-05-03 16:50:42 C:\WINDOWS\system32\dllcache\ati2mtag.sys
-c--a-w 233,472 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\blackbox.dll
-c--a-w 161,792 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\cewmdm.dll
-c--a-w 253,688 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\drmclien.dll
-c--a-w 95,232 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\drmstor.dll
-c--a-w 527,360 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\drmv2clt.dll
-c--a-w 6,656 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\laprxy.dll
-c--a-w 96,768 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\logagent.exe
-c--a-w 141,312 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\msnetobj.dll
-c--a-w 169,472 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\mspmsp.dll
-c--a-w 360,176 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\msscp.dll
-c--a-w 311,296 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\mswmdm.dll
-c--a-w 173,056 2002-12-12 04:14:32 C:\WINDOWS\system32\dllcache\qasf.dll
-c--a-w 819,200 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\setup_wm.exe
-c--a-w 192,512 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\unregmp2.exe
-c--a-w 380,144 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmadmod.dll
-c--a-w 712,704 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmadmoe.dll
-c--a-w 229,376 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmasf.dll
-c--a-w 30,208 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmdmlog.dll
-c--a-w 34,304 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmdmps.dll
-c--a-w 1,027,072 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmnetmgr.dll
-c--a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmpcd.dll
-c--a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmpcore.dll
-c--a-w 73,728 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmplayer.exe
-c--a-w 3,371,008 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmploc.dll
-c--a-w 86,016 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmpshell.dll
-c--a-w 20,480 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmpui.dll
-c--a-w 773,368 2004-08-11 05:45:04 C:\WINDOWS\system32\dllcache\wmsdmod.dll
-c--a-w 2,362,104 2004-08-11 05:45:06 C:\WINDOWS\system32\dllcache\wmvcore.dll
-c--a-w 871,160 2004-08-11 05:45:06 C:\WINDOWS\system32\dllcache\wmvdmod.dll
----a-w 18,944 2004-08-11 05:45:06 C:\WINDOWS\system32\drivers\wpdusb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\system32\CTHELPER.EXE]
"VTTimer"="VTTimer.exe" [2003-08-19 23:56 C:\WINDOWS\system32\VTTimer.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 04:54 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-03 15:02]
"PCTVOICE"="pctspk.exe" [2002-06-05 02:17 C:\WINDOWS\system32\pctspk.exe]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-06-04 12:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 20:19]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-14 19:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-11-14 19:29]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 23:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 07:43]
"ATI Launchpad"="" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-17 22:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless PCI Card Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless PCI Card Configuration Utility.lnk
backup=C:\WINDOWS\pss\Wireless PCI Card Configuration Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

R0 viasraid;viasraid;C:\WINDOWS\System32\DRIVERS\viasraid.sys
R2 X4HSX32;X4HSX32;\??\E:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\System32\DRIVERS\WMP11V27.sys
S3 cdrmkaun;cdrmkaun;\??\C:\DOCUME~1\Dave\LOCALS~1\Temp\cdrmkaun.sys

.
Contents of the 'Scheduled Tasks' folder
"2004-09-10 21:26:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 19:15:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 19:17:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 19:17
.
--- E O F ---

buffoon
2007-09-29, 04:20
Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 28, 2007 10:06:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 29/09/2007
Kaspersky Anti-Virus database records: 424844
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 128260
Number of viruses found: 9
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:42:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ATI MMC\RemoteWonder.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Confdntl.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\Spam.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton Personal Firewall\Log\WebHist.log Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\history.dat Object is locked skipped
C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\f2zqa5dt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Dave\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\MSHist012007092820070929\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dave\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1000.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1001.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1002.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1003.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1004.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymNeti1005.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Norton Personal Firewall\nisum.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\retadpu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.cpj skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\capcom\nab22011.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\capcom\nab22011.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cfig322\icm33o.exe.vir Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvr2\bbc002nws.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\qoobox\Quarantine\catchme2007-09-26_201256.32.zip/opnmnmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\catchme2007-09-26_201256.32.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP666\A0065656.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP683\A0071676.exe Infected: Trojan-Downloader.Win32.Agent.cpj skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP683\A0071677.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP683\A0071679.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\A0072089.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\A0072090.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\A0072091.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\A0072091.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\change.log Object is locked skipped
F:\System Volume Information\_restore{823F857B-7DEA-4843-93BF-9635631C2224}\RP688\change.log Object is locked skipped

Scan process completed.

Angelfire777
2007-09-29, 11:15
Hi,

Using windows explorer, delete the following folders:

C:\Documents and Settings\Dave\Desktop\SmitfraudFix
C:\qoobox <<Combofix's quarantine.

Empty your recycle bin.

Reboot, post a fresh HijackThis log and tell me how your machine is running.

buffoon
2007-09-29, 20:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:58 PM, on 9/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\FUCKSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 4435 bytes


Everything's running fine now. I really appreciate your help.

Angelfire777
2007-09-30, 02:21
Congratulations! Your log looks clean!

One last thing I want you to do is to update your machine to SP2, but before we do that, can you do this first:

Download a diagnostic tool (MGADiag.exe) from here (http://go.microsoft.com/fwlink/?linkid=56062) and save it to your Desktop.
Double-click on MGADiag.exe.
When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
Please post the results in your next reply.

Angelfire777
2007-10-04, 14:47
buffoon?

buffoon
2007-10-04, 23:41
Diagnostic Report (1.7.0039.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Detailed Status: N/A
Cached / Grace status: N/A, N/A
Windows Product Key: *****-*****-CFFCC-J8GFP-Y6RVG
Windows Product Key Hash: 4BrUPwxpQagfcB3QKvlGyuZaDkU=
Windows Product ID: 55277-OEM-2115336-15582
Windows Product ID Type: 3
CSVLK Server: N/A
CSVLK PID: N/A
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {A7128E6B-A952-412E-BA02-9DDA0A783AB6}(3)
Is Admin: Yes
Commit / Reboot / BRT: N/A, N/A, N/A
WGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2993-80070002

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A7128E6B-A952-412E-BA02-9DDA0A783AB6}</UGUID><Version>1.7.0039.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-Y6RVG</PKey><PID>55277-OEM-2115336-15582</PID><PIDType>3</PIDType><SID>S-1-5-21-1454471165-492894223-839522115</SID><SYSTEM><Manufacturer>VIA Technologies, Inc.</Manufacturer><Model>PM800-8237</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20040525******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>D71132D701842263</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/></MachineData> <Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>

Angelfire777
2007-10-05, 16:13
Hi,

Not sure why validation won't work but I want you to be honest with me..Is this a legit copy of Windows XP?

buffoon
2007-10-06, 01:32
Not sure.

Angelfire777
2007-10-07, 02:42
Ok. Make sure you download SP2 with IE7 from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en

and install it. If you don't, the chances of reinfection are very high.

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

MVPS Hosts File
~You can download it from here (http://www.mvps.org/winhelp2002/hosts.zip)
~I highly recommend this hosts file. You can learn more about this here (http://www.mvps.org/winhelp2002/hosts.htm)

IESpyAds
~Instructions on downloading and using it here (http://www.techsupportforum.com/articles-tutorials-reviews/computer-security-articles/168444-installation-guide-ie-spyad.html#post1068846)

Note: This only works for Internet Explorer.

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

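The hosts-file recommendation above cuts both ways: a block list such as the MVPS file sinks ad and malware names to a loopback or unspecified address, while malware uses the same file to point security-vendor and update hosts at 127.0.0.1 (so updates silently fail) or at an attacker's address (the O1 entries HijackThis reports). The following Python script is an added example, not part of the original thread or of the MVPS file, that parses a hosts file and separates ordinary blocking entries from overrides of update/security hosts and redirects to real addresses. The watchlist of vendor hosts and the sample hosts text are constructed for the example; an actual audit would list the vendors the machine depends on.

```python
"""Audit a Windows hosts file: blocking entries vs. hijacks (added example)."""
import ipaddress
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "ip hostname lineno")

# Addresses block lists use to sink a name (both forms are common).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed watchlist of update/security hosts that a hosts file should
# never override; replace with the vendors you actually rely on.
WATCHLIST = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "liveupdate.symantecliveupdate.com",
    "www.spybot.info",
}


def parse_hosts(text):
    """Parse hosts-file text into HostsEntry records, skipping comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line, not an entry
        for name in names:
            entries.append(HostsEntry(ip, name.lower(), lineno))
    return entries


def classify(entry):
    """Return 'self', 'watchlist', 'block' or 'redirect' for one entry."""
    if entry.hostname in ("localhost", "localhost.localdomain", "broadcasthost"):
        return "self"
    if entry.hostname in WATCHLIST:
        return "watchlist"          # any override of these hosts is suspicious
    if entry.ip in SINKHOLE_IPS:
        return "block"              # MVPS-style ad/malware blocking
    return "redirect"               # name sent to a real address: possible pharming


def audit(text):
    """Summarise a hosts file: counts per class plus the suspicious entries."""
    report = {"self": 0, "block": 0, "watchlist": [], "redirect": []}
    for entry in parse_hosts(text):
        kind = classify(entry)
        if kind in ("self", "block"):
            report[kind] += 1
        else:
            report[kind].append(entry)
    return report


# Constructed sample: a normal localhost line, two block-list entries,
# one vendor override and one redirect of the kind malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# block-list style entries
0.0.0.0  ad.doubleclick.net
0.0.0.0  adserver.example   # trailing comment
# entries a dropper might add
127.0.0.1  liveupdate.symantecliveupdate.com
203.0.113.10  www.bank-example.com
not-an-ip  garbage
"""

if __name__ == "__main__":
    r = audit(SAMPLE_HOSTS)
    print(f"{r['block']} blocking entries, {r['self']} loopback entries")
    for e in r["watchlist"]:
        print(f"line {e.lineno}: {e.hostname} overridden -> {e.ip} (update/security host)")
    for e in r["redirect"]:
        print(f"line {e.lineno}: {e.hostname} redirected to {e.ip}")
```

The watchlist check runs before the sinkhole check on purpose: a vendor host sunk to 127.0.0.1 is exactly what an infection does to stop updates, so it must be reported even though the address looks like a harmless block. On XP the file lives at C:\WINDOWS\System32\drivers\etc\hosts; a large MVPS-style file produces thousands of "block" entries and should produce nothing in the other two lists.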
Angelfire777
2007-10-07, 15:53
Glad we could be of assistance.

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.