Help with my hjt log
I have lots of popups in my system when on the internet and can't seem to get them stopped. One is named
core.cache.dsk. Not sure of the others.
__RiP_ChAiN_
2008-02-15, 08:43
Hello Russ234 :)
Please take a look here: http://forums.spybot.info/showthread.php?t=288
On my last post I attached the log. Sorry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:18 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lmtribune.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\mljjiih.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198982726031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: jkklmkj - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 8685 bytes
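A small triage helper for the HijackThis log format posted above, written here as an added example (it is not Russ234's tooling, a Spybot forum script, or part of HijackThis itself). The sample lines are constructed in the same R0/O2/O4/O20/O23 shape as the log, and the review heuristics (a BHO marked "(file missing)", an entry with "(no name)", a Winlogon Notify entry pointing at a bare directory, a vowel-less basename) are assumptions of this example: they produce candidates for a human reviewer, not verdicts.

```python
"""Parse HijackThis-style log lines and flag entries that merit review."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the HijackThis 2.0.2 line format (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\mljjiih.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jkklmkj - C:\WINDOWS\
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Every HJT line starts with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Per-section sub-formats; each exposes a display name and a file path.
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

VOWELS = set("aeiouy")


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    raw: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a recognised HJT line, or None for headers/process lists."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    for rx in (BHO_RE, RUN_RE, NOTIFY_RE, SERVICE_RE):
        sub = rx.match(body)
        if sub:
            return Entry(kind, sub.group("name"), sub.group("path"), line)
    # Unrecognised sub-format (R0 start page, O8/O9/O16 ...): keep the body as the path.
    return Entry(kind, "", body, line)


def looks_random(stem):
    """Weak signal: six or more letters with no vowel at all (e.g. 'jkklmkj').
    Legitimate names such as 'nvcpl' are short enough to pass; treat a hit as
    something to corroborate, never as proof on its own."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and not any(c in VOWELS for c in letters)


def triage(entry):
    """Attach human-readable review reasons to an Entry and return it."""
    path = entry.path
    if path.endswith("(file missing)"):
        entry.reasons.append("orphaned: file missing on disk")
        path = path[: -len("(file missing)")].strip()
    if entry.name == "(no name)":
        entry.reasons.append("unnamed BHO/toolbar")
    if path == "" or path.endswith("\\"):
        entry.reasons.append("no file: path is a bare directory")
    basename = path.replace("/", "\\").split("\\")[-1]
    stem = basename.split(".")[0]
    if looks_random(stem) or (entry.kind == "O20" and looks_random(entry.name)):
        entry.reasons.append("random-looking name")
    return entry


def triage_log(text):
    """Return only the entries that collected at least one review reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry and triage(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.kind, e.name or "-", "|", "; ".join(e.reasons))
        print("    ", e.raw)
```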
__RiP_ChAiN_
2008-02-15, 22:11
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).
You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix 08-02-16.2 - Russ 2008-02-15 15:53:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1564 [GMT -8:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tdpipee.sys
C:\Documents and Settings\Russ\Application Data\inst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\bjgykshd.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tdpipee.sys
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\p4
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\v9
C:\WINDOWS\system32\v9\rabs2135.exe
C:\WINDOWS\system32\z6
C:\WINDOWS\wbun.exe
2008-02-15 14:34 . 2008-02-15 14:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-14 16:13 . 2008-02-15 13:29 227 --a------ C:\WINDOWS\wininit.ini
2008-02-14 16:01 . 2008-02-14 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-14 16:01 . 2008-02-14 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-13 13:22 . 2008-02-13 13:22 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-13 13:10 . 2008-02-13 13:10 <DIR> d-------- C:\Program Files\Panicware
2008-02-12 15:06 . 2008-02-12 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-12 14:41 . 2008-02-12 15:12 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-02-12 14:41 . 2008-02-12 14:52 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Vso
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.sys
2008-02-10 14:04 . 2008-02-10 14:04 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-10 14:03 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-02-10 14:03 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-02-10 14:03 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-02-10 14:03 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-02-08 14:09 . 2008-02-08 14:09 <DIR> d-------- C:\Webshots Data
2008-02-08 13:11 . 2008-02-16 15:56 <DIR> d-------- C:\Program Files\LogMeIn
2008-02-08 13:11 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-02-08 13:11 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-02-08 13:11 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-02-06 23:15 . 2008-02-16 15:56 <DIR> d-------- C:\Program Files\SpywareDetector
2008-02-06 23:15 . 2007-03-19 12:39 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2008-02-06 23:15 . 2008-01-25 18:58 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2008-02-06 23:15 . 2008-01-30 11:03 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2008-02-06 23:15 . 2005-02-06 09:02 104 --a------ C:\WINDOWS\system32\ProxySettings.ini
2008-02-06 20:34 . 2008-02-06 20:34 <DIR> d-------- C:\WINDOWS\system32\rp4
2008-02-06 20:34 . 2008-02-06 20:34 <DIR> d-------- C:\WINDOWS\system32\cz6
2008-02-06 09:22 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-02-06 09:22 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-02-06 09:22 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-02-06 09:22 . 2001-07-28 12:50 265,753 --a------ C:\WINDOWS\system32\AS-Exp2.ocx
2008-02-06 09:22 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-02-06 09:22 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-02-06 09:22 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\systray.ocx
2008-02-06 09:22 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-02-06 09:22 . 2006-05-31 15:38 10,752 --a------ C:\WINDOWS\system32\md5.dll
2008-02-05 22:22 . 2008-02-15 01:04 30,367 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-02-05 22:22 . 2008-02-15 01:00 123 --a------ C:\WINDOWS\system\SysSD.dll
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-31 18:32 . 2008-01-31 17:49 732,056 --a------ C:\WINDOWS\system32\Splash.bmp
2008-01-31 18:08 . 2008-01-31 18:08 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Microsoft Games
2008-01-31 17:29 . 2008-01-31 17:29 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-31 12:40 . 2008-02-14 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 12:40 . 2008-01-31 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-31 12:40 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-31 12:40 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-31 12:40 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-31 12:40 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-31 12:40 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-31 12:40 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-31 10:35 . 2008-01-31 10:35 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-31 08:54 . 2008-01-31 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-31 08:53 . 2008-01-31 08:54 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\PrevxCSI
2008-01-29 12:31 . 2008-01-29 12:31 84,723 --a------ C:\WINDOWS\system32\instdump.dmp
2008-01-20 10:51 . 2008-01-20 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
Find3M Report
2008-02-14 21:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-14 21:13 --------- d-----w C:\Program Files\Google
2008-02-07 18:03 --------- d-----w C:\Documents and Settings\Russ\Application Data\Lavasoft
2008-02-05 19:09 --------- d-----w C:\Documents and Settings\Russ\Application Data\U3
2008-02-03 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-01 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 03:07 --------- d-----w C:\Program Files\HP
2008-01-10 23:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 14:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-10 14:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 14:34 --------- d-----w C:\Documents and Settings\Russ\Application Data\InterTrust
2008-01-10 01:12 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2008-01-10 01:12 --------- d-----w C:\Program Files\CyberLink
2008-01-05 23:34 --------- d-----w C:\Documents and Settings\Russ\Application Data\Canon
2008-01-03 03:15 --------- d-----w C:\Documents and Settings\Russ\Application Data\ESET
2008-01-03 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-01 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-01 23:06 3,982 ----a-w C:\WINDOWSkj01d.sys
2008-01-01 19:48 49,420 ----a-w C:\WINDOWS\system32\drivers\XMS1563K.SYS
2007-12-31 15:51 --------- d-----w C:\Program Files\Macromedia
2007-12-31 04:57 --------- d-----w C:\Program Files\Rebellious Antics
2007-12-31 04:39 --------- d-----w C:\Program Files\Webshots
2007-12-31 04:39 --------- d-----w C:\Documents and Settings\Russ\Application Data\Webshots
2007-12-31 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-31 03:18 --------- d-----w C:\Program Files\SlySoft
2007-12-31 03:13 --------- d-----w C:\Program Files\DVD Shrink
2007-12-31 03:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-31 03:09 --------- d-----w C:\Program Files\Ahead
2007-12-30 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-30 22:28 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-12-30 22:22 --------- d-----w C:\Program Files\Canon
2007-12-30 22:20 --------- d-----w C:\Program Files\ScanSoft
2007-12-30 22:20 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\Russ\Application Data\ScanSoft
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2007-12-30 20:38 --------- d-----w C:\Program Files\Neato
2007-12-30 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fellowes
2007-12-30 17:40 --------- d-----w C:\Documents and Settings\Russ\Application Data\InstallShield Installation Information
2007-12-30 17:30 --------- d-----w C:\Program Files\Unreal Tournament 3
2007-12-30 17:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 17:30 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-30 17:06 --------- d-----w C:\Program Files\Razer
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\HP
2007-12-30 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-30 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-12-30 06:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-30 06:08 --------- d-----w C:\Documents and Settings\Russ\Application Data\HP
2007-12-30 02:43 --------- d-----w C:\Program Files\Siber Systems
2007-12-30 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2007-12-29 18:13 --------- d-----w C:\Program Files\Creative
2007-12-29 17:52 --------- d-----w C:\Program Files\Microsoft Works
2007-12-29 16:32 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-12-29 16:16 558,142 ----a-w C:\WINDOWS\java\Packages\MH71JBNB.ZIP
2007-12-29 16:16 155,995 ----a-w C:\WINDOWS\java\Packages\5R3TJDNR.ZIP
2007-12-29 16:16 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-21 12:15 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-11-16 02:46 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2007-11-16 02:46 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2005-05-12 07:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
Reg Loading Points .
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 14:33 1637312]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 16:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 16:36 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 02:58 3429904]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2008-02-01 18:31 423376]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2008-01-28 12:48 706000]
C:\Documents and Settings\Russ\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-30 20:39:33 157008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmkj]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-01-28 11:30 167936 C:\Program Files\SpywareDetector\SDNotify.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80c6da8b]
C:\WINDOWS\system32\jabbnjwc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-08-13 01:00 40960 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2002-09-02 18:55 24576 C:\WINDOWS\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-09-11 11:04 53248 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET Smart Security\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-03-25 15:48 53248 C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 02:49 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2006-02-17 10:40 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-08 16:36 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
--a------ 2005-09-06 11:52 155648 C:\Program Files\Razer\Copperhead\razerhid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
--a------ 2002-09-23 01:08 2752822 C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-02-14 13:09 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
R0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-01-01 11:48]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-08-04 23:51]
R3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S0 MFX;MFX;C:\WINDOWS\system32\drivers\MFX.sys [2003-08-19 08:33]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ae30826-b636-11dc-a9ef-001d60a1ebe0}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 15:57:26
Windows 5.1.2600 Service Pack 2 NTFS
scan completed successfully
hidden files: 0
Other Running Processes .
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webshots\webshots.scr
Completion time: 2008-02-16 16:08:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 00:08:01
.
2007-12-30 11:05:02 --- E O F ---
Just wanted to say thank you for the help, problem seems to be solved. I have rebooted several times and all looks good. The only thing I have noticed is when I go to RUN and type in msconfig, it can't be found; I have to browse for it?
__RiP_ChAiN_
2008-02-16, 21:23
Hello Russ234 :)
I'm glad your computer is running a bit better, but we still have a little bit of anti-malware work left to do.
Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)
WebBuying
SpywareDetector
1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\jabbnjwc.dll
C:\WINDOWS\system32\CheckDll.dll
C:\WINDOWS\system32\SDEarlyDelete.exe
C:\WINDOWS\system32\ProxySettings.ini
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWS\system\SysSD.dll
C:\WINDOWSkj01d.sys
Folder::
C:\Program Files\Web Buying
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\cz6
C:\Program Files\SpywareDetector
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmkj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80c6da8b]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix 08-02-16.2 - Russ 2008-02-17 14:49:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1607 [GMT -8:00]
Running from: D:\SystemSetup\New SpyWare\ComboFix.exe
Command switches used :: C:\Documents and Settings\Russ\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\CheckDll.dll
C:\WINDOWS\system32\jabbnjwc.dll
C:\WINDOWS\system32\ProxySettings.ini
C:\WINDOWS\system32\SDEarlyDelete.exe
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWSkj01d.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\SpywareDetector
C:\Program Files\SpywareDetector\Data\SD10.DB
C:\Program Files\SpywareDetector\SDLiveupdate\ServerVersion.txt
C:\Program Files\SpywareDetector\Setting\CurrentSettings.ini
C:\Program Files\SpywareDetector\Setting\English_Strings.ini
C:\Program Files\SpywareDetector\Setting\Export.ini
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\cz6
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWSkj01d.sys
.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.
2008-02-15 14:34 . 2008-02-15 14:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-14 16:13 . 2008-02-15 13:29 227 --a------ C:\WINDOWS\wininit.ini
2008-02-14 16:01 . 2008-02-14 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-14 16:01 . 2008-02-14 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-13 13:22 . 2008-02-13 13:22 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-13 13:10 . 2008-02-13 13:10 <DIR> d-------- C:\Program Files\Panicware
2008-02-12 15:06 . 2008-02-12 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-12 14:41 . 2008-02-12 15:12 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-02-12 14:41 . 2008-02-12 14:52 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Vso
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.sys
2008-02-10 14:04 . 2008-02-10 14:04 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-10 14:03 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-02-10 14:03 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-02-10 14:03 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-02-10 14:03 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-02-08 14:09 . 2008-02-08 14:09 <DIR> d-------- C:\Webshots Data
2008-02-08 13:11 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-02-08 13:11 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-02-08 13:11 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-02-06 09:22 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-02-06 09:22 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-02-06 09:22 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-02-06 09:22 . 2001-07-28 12:50 265,753 --a------ C:\WINDOWS\system32\AS-Exp2.ocx
2008-02-06 09:22 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-02-06 09:22 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-02-06 09:22 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\systray.ocx
2008-02-06 09:22 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-02-06 09:22 . 2006-05-31 15:38 10,752 --a------ C:\WINDOWS\system32\md5.dll
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-31 18:32 . 2008-01-31 17:49 732,056 --a------ C:\WINDOWS\system32\Splash.bmp
2008-01-31 18:08 . 2008-01-31 18:08 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Microsoft Games
2008-01-31 17:29 . 2008-01-31 17:29 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-31 12:40 . 2008-02-14 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 12:40 . 2008-01-31 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-31 12:40 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-31 12:40 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-31 12:40 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-31 12:40 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-31 12:40 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-31 12:40 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-31 10:35 . 2008-01-31 10:35 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-31 08:54 . 2008-01-31 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-31 08:53 . 2008-01-31 08:54 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\PrevxCSI
2008-01-29 12:31 . 2008-01-29 12:31 84,723 --a------ C:\WINDOWS\system32\instdump.dmp
2008-01-20 10:51 . 2008-01-20 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 01:45 --------- d-----w C:\Program Files\Google
2008-02-14 21:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-07 18:03 --------- d-----w C:\Documents and Settings\Russ\Application Data\Lavasoft
2008-02-05 19:09 --------- d-----w C:\Documents and Settings\Russ\Application Data\U3
2008-02-03 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-01 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 03:07 --------- d-----w C:\Program Files\HP
2008-01-10 23:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 14:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-10 14:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 14:34 --------- d-----w C:\Documents and Settings\Russ\Application Data\InterTrust
2008-01-10 01:12 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2008-01-10 01:12 --------- d-----w C:\Program Files\CyberLink
2008-01-05 23:34 --------- d-----w C:\Documents and Settings\Russ\Application Data\Canon
2008-01-03 03:15 --------- d-----w C:\Documents and Settings\Russ\Application Data\ESET
2008-01-03 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-01 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-01 19:48 49,420 ----a-w C:\WINDOWS\system32\drivers\XMS1563K.SYS
2007-12-31 15:51 --------- d-----w C:\Program Files\Macromedia
2007-12-31 04:57 --------- d-----w C:\Program Files\Rebellious Antics
2007-12-31 04:39 --------- d-----w C:\Program Files\Webshots
2007-12-31 04:39 --------- d-----w C:\Documents and Settings\Russ\Application Data\Webshots
2007-12-31 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-12-31 03:18 --------- d-----w C:\Program Files\SlySoft
2007-12-31 03:13 --------- d-----w C:\Program Files\DVD Shrink
2007-12-31 03:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-31 03:09 --------- d-----w C:\Program Files\Ahead
2007-12-30 22:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-30 22:28 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-12-30 22:22 --------- d-----w C:\Program Files\Canon
2007-12-30 22:20 --------- d-----w C:\Program Files\ScanSoft
2007-12-30 22:20 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\Russ\Application Data\ScanSoft
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2007-12-30 20:38 --------- d-----w C:\Program Files\Neato
2007-12-30 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fellowes
2007-12-30 17:40 --------- d-----w C:\Documents and Settings\Russ\Application Data\InstallShield Installation Information
2007-12-30 17:30 --------- d-----w C:\Program Files\Unreal Tournament 3
2007-12-30 17:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 17:30 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-30 17:06 --------- d-----w C:\Program Files\Razer
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\HP
2007-12-30 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-30 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-12-30 06:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-30 06:08 --------- d-----w C:\Documents and Settings\Russ\Application Data\HP
2007-12-30 02:43 --------- d-----w C:\Program Files\Siber Systems
2007-12-30 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2007-12-29 18:13 --------- d-----w C:\Program Files\Creative
2007-12-29 17:52 --------- d-----w C:\Program Files\Microsoft Works
2007-12-29 16:32 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-12-29 16:16 558,142 ----a-w C:\WINDOWS\java\Packages\MH71JBNB.ZIP
2007-12-29 16:16 155,995 ----a-w C:\WINDOWS\java\Packages\5R3TJDNR.ZIP
2007-12-29 16:16 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-21 12:15 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2005-05-12 07:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 14:33 1637312]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 16:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 16:36 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 02:58 3429904]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [ ]
C:\Documents and Settings\Russ\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-30 20:39:33 157008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-08-13 01:00 40960 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2002-09-02 18:55 24576 C:\WINDOWS\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-09-11 11:04 53248 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET Smart Security\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-03-25 15:48 53248 C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 02:49 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2006-02-17 10:40 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-08 16:36 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
--a------ 2005-09-06 11:52 155648 C:\Program Files\Razer\Copperhead\razerhid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
--a------ 2002-09-23 01:08 2752822 C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
C:\Program Files\SpywareDetector\LiveUpdateSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
R0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-01-01 11:48]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-08-04 23:51]
R3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S0 MFX;MFX;C:\WINDOWS\system32\drivers\MFX.sys [2003-08-19 08:33]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ae30826-b636-11dc-a9ef-001d60a1ebe0}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:50:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-17 14:50:57
ComboFix-quarantined-files.txt 2008-02-17 22:50:43
ComboFix2.txt 2008-02-17 00:09:03
.
2007-12-30 11:05:02 --- E O F ---
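As an added example, not part of this thread and not ComboFix's own code: the Python below reads the CFScript from the post above and the FILE / Other Deletions sections of the ComboFix log that followed, and reports which requested deletions the log actually confirms. Both inputs are constructed from the entries visible in this thread rather than read from disk. The section markers ("FILE", "Other Deletions", "Files Created") are assumed from this log's layout; Registry:: keys are not echoed in those sections, so for them the script hands back reg query commands to run by hand. It also picks up the missing Recovery Console warning in the log header.

```python
import re

# Added example for this thread: cross-check a CFScript against the FILE /
# Other Deletions sections of the ComboFix log it produced.  Constructed inputs.
CFSCRIPT = r"""
File::
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\jabbnjwc.dll
C:\WINDOWS\system32\CheckDll.dll
C:\WINDOWS\system32\SDEarlyDelete.exe
C:\WINDOWS\system32\ProxySettings.ini
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWS\system\SysSD.dll
C:\WINDOWSkj01d.sys
Folder::
C:\Program Files\Web Buying
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\cz6
C:\Program Files\SpywareDetector
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklmkj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80c6da8b]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
"""

# Constructed: head of the user's ComboFix.txt, cut after the Files Created banner.
COMBOFIX_LOG = r"""
ComboFix 08-02-16.2 - Russ 2008-02-17 14:49:10.2 - NTFSx86
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\CheckDll.dll
C:\WINDOWS\system32\jabbnjwc.dll
C:\WINDOWS\system32\ProxySettings.ini
C:\WINDOWS\system32\SDEarlyDelete.exe
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWSkj01d.sys
(((((((((((( Other Deletions ))))))))))))
C:\Program Files\SpywareDetector
C:\Program Files\SpywareDetector\Data\SD10.DB
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\cz6
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\SDRemoveDB.db
C:\WINDOWSkj01d.sys
(((((((((((( Files Created from 2008-01-17 to 2008-02-17 ))))))))))))
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return {section: [entries]} for 'File::' / 'Folder::' / 'Registry::' blocks."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log_text):
    """Paths listed under FILE / Other Deletions, lower-cased for comparison."""
    deleted, active = set(), False
    for line in (ln.strip() for ln in log_text.splitlines()):
        if line == "FILE" or "Other Deletions" in line:
            active = True
        elif "Files Created" in line:
            active = False
        elif active and DRIVE_PATH.match(line):
            deleted.add(line.lower())
    return deleted


def reconcile(cfscript_text, log_text):
    """Which File::/Folder:: entries the log confirms, plus manual follow-ups."""
    script, deleted = parse_cfscript(cfscript_text), parse_deletions(log_text)
    confirmed, missing = [], []
    for item in script.get("File", []):
        (confirmed if item.lower() in deleted else missing).append(item)
    for folder in script.get("Folder", []):
        key = folder.lower()  # a folder counts if listed itself or via any child
        hit = key in deleted or any(d.startswith(key + "\\") for d in deleted)
        (confirmed if hit else missing).append(folder)
    # Registry:: keys are not echoed in these log sections, so hand back
    # reg.exe queries; an "unable to find" result means the key is gone.
    reg_checks = ['reg query "%s"' % k[2:-1]
                  for k in script.get("Registry", []) if k.startswith("[-")]
    return {"confirmed": confirmed, "missing": missing,
            "registry_checks": reg_checks,
            "recovery_console_missing": "DOES NOT HAVE THE RECOVERY CONSOLE" in log_text}


if __name__ == "__main__":
    for key, value in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(key, "->", value)
```

For this thread's entries the only item the log does not confirm is the C:\Program Files\Web Buying folder, which was either already gone after the Add Or Remove Programs step or still needs a manual look; the four registry keys come back as reg query commands to run in a command prompt.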
__RiP_ChAiN_
2008-02-18, 07:05
Hello Russ234 :)
Please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Microsoft Windows XP Home Edition
Without Service Packs
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8FE6868-6E4F-471C-B455-BD5AFEE126D8
Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=FBE5E4FC-695F-43E5-AF05-719F45C382A4
Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464
Microsoft Windows XP Professional
Without Service Packs
http://www.microsoft.com/downloads/details.aspx?FamilyID=55820EDB-5039-4955-BCB7-4FED408EA73F
Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=83F53BE9-28FA-40E8-8EC2-631504EF5E26
Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124
## Important ##
As we do not know the name of the file that's downloaded, you have to save the file as RC.exe to the root of SystemDrive e.g. C:\RC.exe
STEP #2
Download the latest copy of ComboFix.exe => http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Open notepad and copy/paste the text in the quotebox below into it:
RecoveryConsole::
C:\RC.EXE
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\CF-RC.txt. Post that log in your next reply.
## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.
I went to the MS address you had listed, as I have Windows XP PRO SP-2, and it said to download this file. Is this correct?
Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-03-25 15:48 53248 C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 02:49 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2006-02-17 10:40 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-08 16:36 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
--a------ 2005-09-06 11:52 155648 C:\Program Files\Razer\Copperhead\razerhid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
--a------ 2002-09-23 01:08 2752822 C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
C:\Program Files\SpywareDetector\LiveUpdateSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
R0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-01-01 11:48]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-08-04 23:51]
R3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S0 MFX;MFX;C:\WINDOWS\system32\drivers\MFX.sys [2003-08-19 08:33]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ae30826-b636-11dc-a9ef-001d60a1ebe0}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:50:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-17 14:50:57
ComboFix-quarantined-files.txt 2008-02-17 22:50:43
ComboFix2.txt 2008-02-17 00:09:03
.
2007-12-30 11:05:02 --- E O F ---
__RiP_ChAiN_
2008-02-19, 10:46
I went to the MS address you had listed, as I have Windows XP PRO SP-2, and it said to download this file. Is this correct?
Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install
Yes, that is correct. ComboFix should have produced a short log from it, if done correctly. The log would be located at: C:\CF-RC.txt
I couldn't get it to make the log file CF.RC.txt, but here is the ComboFix log.
ComboFix 08-02-18.1 - Russ 2008-02-20 15:26:24.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT -8:00]
Running from: C:\Documents and Settings\Russ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Russ\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\poof
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-19 16:25 . 2008-02-20 10:00 <DIR> d-------- C:\RC.exe
2008-02-17 14:59 . 2008-02-20 09:48 2,443 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-02-17 14:58 . 2008-02-20 15:28 <DIR> d-------- C:\Program Files\SpywareDetector
2008-02-17 14:58 . 2007-03-19 12:39 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2008-02-17 14:58 . 2008-01-25 18:58 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2008-02-17 14:58 . 2008-01-30 11:03 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2008-02-17 14:58 . 2008-02-20 09:41 123 --a------ C:\WINDOWS\system\SysSD.dll
2008-02-17 14:58 . 2005-02-06 09:02 104 --a------ C:\WINDOWS\system32\ProxySettings.ini
2008-02-15 14:34 . 2008-02-15 14:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-14 16:13 . 2008-02-15 13:29 227 --a------ C:\WINDOWS\wininit.ini
2008-02-14 16:01 . 2008-02-14 16:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-14 16:01 . 2008-02-14 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-13 13:22 . 2008-02-13 13:22 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-13 13:10 . 2008-02-13 13:10 <DIR> d-------- C:\Program Files\Panicware
2008-02-12 15:06 . 2008-02-12 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vsosdk
2008-02-12 14:41 . 2008-02-12 15:12 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-02-12 14:41 . 2008-02-18 10:44 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Vso
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-12 14:41 . 2008-02-12 14:41 47,360 --a------ C:\Documents and Settings\Russ\Application Data\pcouffin.sys
2008-02-10 14:04 . 2008-02-10 14:04 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-10 14:03 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-02-10 14:03 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-02-10 14:03 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-02-10 14:03 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-02-10 14:03 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-02-08 14:09 . 2008-02-08 14:09 <DIR> d-------- C:\Webshots Data
2008-02-08 13:11 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-02-08 13:11 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-02-08 13:11 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-02-06 09:22 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-02-06 09:22 . 2002-03-04 12:27 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2008-02-06 09:22 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-02-06 09:22 . 2001-07-28 12:50 265,753 --a------ C:\WINDOWS\system32\AS-Exp2.ocx
2008-02-06 09:22 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-02-06 09:22 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-02-06 09:22 . 2001-04-20 01:28 28,672 --a------ C:\WINDOWS\system32\systray.ocx
2008-02-06 09:22 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-02-06 09:22 . 2006-05-31 15:38 10,752 --a------ C:\WINDOWS\system32\md5.dll
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-05 18:07 . 2008-02-05 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-01-31 18:32 . 2008-01-31 17:49 732,056 --a------ C:\WINDOWS\system32\Splash.bmp
2008-01-31 18:08 . 2008-01-31 18:08 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\Microsoft Games
2008-01-31 17:29 . 2008-01-31 17:29 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-31 12:40 . 2008-02-14 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 12:40 . 2008-01-31 12:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-01-31 12:40 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-31 12:40 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-31 12:40 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-31 12:40 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-31 12:40 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-31 12:40 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-31 10:35 . 2008-01-31 10:35 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-31 08:54 . 2008-01-31 08:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2008-01-31 08:53 . 2008-01-31 08:54 <DIR> d-------- C:\Documents and Settings\Russ\Application Data\PrevxCSI
2008-01-29 12:31 . 2008-01-29 12:31 84,723 --a------ C:\WINDOWS\system32\instdump.dmp
2008-01-20 10:51 . 2008-01-20 10:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 01:45 --------- d-----w C:\Program Files\Google
2008-02-14 21:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-07 18:03 --------- d-----w C:\Documents and Settings\Russ\Application Data\Lavasoft
2008-02-05 19:09 --------- d-----w C:\Documents and Settings\Russ\Application Data\U3
2008-02-03 02:36 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2008-02-01 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 03:07 --------- d-----w C:\Program Files\HP
2008-01-10 23:54 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-01-10 14:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-10 14:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 01:12 --------- d-----w C:\Program Files\CyberLink
2008-01-05 23:34 --------- d-----w C:\Documents and Settings\Russ\Application Data\Canon
2008-01-03 03:15 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ESET
2008-01-01 23:25 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2008-01-01 19:48 49,420 ----a-w C:\WINDOWS\system32\drivers\XMS1563K.SYS
2007-12-31 15:51 --------- d-----w C:\Program Files\Macromedia
2007-12-31 04:57 --------- d-----w C:\Program Files\Rebellious Antics
2007-12-31 04:39 --------- d-----w C:\Program Files\Webshots
2007-12-31 04:39 --------- d-----w C:\Documents and Settings\Russ\Application Data\Webshots
2007-12-31 03:20 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-12-31 03:18 --------- d-----w C:\Program Files\SlySoft
2007-12-31 03:13 --------- d-----w C:\Program Files\DVD Shrink
2007-12-31 03:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-31 03:09 --------- d-----w C:\Program Files\Ahead
2007-12-30 22:29 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-12-30 22:28 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-12-30 22:22 --------- d-----w C:\Program Files\Canon
2007-12-30 22:20 --------- d-----w C:\Program Files\ScanSoft
2007-12-30 22:20 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-30 22:20 --------- d-----w C:\Documents and Settings\Russ\Application Data\ScanSoft
2007-12-30 22:20 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanWizard
2007-12-30 22:20 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanAppDataDir
2007-12-30 20:38 --------- d-----w C:\Program Files\Neato
2007-12-30 20:38 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Fellowes
2007-12-30 17:40 --------- d-----w C:\Documents and Settings\Russ\Application Data\InstallShield Installation Information
2007-12-30 17:30 --------- d-----w C:\Program Files\Unreal Tournament 3
2007-12-30 17:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 17:30 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-30 17:06 --------- d-----w C:\Program Files\Razer
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-30 06:21 --------- d-----w C:\Program Files\Common Files\HP
2007-12-30 06:21 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-12-30 06:21 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-12-30 06:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-30 06:08 --------- d-----w C:\Documents and Settings\Russ\Application Data\HP
2007-12-30 02:43 --------- d-----w C:\Program Files\Siber Systems
2007-12-30 02:39 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\RoboForm
2007-12-29 18:13 --------- d-----w C:\Program Files\Creative
2007-12-29 17:52 --------- d-----w C:\Program Files\Microsoft Works
2007-12-29 16:32 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-12-29 16:16 558,142 ----a-w C:\WINDOWS\java\Packages\MH71JBNB.ZIP
2007-12-29 16:16 155,995 ----a-w C:\WINDOWS\java\Packages\5R3TJDNR.ZIP
2007-12-29 16:16 --------- d-----w C:\Program Files\microsoft frontpage
2005-05-12 07:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 16:36 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 16:36 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 02:58 3429904]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2005-09-26 16:34 169984]
C:\Documents and Settings\Russ\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-30 20:39:33 157008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-01-28 11:30 167936 C:\Program Files\SpywareDetector\SDNotify.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Russ\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2007-12-14 14:33 1637312 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-08-13 01:00 40960 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2002-09-02 18:55 24576 C:\WINDOWS\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-09-11 11:04 53248 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET Smart Security\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-03-25 15:48 53248 C:\Program Files\Neato\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 02:49 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2006-02-17 10:40 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-08 16:36 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
--a------ 2005-09-06 11:52 155648 C:\Program Files\Razer\Copperhead\razerhid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
--a------ 2002-09-23 01:08 2752822 C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\Audigy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
--a------ 2008-02-01 18:31 423376 C:\Program Files\SpywareDetector\LiveUpdateSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
C:\Program Files\SpyNoMore\SNM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
--a------ 2008-01-28 12:48 706000 C:\Program Files\SpywareDetector\SDSystemTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
R0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-01-01 11:48]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-08-04 23:51]
R3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S0 MFX;MFX;C:\WINDOWS\system32\drivers\MFX.sys [2003-08-19 08:33]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ae30826-b636-11dc-a9ef-001d60a1ebe0}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:28:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\imapi.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:31:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 23:31:30
ComboFix2.txt 2008-02-20 18:09:09
ComboFix3.txt 2008-02-20 17:55:10
ComboFix4.txt 2008-02-20 16:56:08
ComboFix5.txt 2008-02-17 22:50:57
.
2007-12-30 11:05:02 --- E O F ---
__RiP_ChAiN_
2008-02-20, 23:15
Hello Russ234 :)
Let's try running through it one more time, real quick :)
Download the latest copy of ComboFix.exe => http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
RecoveryConsole::
C:\RC.EXE
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\CF-RC.txt. Post that log in your next reply.
## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.
I copy the KillAll::
RecoveryConsole::
C:\RC.EXE into Notepad, save it as CFScript.txt, then drag that into ComboFix on my desktop, then click RUN. ComboFix starts and begins to scan the system, then it reboots, and there is no txt file in C:\
I would like to thank you for the help in the past. I am going to format my hard drive.
__RiP_ChAiN_
2008-02-22, 21:42
Hello Russ234 :)
Are you sure you want to go down that route? I'm fairly sure we can still clean out your computer from the malware infestations. If you do decide to continue cleaning your PC here, please follow this next set of instructions.
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan. Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.