View Full Version : core.cache.dsk



Jambone
2008-02-04, 12:49
I've tried everything and it just won't go away. I have attached logs of all the tests I tried.

Jambone
2008-02-04, 13:46
Oh yah, one more thing... any help would be much appreciated :) (sorry if I came across rude)

Jambone
2008-02-04, 17:00
Sorry, my bad... I will copy and paste them.

---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:44, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\nHancer\nHancer.exe
D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
d:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\Program Files\nHancer\nHancerService.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\Program Files\Winamp Remote\bin\Orb.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SmartDefrag] "D:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [IntelliPoint] "d:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "d:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [SpybotDeletingA8871] command /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3167] cmd /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" boot "D:\Documents and Settings\James\Local Settings\Application Data\NVIDIA Corporation\nTune\Profiles\nvsutil.nsu"
O4 - HKCU\..\Run: "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "D:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [nHancer] "D:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1251] command /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4046] cmd /c del "D:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Winamp Toolbar Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - D:\Documents and Settings\James\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS2\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: NameServer = 62.31.144.39,195.168.53.175
O17 - HKLM\System\CS3\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: NameServer = 62.31.144.39,195.168.53.175
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - D:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 13543 bytes

-------------------------------------------

SmitFraudFix v2.280

Scan done at 10:16:22.42, 04/02/2008
Run from D:\Documents and Settings\James\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix



»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: NameServer=62.31.144.39,195.168.53.175
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0508402F-732B-49C8-BB04-4135A668E659}: NameServer=62.31.144.39,195.168.53.175
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.31.144.39 195.188.53.175 62.31.112.39


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------

Jambone
2008-02-04, 17:01
ComboFix 08-02.03.1 - James 2008-02-04 9:35:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT 0:00]
Running from: D:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 7

((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:22 . 2008-02-04 09:25 <DIR> d-------- D:\MGtools
2008-02-04 09:18 . 2008-02-04 09:18 1,556 --a------ D:\WINDOWS\system32\tmp.reg
2008-02-04 08:44 . 2008-02-04 08:44 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 08:20 . 2008-02-04 08:19 1,238,736 --a------ D:\MGtools.exe
2008-02-04 08:20 . 2008-02-04 09:25 59,230 --a------ D:\MGlogs.zip
2008-02-04 08:16 . 2008-02-04 08:16 <DIR> d-------- D:\Program Files\Avira
2008-02-04 08:07 . 2008-02-04 08:08 <DIR> d-------- D:\Program Files\Unlocker
2008-02-03 18:02 . 2008-02-03 23:25 357 --a------ D:\WINDOWS\wininit.ini
2008-02-03 17:26 . 2008-02-03 17:27 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-02-03 17:26 . 2008-02-03 21:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 16:30 . 2008-02-03 21:10 <DIR> d-------- D:\Documents and Settings\James\Downloads
2008-02-03 14:30 . 2008-02-04 08:55 <DIR> d-------- D:\Documents and Settings\James\Application Data\CheckPoint
2008-02-03 14:29 . 2008-02-03 14:29 <DIR> d-------- D:\Program Files\CheckPoint
2008-02-02 23:36 . 2008-02-02 23:36 <DIR> d-------- D:\Program Files\Audacity
2008-02-02 21:29 . 2008-02-02 21:29 86,144 --a------ D:\WINDOWS\system32\drivers\ndiswann.sys
2008-02-02 20:28 . 2008-02-02 20:28 <DIR> d-------- D:\Program Files\ESET
2008-02-02 18:34 . 2008-02-02 18:34 <DIR> d-------- D:\Program Files\Common Files\Softwin
2008-02-02 17:26 . 2008-02-02 17:26 <DIR> d-------- D:\Program Files\Microsoft IntelliType Pro
2008-02-02 17:23 . 2007-08-31 12:01 1,421,736 --a------ D:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-02-02 17:23 . 2004-08-04 00:56 21,504 --a------ D:\WINDOWS\system32\drivers\hidserv.dll
2008-02-02 17:23 . 2007-08-31 11:58 18,856 --a------ D:\WINDOWS\system32\drivers\nuidfltr.sys
2008-02-02 17:23 . 2008-02-02 17:23 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-02 17:23 . 2008-02-02 17:23 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- D:\Program Files\Microsoft IntelliPoint
2008-02-02 17:22 . 2007-08-21 01:13 21,760 --a------ D:\WINDOWS\system32\drivers\point32.sys
2008-02-02 17:06 . 2008-02-02 17:06 139,008 --a------ D:\WINDOWS\system32\guard32.dll
2008-02-02 17:06 . 2008-02-02 17:06 81,272 --a------ D:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-02 17:06 . 2008-02-02 17:06 23,672 --a------ D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-01 19:01 . 2008-02-01 19:01 <DIR> d-------- D:\Documents and Settings\James\Application Data\ieSpell
2008-01-27 12:47 . 2008-01-27 12:47 268 --ah----- D:\sqmdata09.sqm
2008-01-27 12:47 . 2008-01-27 12:47 244 --ah----- D:\sqmnoopt09.sqm
2008-01-27 11:52 . 2008-01-27 11:52 <DIR> d-------- D:\WINDOWS\system32\NtmsData
2008-01-27 11:38 . 2008-01-27 11:38 <DIR> d-------- D:\Program Files\MSXML 6.0
2008-01-27 08:53 . 2008-01-27 08:53 <DIR> d-------- D:\WINDOWS\1st JavaScript Editor
2008-01-26 23:53 . 2008-01-26 23:54 <DIR> d-------- D:\Program Files\uTorrent
2008-01-26 21:39 . 2008-02-03 21:49 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-26 21:39 . 2008-01-26 21:39 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-26 16:20 . 2008-01-26 16:20 <DIR> d-------- D:\Program Files\proDAD
2008-01-26 16:20 . 2007-01-27 09:28 <DIR> d-------- D:\Documents and Settings\James\Application Data\proDAD
2008-01-26 15:34 . 2008-01-26 15:34 <DIR> d-------- D:\Documents and Settings\James\Application Data\Publish Providers
2008-01-26 15:33 . 2008-01-26 17:04 <DIR> d-------- D:\Documents and Settings\James\Application Data\Sony
2008-01-26 15:30 . 2008-01-26 15:30 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Sony
2008-01-26 15:24 . 2008-01-26 15:24 <DIR> d-------- D:\WINDOWS\system32\XPSViewer
2008-01-26 15:23 . 2008-01-26 15:23 <DIR> d-------- D:\Program Files\Reference Assemblies
2008-01-26 15:22 . 2006-06-29 13:07 14,048 --------- D:\WINDOWS\system32\spmsg2.dll
2008-01-26 15:20 . 2008-01-26 15:20 <DIR> d-------- D:\Documents and Settings\James\Application Data\Sony Setup
2008-01-26 13:25 . 2008-02-02 21:32 <DIR> d-------- D:\Documents and Settings\James\Application Data\uTorrent
2008-01-20 23:21 . 2008-01-26 15:30 <DIR> d-------- D:\Program Files\Sony
2008-01-20 23:20 . 2008-01-26 16:06 <DIR> d-------- D:\Program Files\Sony Setup
2008-01-15 22:02 . 2008-01-15 22:02 <DIR> d-------- D:\Program Files\ImTOO
2008-01-11 23:01 . 2008-01-11 23:01 <DIR> d-------- D:\Program Files\AviSynth 2.5
2008-01-11 23:00 . 2008-01-11 23:00 <DIR> d-------- D:\Program Files\Red Kawa
2008-01-11 19:40 . 2008-01-11 19:43 <DIR> d-------- D:\Documents and Settings\James\Shared
2008-01-11 18:05 . 2007-12-17 13:53 159,458 --a------ D:\WINDOWS\system32\nvapps.nvb
2008-01-11 17:57 . 2008-01-11 17:57 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-07 18:45 . 2004-08-04 12:00 96,768 --a------ D:\WINDOWS\system32\dllcache\dpcdll.dll
2008-01-07 18:44 . 2008-01-08 18:11 <DIR> d-------- D:\WINDOWS\system32\en
2008-01-07 18:44 . 2008-01-08 18:11 <DIR> d-------- D:\WINDOWS\system32\bits
2008-01-07 18:44 . 2008-01-08 18:09 <DIR> d-------- D:\WINDOWS\l2schemas
2008-01-07 18:32 . 2007-10-26 03:34 8,460,288 --a------ D:\WINDOWS\system32\dllcache\shell32.dll
2008-01-07 15:55 . 2008-01-07 15:55 <DIR> d-------- D:\Program Files\HiFi
2008-01-07 15:55 . 2008-01-07 22:09 <DIR> d-------- D:\Documents and Settings\James\Application Data\HiFi
2008-01-07 15:11 . 2008-01-07 15:11 <DIR> d-------- D:\Program Files\Nibitor
2008-01-06 23:29 . 2008-01-12 00:10 23,392 --a------ D:\WINDOWS\system32\nscompat.tlb
2008-01-06 23:29 . 2008-01-12 00:10 16,832 --a------ D:\WINDOWS\system32\amcompat.tlb
2008-01-06 22:48 . 2008-01-06 22:48 <DIR> d-------- D:\Program Files\IObit
2008-01-06 18:14 . 2008-01-06 18:14 <DIR> d-------- D:\Program Files\Winamp Toolbar
2008-01-06 18:14 . 2008-01-06 18:14 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-01-06 12:01 . 2008-01-06 12:01 <DIR> d-------- D:\Program Files\DivX
2008-01-05 15:39 . 2008-01-05 15:39 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-05 14:46 . 2008-01-05 14:46 <DIR> d-------- D:\Program Files\iPod
2008-01-05 14:45 . 2008-01-05 14:46 <DIR> d-------- D:\Program Files\iTunes
2008-01-05 14:44 . 2008-01-05 14:44 <DIR> d-------- D:\Program Files\QuickTime
2008-01-05 12:43 . 2008-01-05 12:43 268 --ah----- D:\sqmdata08.sqm
2008-01-05 12:43 . 2008-01-05 12:43 244 --ah----- D:\sqmnoopt08.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 09:13 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-02-04 08:43 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 08:16 --------- d-----w D:\Documents and Settings\All Users\Application Data\Avira
2008-02-03 20:33 --------- d-----w D:\Program Files\Winamp Remote
2008-02-03 20:24 --------- d-----w D:\Program Files\Mozilla Thunderbird
2008-02-03 17:44 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 14:21 --------- d-----w D:\Program Files\ASRC
2008-02-03 00:47 --------- d-----w D:\Program Files\mIRC
2008-02-03 00:45 --------- d-----w D:\Program Files\GameSpy Arcade
2008-02-02 17:41 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
2008-02-02 17:06 --------- d-----w D:\Program Files\Comodo
2008-02-02 17:06 --------- d-----w D:\Program Files\Common Files\Agnitum Shared
2008-02-02 17:06 --------- d-----w D:\Documents and Settings\James\Application Data\Comodo
2008-02-02 14:29 --------- d-----w D:\Program Files\Windows Live
2008-02-02 13:36 --------- d-----w D:\Program Files\Yahoo!
2008-02-02 13:36 --------- d-----w D:\Documents and Settings\James\Application Data\FrostWire
2008-02-02 13:26 --------- d-----w D:\Program Files\Winamp
2008-02-02 13:13 --------- d-----w D:\Program Files\Valve
2008-02-02 13:12 --------- d-----w D:\Program Files\AAS
2008-02-02 13:12 --------- d-----w D:\Program Files\3D Mailbox
2008-01-26 15:30 --------- d-----w D:\Program Files\VstPlugins
2008-01-26 15:26 --------- d-----w D:\Program Files\MSBuild
2008-01-26 15:17 --------- d-----w D:\Program Files\MagicISO
2008-01-10 20:59 --------- d-----w D:\Program Files\xchat
2008-01-07 14:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\nHancer
2008-01-06 23:28 --------- d-----w D:\Program Files\Windows Desktop Search
2008-01-06 16:00 --------- d-----w D:\Program Files\Microsoft Games
2008-01-06 15:37 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-01-06 15:20 --------- d-----w D:\Program Files\Windows Media Connect 2
2008-01-06 14:13 --------- d-----w D:\Program Files\FrostWire
2008-01-05 16:27 --------- d-----w D:\Program Files\Windows Live Safety Center
2008-01-05 15:41 --------- d-----w D:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-01-05 15:09 --------- d-----w D:\Documents and Settings\James\Application Data\Apple Computer
2008-01-05 12:43 --------- d-----w D:\Program Files\Messenger Plus! Live
2007-12-16 14:52 --------- d-----w D:\Documents and Settings\All Users\Application Data\GRETECH
2007-12-16 14:50 --------- d-----w D:\Documents and Settings\James\Application Data\GRETECH
2007-12-16 14:49 --------- d-----w D:\Program Files\GRETECH
2007-12-15 14:08 --------- d-----w D:\Documents and Settings\James\Application Data\Microsoft Games
2007-12-15 14:08 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-12-15 13:16 --------- d-----w D:\Program Files\Image-Line
2007-12-14 17:58 --------- d-----w D:\Program Files\ATCA
2007-12-12 18:28 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 17:37 --------- d-----w D:\Program Files\VRC Runways
2007-12-11 12:56 --------- d-----w D:\Program Files\EuroScope
2007-12-10 16:31 --------- d-----w D:\Program Files\VRC
2007-12-10 11:43 --------- d-----w D:\Program Files\RivaTuner v2.06
2007-12-09 19:02 685,816 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2007-12-09 14:47 --------- d-----w D:\Program Files\Unreal3.2
2007-12-08 19:56 --------- d-----w D:\Program Files\Java
2007-12-08 16:44 --------- d-----w D:\Program Files\Lavasoft
2007-12-08 16:41 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 01:41 7,435,392 ----a-w D:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-29 08:58 96,374 ----a-w D:\Documents and Settings\All Users\Application Data\firstlsp.reg.dat
2007-08-02 23:43 90 --sh--w D:\WINDOWS\cnerolf.dat
.

----a-w 35,842,012 2007-08-04 13:24:20 D:\Documents and Settings\James\My Documents\BitTorrent Downloads\OTHER DOWNLOADS\FlyTampa - St. Maarten for FS9 - .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 16:49 1185120 --a------ D:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{381FFDE8-2394-4F90-B10D-FC6124A40F8C}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= D:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 16:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03 152872]
"msnmsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-08-16 15:19 5728112]
"Orb"="D:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 20:02 495616]
"nHancer"="D:\Program Files\nHancer\nHancer.exe" [2007-10-31 10:43 1519616]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartDefrag"="D:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-12-05 20:49 2895600]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\cfp.exe" [2008-02-02 17:06 1481472]
"IntelliPoint"="d:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"itype"="d:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"UnlockerAssistant"="D:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 17:19 15872]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-04 08:23 249896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\D:^Documents and Settings^James^Start Menu^Programs^Startup^IMVU.lnk]
path=D:\Documents and Settings\James\Start Menu\Programs\Startup\IMVU.lnk
backup=D:\WINDOWS\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^James^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=D:\Documents and Settings\James\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=D:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^James^Start Menu^Programs^Startup^RemindMe.lnk]
path=D:\Documents and Settings\James\Start Menu\Programs\Startup\RemindMe.lnk
backup=D:\WINDOWS\pss\RemindMe.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^James^Start Menu^Programs^Startup^Xfire.lnk]
path=D:\Documents and Settings\James\Start Menu\Programs\Startup\Xfire.lnk
backup=D:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2007-08-02 17:00 4376328 D:\Program Files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
--a------ 2007-07-12 07:24 2928296 D:\FRAPS\FRAPS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 D:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 12:23 200704 D:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 D:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-05-10 15:09 23395880 D:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-16 23:42 1271032 d:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-01-26 13:22 219952 D:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-02 17:06]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-02 17:06]
S1 ndiswann;ndiswann;D:\WINDOWS\system32\drivers\ndiswann.sys [2008-02-02 21:29]
S3 avfwim;AvFw Packet Filter Miniport;D:\WINDOWS\system32\DRIVERS\avfwim.sys []
S3 USB_RNDIS_XP;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver;D:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 12:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d360e3a-6602-11dc-8b23-00179a80aac4}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 19:35:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-03 22:00:00 D:\WINDOWS\Tasks\SmartDefrag.job"
- D:\Program Files\IObit\IObit SmartDefrag\schedule.exe
"2008-02-03 16:53:14 D:\WINDOWS\Tasks\ZoneAlarm Security.job"
- D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:10:03
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\guard32.dll

PROCESS: D:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> D:\WINDOWS\system32\guard32.dll

PROCESS: D:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> D:\WINDOWS\system32\guard32.dll
-> D:\Program Files\WinRAR\rarext.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-02-04 10:15:49 - machine was rebooted
.
2008-02-02 18:22:22 --- E O F ---

------------------------------------------