No internet no antivirus ...
sagittorius
2008-04-26, 17:53
Hi
I'll begin with the problems: I got infected with malware after I downloaded and ran an infected file from p2p, and my antivirus doesn't recognize it.
My OS is Windows Vista Home Premium without SP1.
I have 3 problems:
1. I lost my internet connection because the Win32 service that provides it can't be started.
2. I can't use or install antivirus programs (Norton, AVG, ...) or Spybot S&D; instead I get a message saying that the programs are not Win32 applications.
3. A huge, permanent increase in resource usage (70%-80%).
What did I do?
Unfortunately I read some guides about similar problems before I found this forum and tried to fix the problem by myself; then I realized I am so lucky that my PC is still running!! So I will try to summarize what I did and what I solved.
First I tried to run "SuperAntiSpyware" and then "Spybot S&D"; they installed but didn't work. Then I successfully ran "Malwarebytes Anti-Malware", which detected 29 pieces of malware, which were removed (I have a log of that).
After that the problem with resource usage was solved, but the other problems remained.
Then I used "SuperAntiSpyware" because it works now, but it doesn't find anything.
Then I tried "combofix" (didn't work) and "MGtools" and generated "MGlogs.zip".
Then I used "Deckard's System Scanner" and generated "main.txt and extra.txt", and after that I ran "Icesword" but I didn't get any red entries except one in the SSDT tab with KModule name "Unknown".
Next I used "Icesword" and deleted these files:
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\downld << folder
The next 2 files were deleted before by "Malwarebytes Anti-Malware":
C:\WINDOWS\system32\drivers\hldrrr.exe
c:\windows\system32\drivers\srosa.sys
and these registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit
C:\WINDOWS\system32\drivers\hldrrr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
And finally, when none of that worked, I found a new version of "combofix", used it and saved the log file, but nothing helped.
So you are my last chance, and I hope you don't kick me out of this forum after this post :red:
thanks
Rorschach112
2008-04-26, 19:42
Hello
Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
sagittorius
2008-04-26, 20:57
ComboFix 08-04-24.1 - R 2008-04-26 19:37:54.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1256.963.1033.18.1261 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:48 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:49 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-26 03:49 --------- d-----w C:\ProgramData\FLEXnet
2008-04-26 03:49 --------- d-----w C:\Program Files\My Ebook Library
2008-04-26 03:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-26 03:49 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-26 03:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 19:52 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 09:49 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-10 09:48 --------- d-----w C:\Program Files\AVerMedia
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2008-03-19 11:27 --------- d-----w C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2008-03-17 11:37 --------- d-----w C:\Program Files\SWiSH v2.0
2008-03-16 16:11 --------- d-----w C:\Program Files\IMDBScanner
2008-03-15 10:07 --------- d-----w C:\Users\R\AppData\Roaming\Skype
2008-03-14 15:24 --------- d-----w C:\Program Files\Shareaza
2008-03-14 14:51 --------- d-----w C:\Program Files\Ares
2008-03-13 11:30 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-13 11:30 --------- d-----w C:\Program Files\AutoCAD Architecture 2008
2008-03-13 11:07 --------- d-----w C:\Program Files\Autodesk
2008-03-12 20:44 --------- d-----w C:\Users\R\AppData\Roaming\Media Player Classic
2008-03-12 20:32 --------- d-----w C:\Program Files\Gabest
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-04-26_15.14.22.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 13:02:43 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-26 17:31:20 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-26 12:56:45 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-04-26 17:02:09 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-26 13:02:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-26 17:31:24 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-26 13:02:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-26 17:31:24 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-26 13:03:17 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-26 17:33:26 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-26 13:04:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-26 17:33:31 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-26 17:33:31 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-26 12:50:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-26 17:33:32 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-26 12:50:48 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-26 17:33:32 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-26 12:50:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-26 17:33:32 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-26 07:03:04 122,410 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-26 15:23:25 122,410 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-26 07:03:04 659,754 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-26 15:23:25 659,754 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-26 13:05:08 12,934 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-04-26 17:33:38 13,114 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-26 13:05:07 110,408 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-26 17:33:38 110,652 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-26 12:45:29 69,828 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-26 17:33:35 69,932 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [2004-09-23 07:01 638976 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-26 08:08 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-26 08:08 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000004
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 09:15]
S3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00970afc-c98f-11dc-8650-c7323db7e0c8}]
\shell\AutoRun\command - D:\OpenType_Tour\win\files\OpenType_Tour.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20d17762-5e4b-11dc-9213-0016d4fad5f8}]
\shell\AutoRun\command - G:\Launcher.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-26 17:45:04 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 19:41:04
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************************************************************
.
Completion time: 2008-04-26 19:45:38
ComboFix-quarantined-files.txt 2008-04-26 17:45:07
ComboFix2.txt 2008-04-26 13:15:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
279 --- E O F --- 2008-04-24 16:46:15
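The "Reg Loading Points" section of the ComboFix log above is what a helper reads for persistence entries and disabled defences (the OP's earlier cleanup of the HKCU Run and srosa service entries targeted the same locations). As an added example, not part of the thread and not ComboFix's own code, this Python script parses a REGEDIT4-style excerpt constructed from lines quoted in that log and flags the entries a reviewer would question: Run values with no path or a file ComboFix could not find, a Group Policy Run key, an executable sitting directly under Common Files, and UAC, Security Center and firewall settings turned off. The heuristics and the `Finding` type are this example's own.

```python
"""Triage a ComboFix 'Reg Loading Points' excerpt (REGEDIT4 style).

Added example, not part of the forum thread or of ComboFix itself.
SAMPLE is constructed from lines quoted in the thread's ComboFix log.
"""
import re
from dataclasses import dataclass

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
'''


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    reason: str


KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix appends "[date time size [resolved path]]" to Run entries; "[]" means not found
META_RE = re.compile(r'\[(?P<meta>[^\]]*)\]\s*$')


def parse(text):
    """Yield (key, name, data) triples from a REGEDIT4-style excerpt."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group('name'), m.group('data')


def as_int(data):
    """Turn '0 (0x0)' or 'dword:00000001' into an int, else None."""
    m = re.match(r'^dword:([0-9a-fA-F]+)$', data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(\d+)\b', data)
    return int(m.group(1)) if m else None


def split_command(data):
    """Return (command, meta): the launched command and ComboFix's trailing [..] text."""
    meta = None
    m = META_RE.search(data)
    if m:
        meta = m.group('meta').strip()
        data = data[:m.start()].strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        command = data[1:end] if end > 0 else data[1:]
    else:
        parts = data.split()
        command = parts[0] if parts else ''
    return command, meta


def triage(text):
    """Apply the reviewer heuristics (this example's own) and return the findings in log order."""
    findings = []
    for key, name, data in parse(text):
        k, n = key.lower(), name.lower()
        if k.endswith('\\run'):
            cmd, meta = split_command(data)
            if 'policies\\explorer\\run' in k:
                findings.append(Finding(key, name, 'Group Policy Run key; rarely used by ordinary software'))
            if meta == '':
                findings.append(Finding(key, name, 'ComboFix could not locate the file on disk'))
            elif '\\' not in cmd and not (meta and '\\' in meta):
                findings.append(Finding(key, name, 'bare file name, resolved via the search path at logon'))
            elif re.search(r'\\common files\\[^\\]+\.exe$', cmd, re.I):
                findings.append(Finding(key, name, 'executable directly under Common Files, no vendor folder'))
        elif n == 'enablelua' and as_int(data) == 0:
            findings.append(Finding(key, name, 'UAC disabled'))
        elif n == 'enablefirewall' and as_int(data) == 0:
            findings.append(Finding(key, name, 'Windows Firewall disabled for this profile'))
        elif 'security center' in k and n == 'disablemonitoring' and as_int(data) == 1:
            findings.append(Finding(key, name, 'Security Center monitoring disabled'))
        elif 'security center' in k and n.endswith('disablenotify') and as_int(data) == 1:
            findings.append(Finding(key, name, 'Security Center warning suppressed'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f'{f.reason}: "{f.name}" under [{f.key}]')
```

Entries with a full path that ComboFix resolved (Windows Defender, RtHDVCpl) produce no finding; the script is a first pass for a reviewer, not a verdict.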
sagittorius
2008-04-26, 20:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:59, on 26. 4. 2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\mdn2.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Export to Microsoft Excel (Arabic label, mis-encoded in the log) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote (Arabic label, mis-encoded in the log) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Send to OneNote (Arabic label, mis-encoded in the log) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\1\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CardBusService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - E:\2\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 13328 bytes
Rorschach112
2008-04-27, 15:07
Hello
Open notepad, click Format, uncheck wordwrap
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
G:\Launcher.exe
Folder::
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00970afc-c98f-11dc-8650-c7323db7e0c8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20d17762-5e4b-11dc-9213-0016d4fad5f8}]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Also post a new HijackThis log
sagittorius
2008-04-27, 23:26
ComboFix 08-04-24.1 - R 2008-04-27 22:10:30.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1278 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point
FILE ::
G:\Launcher.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 11:51 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:48 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:49 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-26 03:49 --------- d-----w C:\ProgramData\FLEXnet
2008-04-26 03:49 --------- d-----w C:\Program Files\My Ebook Library
2008-04-26 03:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-26 03:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 19:52 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 09:49 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-10 09:48 --------- d-----w C:\Program Files\AVerMedia
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2008-03-19 11:27 --------- d-----w C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2008-03-17 11:37 --------- d-----w C:\Program Files\SWiSH v2.0
2008-03-16 16:11 --------- d-----w C:\Program Files\IMDBScanner
2008-03-15 10:07 --------- d-----w C:\Users\R\AppData\Roaming\Skype
2008-03-14 15:24 --------- d-----w C:\Program Files\Shareaza
2008-03-14 14:51 --------- d-----w C:\Program Files\Ares
2008-03-13 11:30 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-13 11:30 --------- d-----w C:\Program Files\AutoCAD Architecture 2008
2008-03-13 11:07 --------- d-----w C:\Program Files\Autodesk
2008-03-12 20:44 --------- d-----w C:\Users\R\AppData\Roaming\Media Player Classic
2008-03-12 20:32 --------- d-----w C:\Program Files\Gabest
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
------- Sigcheck -------
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-26_15.14.22.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 13:02:43 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-27 20:02:58 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-26 12:56:45 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-04-27 20:01:43 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-26 13:02:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-26 13:02:48 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-26 13:03:17 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-27 20:04:47 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-26 13:04:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 20:04:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-26 12:50:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-26 12:50:48 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-27 20:05:14 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-26 12:50:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-26 07:03:04 122,410 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-26 15:23:25 122,410 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-26 07:03:04 659,754 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-26 15:23:25 659,754 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-26 13:05:08 12,934 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-04-27 20:05:10 13,262 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-26 13:05:07 110,408 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 20:05:09 111,066 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-22 04:00:26 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-04-27 20:01:41 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-26 12:45:29 69,828 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 20:05:07 70,092 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-26 08:08 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-26 08:08 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000004
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 09:15]
S3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-27 20:15:25 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 22:14:34
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************************************************************
.
Completion time: 2008-04-27 22:18:33
ComboFix-quarantined-files.txt 2008-04-27 20:18:20
ComboFix2.txt 2008-04-26 17:45:39
ComboFix3.txt 2008-04-26 13:15:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
289 --- E O F --- 2008-04-24 16:46:15
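A small triage helper for logs of this shape, added here as an example; it is not part of the thread and not code from ComboFix or HijackThis. It walks the "Reg Loading Points" lines ComboFix prints and HijackThis O4 lines, and flags the weak-configuration and persistence indicators that are visible in the log above: EnableLUA=0 (UAC off), EnableFirewall=0 per firewall profile, Security Center DisableMonitoring=1, a Run value living under the Policies\Explorer\Run key (the WinPrint.exe entry the CFScript removes), and Run entries whose executable sits directly in the Common Files root rather than a vendor folder (the Mdn2.exe entry). The sample log text is constructed and abbreviated from the thread, and the heuristics are assumptions for illustration, not a verdict on any particular file.

```python
"""Triage ComboFix 'Reg Loading Points' and HijackThis O4 lines for weak
configuration and unusual persistence. Added example, not part of the thread
or of either tool; the checks below are heuristics chosen for this example."""
import re
from dataclasses import dataclass

# [Key] header as ComboFix prints it (a leading '-' is CFScript delete syntax).
KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]\s*$")
# "Name"=data  (data is "path" [stamp], '0 (0x0)' or 'dword:00000001')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# HijackThis O4 line: O4 - HKCU\..\Policies\Explorer\Run: [Name] command
HJT_O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str
    key: str
    name: str
    detail: str


def _numeric(data):
    """Integer value of '0 (0x0)' or 'dword:00000001' style data, else None."""
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)", data)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    return None


def _target(data):
    """Launch target of a Run value: the quoted path before the [stamp]."""
    m = re.match(r'^"(?P<path>[^"]*)"', data)
    return m.group("path") if m else None


def _check(key, name, data):
    """Apply the heuristics to one (key, value name, data) triple."""
    k, n = key.lower(), name.lower()
    value = _numeric(data)
    if k.endswith(r"policies\system") and n == "enablelua" and value == 0:
        return [Finding("HIGH", key, name, "UAC (EnableLUA) switched off")]
    if "firewallpolicy\\" in k and n == "enablefirewall" and value == 0:
        profile = key.rsplit("\\", 1)[-1]
        return [Finding("HIGH", key, name, f"Windows Firewall disabled for {profile}")]
    if r"\security center" in k and n == "disablemonitoring" and value == 1:
        return [Finding("MEDIUM", key, name, "Security Center monitoring suppressed")]
    if k.endswith(r"policies\explorer\run"):
        # Legitimate software almost never registers autostarts here.
        return [Finding("HIGH", key, name, f"Run entry under Policies key: {_target(data)}")]
    if k.endswith("\\run"):
        target = _target(data) or ""
        if "\\" not in target:
            # Bare filename: resolved through the PATH search order at logon.
            return [Finding("MEDIUM", key, name, f"bare filename resolved via PATH: {target}")]
        parent = target.rsplit("\\", 1)[0].lower()
        if parent == r"c:\program files\common files":
            # Vendors use a subfolder; an .exe in the root is worth a look.
            return [Finding("MEDIUM", key, name, f"executable in Common Files root: {target}")]
    return []


def triage(log_text):
    """Walk the log line by line and return findings in input order."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_O4_RE.match(line)
        if m:  # HijackThis line: synthesise a key so the same checks apply
            key = f"{m.group('hive')}\\{m.group('key')}"
            findings.extend(_check(key, m.group("name"), f'"{m.group("cmd")}"'))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            findings.extend(_check(current_key, m.group("name"), m.group("data")))
    return findings


# Constructed sample, abbreviated from the thread's ComboFix and HijackThis logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-26 08:08 115816]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 1 (0x1)
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.name!r:28} {f.detail}")
```

Run it against a saved ComboFix.txt or hijackthis.log by passing the file contents to triage(); the ccApp and QuickTime entries in the sample pass untouched, so the output is only the five lines a helper would actually want to read before writing a CFScript.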
sagittorius
2008-04-27, 23:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:26, on 27. 4. 2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\mdn2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: ت&صدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: ???C? ??? OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: ??&?C? ??? OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\1\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CardBusService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - E:\2\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 13309 bytes
Rorschach112
2008-04-28, 03:03
Are you still losing your internet connection?
Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Download NIAP (http://niapsoft.com/blog/uploads/2008/04/niap-05.zip) to your desktop and unzip it to its own folder
Close all windows and run NIAP_XRay_FileMgr
Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file and System Critical Files and click OK. Save the log to your desktop and let the program run.
Exit out of NIAP_XRay_FileMgr
Next run NIAP_XRay_Regedit
Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
Exit out of NIAP_XRay_Regedit
Finally run NIAP_XRay_System
Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run. Once it is done close the program and post the log back here along with the other two logs.
sagittorius
2008-04-28, 11:49
Hi, and thanks for your willingness to help.
- Today I bought a cable and tried to connect to the Internet through my LAN adapter, and that works fine, but my wifi connection still doesn't work. When I try to start the service "WLAN auto config" manually, I get this message:
Error 1068: The dependency service or group failed to start.
However, I checked the dependencies and everything is OK.
- I still can't run antivirus programs, and every time I start the OS I get a message telling me that Windows Defender can't be started:
Application failed to initialize: 0x800106b. A problem caused this program's service to stop.
I created the 3 logs you asked for, but when I created the last one, "NIAP_XRay_System.log", my Vista crashed... I saw a blue screen, "dumping physical memory", and then a restart. I tried again and Windows crashed again, and I got this when Vista started after the crash:
Info after the Vista crash:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1051
Additional information about the problem:
BCCode: 50
BCP1: FFFEFE24
BCP2: 00000000
BCP3: A707D894
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini042808-02.dmp
C:\Users\R\AppData\Local\Temp\WER-56019-0.sysdata.xml
C:\Users\R\AppData\Local\Temp\WER5994.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
sagittorius
2008-04-28, 11:52
# NIAP_XRay_FileMgr.exe 0.0.0.4
# 2008-04-28 10:00:40
# ------------------------------------------------------------------------
# Scan Autorun.inf in: G:\
# Scan Autorun.inf in: F:\
# Scan Autorun.inf in: E:\
# Not Found.
# Scan Autorun.inf in: C:\
# Not Found.
# Verify System Critical File
C:\Windows\explorer.exe;OK
C:\Windows\system32\win32k.sys;OK
C:\Windows\system32\watchdog.sys;Not found.
C:\Windows\system32\hal.dll;OK
C:\Windows\system32\ntkrnlpa.exe;OK
C:\Windows\system32\ntoskrnl.exe;OK
C:\Windows\system32\smss.exe;OK
C:\Windows\system32\csrss.exe;OK
C:\Windows\system32\winlogon.exe;OK
C:\Windows\system32\lsass.exe;OK
C:\Windows\system32\services.exe;OK
C:\Windows\system32\svchost.exe;OK
C:\Windows\system32\userinit.exe;OK
C:\Windows\system32\drivers\acpi.sys;OK
C:\Windows\system32\drivers\atapi.sys;OK
C:\Windows\system32\drivers\beep.sys;OK
C:\Windows\system32\drivers\cdfs.sys;OK
C:\Windows\system32\drivers\cdrom.sys;OK
C:\Windows\system32\drivers\disk.sys;OK
C:\Windows\system32\drivers\fastfat.sys;OK
C:\Windows\system32\drivers\fs_rec.sys;OK
C:\Windows\system32\drivers\ftdisk.sys;Not found.
C:\Windows\system32\drivers\i8042prt.sys;OK
C:\Windows\system32\drivers\kbdclass.sys;OK
C:\Windows\system32\drivers\mouclass.sys;OK
C:\Windows\system32\drivers\ndis.sys;OK
C:\Windows\system32\drivers\ntfs.sys;OK
C:\Windows\system32\drivers\null.sys;OK
C:\Windows\system32\drivers\partmgr.sys;OK
C:\Windows\system32\drivers\pci.sys;OK
C:\Windows\system32\drivers\pciidex.sys;OK
C:\Windows\system32\drivers\redbook.sys;Not found.
C:\Windows\system32\drivers\scsiport.sys;OK
C:\Windows\system32\drivers\sr.sys;Not found.
C:\Windows\system32\drivers\termdd.sys;OK
C:\Windows\system32\drivers\usbhub.sys;OK
C:\Windows\system32\drivers\usbport.sys;OK
C:\Windows\system32\drivers\volsnap.sys;OK
C:\Windows\system32\drivers\tcpip.sys;This file's Signatures is not right.
C:\Windows\system32\drivers\tdi.sys;OK
sagittorius
2008-04-28, 11:53
Report:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:Windows Defender , Path:%ProgramFiles%\Windows Defender\MSASCui.exe -hide
Name:RtHDVCpl , Path:RtHDVCpl.exe
Name:TPwrMain , Path:%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
Name:HSON , Path:%ProgramFiles%\TOSHIBA\TBS\HSON.exe
Name:SmoothView , Path:%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
Name:00TCrdMain , Path:%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
Name:KeNotify , Path:C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
Name:HWSetup , Path:C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
Name:SVPWUTIL , Path:C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
Name:NDSTray.exe , Path:NDSTray.exe
Name:ccApp , Path:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Name:osCheck , Path:"C:\Program Files\Norton Internet Security\osCheck.exe"
Name:NvSvc , Path:RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
Name:NvCplDaemon , Path:RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Name:NvMediaCenter , Path:RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
Name:SynTPEnh , Path:C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Name:SynTPStart , Path:C:\Program Files\Synaptics\SynTP\SynTPStart.exe
Name:Wah , Path:C:\Program Files\Common Files\Mdn2.exe
Name:Acrobat Assistant 8.0 , Path:"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
Name:Symantec PIF AlertEng , Path:"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
Name:IgfxTray , Path:C:\Windows\system32\igfxtray.exe
Name:HotKeysCmds , Path:C:\Windows\system32\hkcmd.exe
Name:Persistence , Path:C:\Windows\system32\igfxpers.exe
Name:QuickTime Task , Path:"C:\Program Files\QuickTime\QTTask.exe" -atboottime
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:TOSCDSPD , Path:TOSCDSPD.EXE
Name:ehTray.exe , Path:C:\Windows\ehome\ehTray.exe
Name:msnmsgr , Path:"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
Name:WMPNSCFG , Path:C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\:
HKCC\Software\Microsoft\Windows NT\CurrentVersion\Windows\[Load]:
Value: None
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Userinit]:
Value: C:\Windows\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Shell]:
Value: Explorer.exe
HKLM\SYSTEM\ControlSet001\Control\Session Manager\[BootExecute]:
Value: autocheck autochk *
BHO Items List:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
InprocServer32:None
ThreadingModel:None
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}
InprocServer32:C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
ThreadingModel:Apartment
ProgID:NppBHO.NppBHOObj.1
Programmable:
TypeLib:{954138ED-7951-433C-BAF9-AF1DAD0F4261}
VersionIndependentProgID:NppBHO.NppBHOObj
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}
InprocServer32:C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
ThreadingModel:Apartment
ProgID:ToolBand.SkypeIEHelper.1
Programmable:
TypeLib:{937936AF-28CA-4973-B8AE-F250406149A2}
VersionIndependentProgID:ToolBand.SkypeIEHelper
{3049C3E9-B461-4BC5-8870-4C09146192CA}
InprocServer32:C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
ThreadingModel:apartment
ProgID:rpbrowserrecordplugin.CRPRecordBrowse.1
Programmable:None
TypeLib:{333A04DC-E916-463C-9658-00CAF7A01728}
VersionIndependentProgID:rpbrowserrecordplugin.CRPRecordBrowserH
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
InprocServer32:C:\Program Files\AVG\AVG8\avgssie.dll
ThreadingModel:apartment
ProgID:LinkScannerIE.NavFilter.1
Programmable:None
TypeLib:{5DAB1D4C-D020-41CD-936F-D63FF662E9F7}
VersionIndependentProgID:LinkScannerIE.NavFilter
{53707962-6F74-2D53-2644-206D7942484F}
InprocServer32:E:\2\SDHelper.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
InprocServer32:C:\Program Files\Java\jre1.6.0\bin\ssv.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{9030D464-4C02-4ABF-8ECC-5164760863C6}
InprocServer32:C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
ThreadingModel:Apartment
ProgID:IDBHO.IDBrowserExtension.1
Programmable:None
TypeLib:{FD609BF1-0E01-403F-8F20-EA238F5CDCC3}
VersionIndependentProgID:IDBHO.IDBrowserExtension
{AE7CD045-E861-484f-8273-0445EE161910}
InprocServer32:None
ThreadingModel:None
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
File Links List:
.txt: no this file type
.exe: "%1" %*
.com: "%1" %*
.pif: "%1" %*
.bat: "%1" %*
.reg: regedit.exe "%1"
.chm: None
.hlp: %SystemRoot%\winhlp32.exe %1
.ini: %SystemRoot%\system32\NOTEPAD.EXE %1
.inf: %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs: "%SystemRoot%\System32\WScript.exe" "%1" %*
.js: no this file type
.lnk: CLSID: {00021401-0000-0000-C000-000000000046} shell32.dll
Image File Execution Options:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\[AppInit_DLLs]:
Value:
ShellExecuteHooks:
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} : SABShellExecuteHook Class
InProcServer32:E:\1\SASSEH.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\[Debugger]:
Value: "C:\Windows\system32\vsjitdebugger.exe" -p %ld -e %ld
Kernel Drivers:
blbdrive
DisplayName:None
Description:None
ImagePath:\SystemRoot\system32\drivers\blbdrive.sys [File not found]
ObjectName:None
Start:SERVICE_DISABLED(4)
Type:SERVICE_KERNEL_DRIVER(1)
BlueletAudio
DisplayName:Bluetooth Audio Service
Description:None
ImagePath:system32\DRIVERS\blueletaudio.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BlueletSCOAudio
DisplayName:Bluetooth SCO Audio Service
Description:None
ImagePath:system32\DRIVERS\BlueletSCOAudio.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BT
DisplayName:Bluetooth PAN Network Adapter
Description:None
ImagePath:system32\DRIVERS\btnetdrv.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BTHidEnum
DisplayName:Bluetooth HID Enumerator
Description:None
ImagePath:System32\Drivers\vbtenum.sys [File not found]
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
BTHidMgr
DisplayName:Bluetooth HID Manager Service
Description:None
ImagePath:System32\Drivers\BTHidMgr.sys [File not found]
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
catchme
DisplayName:None
Description:None
ImagePath:\??\C:\Combo-Fix\catchme.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
gmer
DisplayName:None
Description:None
ImagePath:System32\DRIVERS\gmer.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
IpInIp
DisplayName:IP in IP Tunnel Driver
Description:IP in IP Tunnel Driver
ImagePath:system32\DRIVERS\ipinip.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NetworkX
DisplayName:NetworkX
Description:None
ImagePath:\SystemRoot\system32\ckldrv.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
NIAPSafe
DisplayName:NIAPSafe
Description:None
ImagePath:\??\C:\Users\R\Desktop\NIAP 0.5\NIAPMirrorSystem.sys
ObjectName:None
Start:SERVICE_DISABLED(4)
Type:SERVICE_KERNEL_DRIVER(1)
NwlnkFlt
DisplayName:IPX Traffic Filter Driver
Description:IPX Traffic Filter Driver
ImagePath:system32\DRIVERS\nwlnkflt.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NwlnkFwd
DisplayName:IPX Traffic Forwarder Driver
Description:IPX Traffic Forwarder Driver
ImagePath:system32\DRIVERS\nwlnkfwd.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
SASENUM
DisplayName:SASENUM
Description:None
ImagePath:\??\E:\1\SASENUM.SYS
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
SASKUTIL
DisplayName:SASKUTIL
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [File not found]
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
sptd
DisplayName:None
Description:None
ImagePath:System32\Drivers\sptd.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
tap0801
DisplayName:TAP-Win32 Adapter V8
Description:None
ImagePath:system32\DRIVERS\tap0801.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Tcpip
DisplayName:@%SystemRoot%\system32\tcpipcfg.dll,-50003
Description:@%SystemRoot%\system32\tcpipcfg.dll,-50003
ImagePath:System32\drivers\tcpip.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
Tcpip6
DisplayName:Microsoft IPv6 Protocol Driver
Description:Microsoft IPv6 Protocol Driver
ImagePath:system32\DRIVERS\tcpip.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
TpChoice
DisplayName:Touch Pad Detection Filter driver
Description:None
ImagePath:system32\DRIVERS\TpChoice.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
VComm
DisplayName:Virtual Serial port driver
Description:None
ImagePath:system32\DRIVERS\VComm.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
VcommMgr
DisplayName:Bluetooth VComm Manager Service
Description:None
ImagePath:System32\Drivers\VcommMgr.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
VPCAppSv
DisplayName:Virtual PC Application Services
Description:Provides application services for Virtual PC.
ImagePath:system32\DRIVERS\VPCAppSv.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
VPCNetS2
DisplayName:Virtual PC Emulated Ethernet Switch Driver
Description:None
ImagePath:system32\DRIVERS\VPCNetS2.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Services:
Adobe LM Service
DisplayName:Adobe LM Service
Description:Adobe LM Service
ImagePath:"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
AppMgmt
DisplayName:None
Description:None
ImagePath:%SystemRoot%\system32\svchost.exe -k netsvcs
ServiceDll:%SystemRoot%\System32\appmgmts.dll [File not found]
ObjectName:None
Start:None
Type:None
AresChatServer
DisplayName:Ares Chatroom server
Description:Hosts your chatroom on the Ares network.
ImagePath:C:\Program Files\Ares\chatServer.exe
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:None
CardBusService
DisplayName:CardBusService
Description:Latency Timer Service
ImagePath:C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
CFSvcs
DisplayName:ConfigFree Service
Description:None
ImagePath:C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
Crypkey License
DisplayName:Crypkey License
Description:None
ImagePath:crypserv.exe [File not found]
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
FLEXnet Licensing Service
DisplayName:FLEXnet Licensing Service
Description:This service performs licensing functions on behalf of FLEXnet enabled products.
ImagePath:"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
ISPwdSvc
DisplayName:Symantec IS Password Validation
Description:User account management service
ImagePath:"C:\Program Files\Norton Internet Security\isPwdSvc.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
LiveUpdate
DisplayName:LiveUpdate
Description:LiveUpdate Core Engine
ImagePath:"C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
Symantec Core LC
DisplayName:Symantec Core LC
Description:Symantec Core LC
ImagePath:"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
TODDSrv
DisplayName:TOSHIBA Optical Disc Drive Service
Description:None
ImagePath:C:\Windows\system32\TODDSrv.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
TOSHIBA Bluetooth Service
DisplayName:TOSHIBA Bluetooth Service
Description:None
ImagePath:c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
UleadBurningHelper
DisplayName:Ulead Burning Helper
Description:None
ImagePath:C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
WinHttpAutoProxySvc
DisplayName:@%SystemRoot%\system32\winhttp.dll,-100
Description:@%SystemRoot%\system32\winhttp.dll,-101
ImagePath:%SystemRoot%\system32\svchost.exe -k LocalService
ServiceDll:winhttp.dll [File not found]
ObjectName:NT AUTHORITY\LocalService
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_SHARE_PROCESS(32)
WLSetupSvc
DisplayName:Windows Live Setup Service
Description:Windows Live Setup Service
ImagePath:"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
sagittorius
2008-04-28, 11:55
NIAP_XRay_System Version 0.0.0.5 System log
Process:
PID | EPROCESS | Process Name | Module Path
00000004 84032940 System
00000230 868CBD90 smss.exe \SystemRoot\System32\smss.exe
00000294 87D82590 csrss.exe C:\Windows\system32\csrss.exe
000002BC 87CF3568 wininit.exe C:\Windows\system32\wininit.exe
000002C8 8643EC58 csrss.exe C:\Windows\system32\csrss.exe
000002E8 87D4BD90 services.exe C:\Windows\system32\services.exe
00000300 87D14AB8 lsass.exe C:\Windows\system32\lsass.exe
0000030C 87D0C450 lsm.exe C:\Windows\system32\lsm.exe
00000354 87E5AAD8 winlogon.exe C:\Windows\system32\winlogon.exe
000003C8 87ED6D90 svchost.exe C:\Windows\system32\svchost.exe
000003F0 87EEE020 PresentationFon C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
Kernel Module:
Rorschach112
2008-04-28, 15:04
Hello
Seems like we have removed the infection, but it has done its damage. Let's see if we can fix it.
Please download LSPFix from here (http://www.cexx.org/LSPFix.exe).
Run the LSPFix.exe that you have just finished downloading.
Check the I know what I'm doing box.
When you are done click Finish>>.
Go ahead and delete NIAP, reboot and do this
Please download and unzip IceSword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip) to its own folder on your desktop.
If you get a lot of "red entries" in an IceSword log, don't panic.
Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.
Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.
Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.
Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.
Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.
Now post all of the data collected under the headings for :
Processes
Win32 Services
Startup
SSDT
Message Hooks
sagittorius
2008-04-28, 17:12
Hi
LSP-Fix says that everything is OK and no problems were found.
IceSword:
Process: (nothing is red)
Started Service: (nothing is red)
Startup: (nothing is red)
SSDT
one entry is red with KModule name "Unknown"
Message Hooks
one entry with type "WH_KEYBOARD_LL" and with pathname:
C:\Program Files\TOSHIBA\Utilities\keNotify.exe
Rorschach112
2008-04-29, 00:02
Perfect, the rootkit seems to be gone.
Let's see if we can fix your other problems.
Follow the steps here for repairing your net connection
http://www.cit.cornell.edu/security/spyware/WinFix/
Let me know how that goes and list any other problems you have
sagittorius
2008-04-29, 20:59
Hi
I can't fix my wifi connection with that manual because the tools are not compatible with Windows Vista.
Also I can't run Norton Internet Security or Windows Defender, and I can't install AVG.
thanks
Rorschach112
2008-04-29, 21:06
Hello
Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.
@echo off
dir "C:\WINDOWS\system32\drivers">C:\peek.txt
start C:\peek.txt
del peek.bat
Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in peek.bat
In the Save as type drop down box select All Files
Close Notepad.
Now, find peek.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.
Attach this report
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Don't attach the DSS logs
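The peek.bat above produces a plain `dir` listing of system32\drivers that the helper then reads by eye for files changed around the time of the infection. The script below is an added example (not part of this thread or of any tool named in it) that does that triage automatically: it parses a listing in the same day-first layout as the one posted, tolerates a mis-encoded thousands separator in the size column, and flags driver files dated on or after the infection date from the opening post. The sample listing and the "newdrv.sys" entry in it are constructed for the demo.

```python
"""Triage a Windows `dir` listing of system32\\drivers for recently changed files.

The forum helper's peek.bat dumps `dir "C:\\WINDOWS\\system32\\drivers"` to
peek.txt; this script reads such a listing and reports driver files whose
timestamp is on or after a cutoff date (here the date of the infection).
"""
import re
from datetime import date, datetime

# Matches the day-first format used in the posted listing, e.g.
# "02. 11. 2006 10:55    53,376 1394bus.sys". The size column may carry a
# locale thousands separator (which can arrive mis-encoded), so every
# non-digit character inside it is ignored.
DIR_LINE = re.compile(
    r"^\s*(\d{2})\.\s*(\d{2})\.\s*(\d{4})\s+(\d{2}):(\d{2})\s+(<DIR>|\S+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return [(name, timestamp, size)] for each file in a `dir` listing.

    Volume headers, "Directory of" lines, totals and sub-directories are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        day, month, year, hour, minute, size_field, name = m.groups()
        if size_field == "<DIR>":
            continue
        size = int(re.sub(r"\D", "", size_field))
        stamp = datetime(int(year), int(month), int(day), int(hour), int(minute))
        entries.append((name, stamp, size))
    return entries


def recent_drivers(text, cutoff, suffixes=(".sys",)):
    """Return driver files modified on or after `cutoff`, newest first."""
    hits = [
        e for e in parse_dir_listing(text)
        if e[1].date() >= cutoff and e[0].lower().endswith(suffixes)
    ]
    return sorted(hits, key=lambda e: e[1], reverse=True)


# Constructed sample in the same layout as the posted peek.txt. The first
# three file names appear in the thread; "newdrv.sys" is invented for the demo.
SAMPLE_LISTING = """\
 Volume in drive C is Vista
 Volume Serial Number is BE63-54EE

 Directory of C:\\WINDOWS\\system32\\drivers

02. 11. 2006 10:55    53,376 1394bus.sys
13. 02. 2008 18:14    21,560 atapi.sys
06. 03. 2008 22:32    23,904 COH_Mon.sys
29. 04. 2008 21:20    <DIR>  etc
27. 04. 2008 03:12    34,816 newdrv.sys
18. 09. 2006 23:26 3,440,660 gm.dls
"""

INFECTION_DATE = date(2008, 4, 26)  # date of the opening post

if __name__ == "__main__":
    # Only newdrv.sys is dated after the infection and carries a .sys suffix.
    for name, stamp, size in recent_drivers(SAMPLE_LISTING, INFECTION_DATE):
        print(f"{stamp:%Y-%m-%d %H:%M}  {size:>10,}  {name}")
```

Run it against a real peek.txt by reading the file into `recent_drivers` instead of `SAMPLE_LISTING`; the cutoff should be the earliest date the symptoms appeared, not the current day.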
sagittorius
2008-04-29, 22:57
Volume in drive C is Vista
Volume Serial Number is BE63-54EE
Directory of C:\WINDOWS\system32\drivers
02. 11. 2006 10:55 53 376 1394bus.sys
15. 11. 2007 04:05 258 232 acpi.sys
02. 11. 2006 11:51 420 968 adp94xx.sys
02. 11. 2006 11:51 297 576 adpahci.sys
02. 11. 2006 11:50 98 408 adpu160m.sys
02. 11. 2006 11:51 147 048 adpu320.sys
02. 11. 2006 10:58 270 336 afd.sys
02. 11. 2006 11:49 53 864 AGP440.sys
28. 11. 2006 16:11 1 161 888 AGRSM.sys
02. 11. 2006 11:49 14 952 aliide.sys
02. 11. 2006 11:49 54 888 AMDAGP.SYS
02. 11. 2006 11:49 15 464 amdide.sys
02. 11. 2006 10:30 38 912 amdk7.sys
02. 11. 2006 10:30 40 960 amdk8.sys
02. 11. 2006 11:50 67 688 arc.sys
02. 11. 2006 11:50 67 688 arcsas.sys
02. 11. 2006 10:58 17 408 asyncmac.sys
13. 02. 2008 18:14 21 560 atapi.sys
13. 02. 2008 18:14 109 624 ataport.sys
14. 07. 2007 05:30 742 400 athr.sys
16. 08. 2007 11:54 220 672 AVerFx2hbtv.sys
15. 11. 2007 04:05 28 344 battc.sys
02. 11. 2006 14:34 12 288 bdasup.sys
02. 11. 2006 10:51 6 144 beep.sys
02. 11. 2006 10:31 69 632 bowser.sys
02. 11. 2006 10:24 13 568 BrFiltLo.sys
02. 11. 2006 10:24 5 248 BrFiltUp.sys
02. 11. 2006 11:23 93 184 bridge.sys
02. 11. 2006 10:25 71 808 BrSerId.sys
02. 11. 2006 10:24 62 336 BrSerWdm.sys
02. 11. 2006 10:24 12 160 BrUsbMdm.sys
02. 11. 2006 10:24 11 904 BrUsbSer.sys
02. 11. 2006 10:55 39 936 bthmodem.sys
02. 11. 2006 10:30 70 144 cdfs.sys
02. 11. 2006 10:51 67 072 cdrom.sys
02. 11. 2006 10:55 35 328 circlass.sys
02. 11. 2006 11:50 125 032 Classpnp.sys
15. 11. 2007 04:05 14 208 CmBatt.sys
02. 11. 2006 11:49 16 488 cmdide.sys
06. 03. 2008 22:32 10 537 COH_Mon.cat
06. 03. 2008 22:32 706 COH_Mon.inf
06. 03. 2008 22:32 23 904 COH_Mon.sys
15. 11. 2007 04:05 20 920 compbatt.sys
02. 11. 2006 11:50 33 384 crashdmp.sys
02. 11. 2006 11:49 22 632 crcdisk.sys
02. 11. 2006 10:30 38 912 crusoe.sys
02. 11. 2006 10:31 74 752 dfsc.sys
02. 11. 2006 11:49 52 840 disk.sys
02. 11. 2006 10:51 19 456 Diskdump.sys
02. 11. 2006 11:50 71 272 djsvs.sys
02. 11. 2006 11:20 130 048 drmk.sys
02. 11. 2006 10:54 5 632 drmkaud.sys
02. 11. 2006 11:49 26 728 Dumpata.sys
02. 11. 2006 10:38 13 312 dxapi.sys
02. 11. 2006 10:38 76 288 dxg.sys
29. 08. 2007 10:07 619 008 dxgkrnl.sys
02. 11. 2006 09:30 117 760 E1G60I32.sys
02. 11. 2006 14:34 132 200 ecache.sys
02. 11. 2006 11:51 316 520 elxstor.sys
14. 02. 2008 04:17 <DIR> en-US
29. 04. 2008 21:20 <DIR> etc
02. 11. 2006 10:30 142 336 fastfat.sys
02. 11. 2006 10:51 25 088 fdc.sys
02. 11. 2006 11:49 56 424 fileinfo.sys
02. 11. 2006 10:32 27 648 filetrace.sys
02. 11. 2006 10:51 20 480 flpydisk.sys
02. 11. 2006 11:51 183 912 fltMgr.sys
04. 07. 2007 19:37 12 800 fs_rec.sys
02. 11. 2006 10:57 84 992 FWPKCLNT.SYS
02. 11. 2006 11:50 58 984 GAGP30KX.SYS
18. 09. 2006 23:26 3 440 660 gm.dls
18. 09. 2006 23:26 646 gmreadme.txt
27. 08. 2007 11:32 25 544 hamachi.sys
11. 07. 2007 10:30 53 760 hdaudbus.sys
02. 11. 2006 09:36 235 520 HdAudio.sys
02. 11. 2006 10:55 29 184 hidbth.sys
02. 11. 2006 10:55 38 912 hidclass.sys
02. 11. 2006 10:55 21 504 hidir.sys
02. 11. 2006 10:55 25 472 hidparse.sys
02. 11. 2006 10:55 12 288 hidusb.sys
02. 11. 2006 11:50 37 480 HpCISSs.sys
02. 11. 2006 10:57 385 536 http.sys
02. 11. 2006 11:49 16 488 i2omgmt.sys
02. 11. 2006 11:49 27 752 i2omp.sys
14. 02. 2008 04:07 54 784 i8042prt.sys
02. 11. 2006 11:51 232 040 iaStorV.sys
11. 02. 2008 19:36 2 302 976 igdkmd32.sys
02. 11. 2006 11:50 41 576 iirsp.sys
13. 02. 2008 18:14 17 464 intelide.sys
02. 11. 2006 10:30 39 424 intelppm.sys
02. 11. 2006 10:58 47 104 ipfltdrv.sys
02. 11. 2006 10:42 65 536 IPMIDrv.sys
02. 11. 2006 10:58 99 840 ipnat.sys
02. 11. 2006 10:57 95 744 irda.sys
02. 11. 2006 10:57 13 312 irenum.sys
02. 11. 2006 11:50 47 208 isapnp.sys
02. 11. 2006 11:50 35 944 iteatapi.sys
02. 11. 2006 11:50 35 944 iteraid.sys
14. 02. 2008 04:07 35 384 kbdclass.sys
02. 11. 2006 10:51 15 872 kbdhid.sys
18. 01. 2007 16:40 219 392 KR10I.sys
18. 01. 2007 16:47 211 072 KR10N.sys
08. 03. 2008 04:14 148 992 ks.sys
02. 11. 2006 11:51 407 144 ksecdd.sys
02. 11. 2006 10:56 47 104 lltdio.sys
28. 07. 2006 18:25 19 456 LPCFilter.sys
02. 11. 2006 11:50 65 640 lsi_fc.sys
02. 11. 2006 11:50 65 640 lsi_sas.sys
02. 11. 2006 11:50 65 640 lsi_scsi.sys
02. 11. 2006 10:33 83 456 luafv.sys
02. 11. 2006 10:52 18 944 mcd.sys
02. 11. 2006 11:49 28 776 megasas.sys
02. 11. 2006 10:58 31 744 modem.sys
16. 12. 2007 11:56 41 984 monitor.sys
14. 02. 2008 04:07 34 360 mouclass.sys
14. 02. 2008 04:07 15 872 mouhid.sys
02. 11. 2006 11:49 54 888 mountmgr.sys
02. 11. 2006 11:50 78 952 mpio.sys
11. 07. 2007 10:34 63 488 mpsdrv.sys
02. 11. 2006 11:49 33 384 Mraid35x.sys
13. 02. 2008 18:15 110 080 mrxdav.sys
12. 12. 2007 12:20 101 888 mrxsmb.sys
02. 11. 2006 10:31 211 456 mrxsmb10.sys
12. 12. 2007 12:20 58 368 mrxsmb20.sys
02. 11. 2006 11:49 23 144 msahci.sys
02. 11. 2006 11:50 80 488 msdsm.sys
02. 11. 2006 10:30 22 528 msfs.sys
18. 09. 2006 23:43 3 MsftWdf_Kernel_01005_Inbox_Critical.Wdf
02. 11. 2006 11:49 13 928 msisadrv.sys
02. 11. 2006 11:51 168 552 msiscsi.sys
02. 11. 2006 10:51 8 192 mskssrv.sys
02. 11. 2006 10:51 5 888 mspclock.sys
02. 11. 2006 10:51 5 504 mspqm.sys
02. 11. 2006 11:51 160 872 msrpc.sys
02. 11. 2006 11:49 28 776 mssmbios.sys
02. 11. 2006 10:51 6 016 mstee.sys
02. 11. 2006 11:50 46 696 mup.sys
02. 11. 2006 11:51 500 840 ndis.sys
29. 08. 2007 10:07 20 480 ndistapi.sys
02. 11. 2006 10:57 16 896 ndisuio.sys
02. 11. 2006 10:58 118 784 ndiswan.sys
29. 08. 2007 10:07 48 640 ndproxy.sys
02. 11. 2006 10:57 35 840 netbios.sys
02. 11. 2006 10:57 184 320 netbt.sys
13. 02. 2008 18:13 216 632 netio.sys
02. 11. 2006 09:30 1 781 760 NETw3v32.sys
02. 11. 2006 11:50 45 160 nfrd960.sys
19. 06. 2007 09:59 39 296 nm3.sys
02. 11. 2006 10:30 34 816 npfs.sys
02. 11. 2006 10:57 16 384 nsiproxy.sys
17. 12. 2007 00:50 1 060 920 ntfs.sys
02. 11. 2006 09:36 20 608 ntrigdigi.sys
02. 11. 2006 10:51 4 608 null.sys
13. 01. 2007 10:40 4 452 288 nvlddmkm.sys
02. 11. 2006 11:50 88 680 nvraid.sys
02. 11. 2006 11:50 40 040 nvstor.sys
02. 11. 2006 11:50 106 600 NV_AGP.SYS
13. 02. 2008 18:14 154 624 nwifi.sys
02. 11. 2006 10:55 62 080 ohci1394.sys
29. 08. 2007 10:07 70 144 pacer.sys
02. 11. 2006 10:51 79 360 parport.sys
02. 11. 2006 11:50 49 256 partmgr.sys
02. 11. 2006 10:51 8 704 parvdm.sys
02. 11. 2006 11:50 140 392 pci.sys
02. 11. 2006 11:49 13 416 pciide.sys
13. 02. 2008 18:14 45 112 pciidex.sys
02. 11. 2006 11:51 167 528 pcmcia.sys
02. 11. 2006 11:04 878 080 PEAuth.sys
02. 11. 2006 10:55 167 424 portcls.sys
02. 11. 2006 10:30 38 400 processr.sys
09. 01. 2008 13:18 43 528 pxhelp20.sys
02. 11. 2006 11:51 900 712 ql2300.sys
02. 11. 2006 11:50 106 088 ql40xx.sys
02. 11. 2006 14:34 31 232 qwavedrv.sys
02. 11. 2006 10:58 11 776 rasacd.sys
02. 11. 2006 10:58 75 776 rasl2tp.sys
02. 11. 2006 10:58 41 472 raspppoe.sys
02. 11. 2006 10:58 61 440 raspptp.sys
02. 11. 2006 10:31 222 208 rdbss.sys
02. 11. 2006 11:02 6 144 RDPCDD.sys
02. 11. 2006 11:03 242 688 rdpdr.sys
02. 11. 2006 11:02 6 144 RDPENCDD.sys
02. 11. 2006 11:02 160 256 rdpwd.sys
02. 11. 2006 10:57 113 664 rmcast.sys
02. 11. 2006 10:57 32 768 RNDISMP.sys
02. 11. 2006 10:58 8 192 rootmdm.sys
02. 11. 2006 10:56 60 416 rspndr.sys
04. 02. 2007 21:37 176 RTHDAEQ0.dat
07. 02. 2007 18:16 176 RTHDAEQ1.dat
18. 01. 2007 19:56 1 729 632 RTKVHDA.sys
14. 02. 2008 07:56 118 784 Rtlh86.sys
02. 11. 2006 11:50 76 392 sbp2port.sys
02. 11. 2006 11:50 140 392 scsiport.sys
10. 07. 2007 09:40 82 432 sdbus.sys
02. 11. 2006 08:37 20 480 secdrv.sys
02. 11. 2006 10:51 17 920 serenum.sys
02. 11. 2006 10:51 83 456 serial.sys
14. 02. 2008 04:07 19 968 sermouse.sys
05. 07. 2006 14:39 59 256 sfdrv01.sys
05. 07. 2006 14:46 63 352 sfdrv01a.sys
02. 11. 2006 10:51 13 312 sffdisk.sys
02. 11. 2006 10:51 12 800 sffp_mmc.sys
02. 11. 2006 10:51 12 800 sffp_sd.sys
14. 06. 2006 16:56 13 680 sfhlp02.sys
02. 11. 2006 10:51 13 312 sfloppy.sys
10. 07. 2006 18:19 27 032 sfsync02.sys
02. 11. 2006 11:49 53 352 SISAGP.SYS
02. 11. 2006 11:50 38 504 sisraid2.sys
02. 11. 2006 11:50 71 784 sisraid4.sys
02. 11. 2006 10:57 66 048 smb.sys
02. 11. 2006 10:51 17 408 smclib.sys
02. 11. 2006 11:49 18 536 spldr.sys
02. 11. 2006 09:16 551 936 spsys.sys
08. 09. 2007 22:34 685 816 sptd.sys
01. 12. 2007 00:57 10 545 srtsp.cat
01. 12. 2007 00:57 1 415 srtsp.inf
01. 12. 2007 00:57 279 088 srtsp.sys
01. 12. 2007 00:57 10 549 srtspl.cat
01. 12. 2007 00:57 1 430 srtspl.inf
01. 12. 2007 00:57 317 616 srtspl.sys
01. 12. 2007 00:57 10 549 srtspx.cat
01. 12. 2007 00:57 1 421 srtspx.inf
01. 12. 2007 00:57 43 696 srtspx.sys
02. 11. 2006 10:31 290 304 srv.sys
12. 12. 2007 12:20 130 048 srv2.sys
12. 12. 2007 12:20 84 992 srvnet.sys
02. 11. 2006 11:50 117 864 Storport.sys
02. 11. 2006 10:55 52 864 stream.sys
02. 11. 2006 11:49 12 776 swenum.sys
02. 11. 2006 11:50 35 944 symc8xx.sys
30. 10. 2007 20:55 12 848 symdns.sys
05. 12. 2007 12:44 10 740 SYMEVENT.CAT
05. 12. 2007 12:44 805 SYMEVENT.INF
05. 12. 2007 12:44 123 952 SYMEVENT.SYS
30. 10. 2007 20:55 145 968 symfw.sys
30. 10. 2007 20:55 39 856 symids.sys
30. 10. 2007 20:55 37 936 symndisv.sys
30. 10. 2007 20:24 12 963 SymRedir.cat
30. 10. 2007 20:24 1 358 SymRedir.inf
30. 10. 2007 20:55 27 696 symredrv.sys
30. 10. 2007 20:55 191 536 symtdi.sys
02. 11. 2006 11:49 31 848 sym_hi.sys
02. 11. 2006 11:50 34 920 sym_u3.sys
27. 07. 2007 05:32 188 336 SynTP.sys
01. 10. 2006 14:37 26 624 tap0801.sys
02. 11. 2006 10:51 24 576 tape.sys
13. 02. 2008 18:13 803 328 tcpip.original
09. 04. 2007 09:27 802 816 tcpip.sys
02. 11. 2006 10:57 27 648 tcpipreg.sys
18. 10. 2006 13:50 16 128 tdcmdpst.sys
02. 11. 2006 10:58 20 992 tdi.sys
02. 11. 2006 11:02 17 920 tdpipe.sys
02. 11. 2006 11:02 28 672 tdtcp.sys
02. 11. 2006 10:57 68 096 tdx.sys
02. 11. 2006 11:50 50 792 termdd.sys
06. 07. 2006 14:44 168 448 tifm21.sys
10. 10. 2006 21:33 41 600 tosporte.sys
12. 01. 2007 23:41 113 792 tosrfbd.sys
20. 11. 2006 19:55 36 480 tosrfbnp.sys
01. 08. 2005 18:45 64 896 tosrfcom.sys
23. 10. 2006 18:32 9 216 tosrfec.sys
24. 01. 2007 16:57 73 728 Tosrfhid.sys
06. 01. 2005 15:42 18 612 tosrfnds.sys
22. 01. 2007 12:43 53 376 TosRfSnd.sys
12. 01. 2007 23:16 40 576 tosrfusb.sys
31. 03. 2008 02:25 223 424 truecrypt.sys
02. 11. 2006 11:02 23 552 tssecsrv.sys
11. 07. 2007 10:34 15 360 TUNMP.SYS
11. 07. 2007 10:34 23 040 tunnel.sys
06. 10. 2006 00:22 16 768 TVALZ_O.SYS
02. 11. 2006 11:49 56 936 UAGP35.SYS
02. 11. 2006 10:30 225 280 udfs.sys
02. 11. 2006 11:50 58 472 ULIAGPKX.SYS
02. 11. 2006 11:51 235 112 uliahci.sys
02. 11. 2006 11:50 98 408 ulsata.sys
02. 11. 2006 11:50 115 816 ulsata2.sys
02. 11. 2006 10:55 34 816 umbus.sys
08. 03. 2007 15:41 <DIR> UMDF
02. 11. 2006 10:55 7 168 umpass.sys
02. 11. 2006 10:57 14 848 usb8023.sys
02. 11. 2006 10:55 25 728 USBCAMD.sys
02. 11. 2006 10:55 25 728 USBCAMD2.sys
15. 11. 2007 04:03 73 216 usbccgp.sys
02. 11. 2006 10:55 68 608 usbcir.sys
15. 11. 2007 04:03 5 888 usbd.sys
15. 11. 2007 04:03 38 400 usbehci.sys
15. 11. 2007 04:03 193 536 usbhub.sys
02. 11. 2006 10:55 19 456 usbohci.sys
15. 11. 2007 04:03 224 768 usbport.sys
02. 11. 2006 11:14 18 944 usbprint.sys
02. 11. 2006 11:14 35 328 usbscan.sys
10. 07. 2007 09:40 55 296 USBSTOR.SYS
15. 11. 2007 04:03 23 040 usbuhci.sys
02. 11. 2006 10:55 132 352 usbvideo.sys
26. 01. 2007 16:13 17 712 UVCFTR_S.SYS
02. 11. 2006 10:53 25 088 vga.sys
02. 11. 2006 10:53 26 112 vgapnp.sys
02. 11. 2006 11:49 54 376 VIAAGP.SYS
02. 11. 2006 10:30 39 424 viac7.sys
02. 11. 2006 11:49 17 512 viaide.sys
02. 11. 2006 10:54 109 056 videoprt.sys
02. 11. 2006 11:50 50 280 volmgr.sys
02. 11. 2006 11:51 290 408 volmgrx.sys
09. 01. 2008 12:49 211 000 volsnap.sys
10. 10. 2002 23:10 15 416 VPCAppSv.sys
10. 10. 2002 23:10 34 944 VPCNetS2.sys
10. 10. 2002 23:10 17 360 VPCPower.sys
02. 11. 2006 11:50 112 232 vsmraid.sys
02. 11. 2006 10:52 20 608 wacompen.sys
29. 08. 2007 10:07 61 952 wanarp.sys
02. 11. 2006 10:37 32 256 watchdog.sys
02. 11. 2006 11:49 19 560 wd.sys
14. 02. 2008 04:07 495 160 Wdf01000.sys
14. 02. 2008 04:07 35 384 WdfLdr.sys
02. 11. 2006 10:35 11 264 wmiacpi.sys
02. 11. 2006 11:49 15 464 wmilib.sys
02. 11. 2006 10:58 15 872 ws2ifsl.sys
02. 11. 2006 10:54 51 712 WUDFPf.sys
02. 11. 2006 10:54 82 560 WUDFRd.sys
316 File(s) 43 230 947 bytes
3 Dir(s) 19 491 143 680 bytes free
sagittorius
2008-04-29, 23:01
DSS does not seem to work properly. It didn't accept my installed HijackThis, nor the one it installed, and when it used the internal clone of HijackThis it suddenly ended. Then I repeated the steps several times and got main.txt only.
Deckard's System Scanner v20071014.68
Run by R on 2008-04-29 21:50:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-29 21:50:32
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\mdn2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\conime.exe
C:\totalcmd\TOTALCMD.EXE
C:\Windows\System32\SearchFilterHost.exe
C:\Users\R\Desktop\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: AVerQuick.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: ت&صدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: إرسال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: إر&سال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\1\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: CardBusService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\System32\Crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - E:\2\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 14631 bytes
-- Files created between 2008-03-29 and 2008-04-29 -----------------------------
2008-04-29 20:55:42 3456 -r------- C:\Windows\system32\AVerIO.sys
2008-04-29 20:55:42 49152 -r------- C:\Windows\system32\AVerIO.dll <Not Verified; ; AVerIO>
2008-04-29 20:55:40 73728 -r------- C:\Windows\system32\CardID.dll <Not Verified; AVerMedia Technologies, Inc.; >
2008-04-29 20:55:36 253952 -r------- C:\Windows\system32\sptlib02.dll
2008-04-29 20:55:36 262144 -r------- C:\Windows\system32\sptlib01.dll
2008-04-29 20:22:29 68478 --a------ C:\Windows\system32\mdelk.exe
2008-04-29 10:58:59 638976 --ah----- C:\Windows\system32\TOSCDSPD.EXE
2008-04-28 21:33:36 0 d-------- C:\Program Files\QuickMediaConverter
2008-04-27 22:14:29 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-27 22:09:35 0 d-------- C:\Combo-Fix
2008-04-26 19:33:45 0 d-------- C:\Program Files\Trend Micro
2008-04-26 14:45:34 68096 --a------ C:\Windows\zip.exe
2008-04-26 14:45:34 49152 --a------ C:\Windows\VFind.exe
2008-04-26 14:45:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 14:45:34 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 14:45:34 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 14:45:34 98816 --a------ C:\Windows\sed.exe
2008-04-26 14:45:34 80412 --a------ C:\Windows\grep.exe
2008-04-26 14:45:34 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 14:45:24 0 d-------- C:\k
2008-04-26 13:44:00 0 d-------- C:\Program Files\CCleaner
2008-04-26 09:51:13 11254 --a------ C:\Windows\system32\locate.com
2008-04-26 09:49:23 0 d-------- C:\MGtools
2008-04-26 09:49:09 1238055 --a------ C:\MGtools.exe
2008-04-26 08:06:37 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-26 08:06:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 08:04:44 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 08:01:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 07:54:36 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 05:35:23 0 d-------- C:\Program Files\AVG
2008-04-26 05:35:21 0 d-------- C:\Users\All Users\avg8
2008-04-26 03:09:03 0 d-------- C:\Program Files\Celtx
2008-04-26 02:00:36 414272 --a------ C:\Windows\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:35 414272 --a------ C:\Windows\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:34 626688 --a------ C:\Windows\system32\xvid.dll
2008-04-26 02:00:34 0 d-------- C:\Program Files\WinVDRPRO
2008-04-26 01:41:04 0 d-------- C:\Program Files\MatroskaProp
2008-04-16 10:37:18 0 d-------- C:\Program Files\QuickTime
2008-04-16 10:37:15 0 d-------- C:\Users\All Users\Apple Computer
2008-04-16 10:33:31 0 d-------- C:\Users\All Users\Apple
2008-04-16 10:33:31 0 d-------- C:\Program Files\Apple Software Update
2008-04-15 20:19:20 0 d-------- C:\Program Files\DivXLand
2008-04-13 02:28:01 0 d-------- C:\Poker
2008-04-13 02:09:25 0 d-------- C:\Microgaming
2008-04-11 01:24:17 0 d-------- C:\Programs
2008-04-11 01:02:16 0 d-------- C:\Program Files\LearnPoker
2008-04-07 20:16:12 0 d-------- C:\Program Files\ChrisTV
2008-04-07 19:01:22 0 d-------- C:\Program Files\Common Files\NacreWare
2008-04-07 17:38:49 0 d-------- C:\Program Files\ChrisTV PVR
2008-04-07 16:47:00 0 d-------- C:\ChrisTV PVR
2008-04-06 14:31:36 205792 --a------ C:\GDIPFONTCACHEV1.DAT
2008-04-06 12:26:28 0 d-------- C:\Program Files\Common Files\AVerMedia
2008-04-05 16:37:19 0 d-------- C:\Users\All Users\Team MediaPortal
2008-04-05 16:36:23 0 d-------- C:\Program Files\Team MediaPortal
2008-04-05 12:41:02 0 d-------- C:\Windows\Driver Cache
2008-04-05 12:39:15 0 d-------- C:\Program Files\AVerMedia
2008-04-04 17:28:36 0 d-------- C:\Program Files\AMC2000
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 23:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 23:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-30 19:15:02 0 d-------- C:\Program Files\CD Audio Reader Filter
2008-03-30 19:14:47 0 d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 19:14:32 0 d-------- C:\Program Files\RealMedia
2008-03-30 19:12:54 0 d-------- C:\Program Files\SHOUTcast Source
2008-03-30 19:12:46 0 d-------- C:\Program Files\DSP-worx
2008-03-30 19:12:36 0 d-------- C:\Program Files\DirectVobSub
-- Find3M Report ---------------------------------------------------------------
2008-04-29 21:20:52 0 d-------- C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 21:20:29 0 d-------- C:\Program Files\Norton Internet Security
2008-04-29 21:20:28 0 d-------- C:\Program Files\My Ebook Library
2008-04-29 21:20:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 21:20:26 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 21:20:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-28 21:51:31 0 d-------- C:\Program Files\Common Files
2008-04-26 08:06:49 0 d-------- C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 07:54:08 0 d-------- C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 04:35:05 0 d-------- C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 03:09:52 0 d-------- C:\Users\R\AppData\Roaming\Greyfirst
2008-04-25 02:29:45 0 d-------- C:\Program Files\Movienizer
2008-04-20 01:45:29 0 d-------- C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 12:35:37 0 d-------- C:\Program Files\KeyScrambler
2008-04-15 19:49:57 0 d-------- C:\Users\R\AppData\Roaming\Jubler
2008-04-15 18:58:03 0 d-------- C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 21:44:26 0 d-------- C:\Program Files\DivX
2008-04-10 05:02:10 0 d-------- C:\Program Files\Windows Mail
2008-04-06 12:30:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 10:05:57 0 d-------- C:\Program Files\EMDB
2008-04-02 15:40:29 0 d-------- C:\Program Files\Aspell
2008-04-02 10:49:13 0 d-------- C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 05:33:04 0 d-------- C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 05:02:48 0 d-------- C:\Users\R\AppData\Roaming\tor
2008-03-28 16:45:04 0 d-------- C:\Program Files\DC++
2008-03-28 02:35:16 0 d-------- C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 02:35:11 0 d-------- C:\Program Files\Uniblue
2008-03-25 17:45:17 0 d-------- C:\Users\R\AppData\Roaming\Autodesk
2008-03-21 22:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 22:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 22:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 22:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 00:36:06 0 d-------- C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 11:24:30 0 d-------- C:\Program Files\Crown Forex Trading Station 4
2008-03-19 13:27:39 0 d-------- C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2008-03-17 13:37:50 0 d-------- C:\Program Files\SWiSH v2.0
2008-03-16 18:11:00 0 d-------- C:\Program Files\IMDBScanner
2008-03-15 12:07:24 0 d-------- C:\Users\R\AppData\Roaming\Skype
2008-03-14 17:24:41 0 d-------- C:\Program Files\Shareaza
2008-03-14 16:51:31 0 d-------- C:\Program Files\Ares
2008-03-13 13:30:59 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-13 13:30:27 0 d-------- C:\Program Files\AutoCAD Architecture 2008
2008-03-13 13:07:59 0 d-------- C:\Program Files\Autodesk
2008-03-12 22:44:15 0 d-------- C:\Users\R\AppData\Roaming\Media Player Classic
2008-03-12 22:32:28 0 d-------- C:\Program Files\Gabest
2008-03-12 22:18:25 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-03-12 22:03:39 0 d-------- C:\Program Files\MKVtoolnix
2008-03-12 02:52:26 0 d-------- C:\Users\R\AppData\Roaming\Axosoft
2008-03-12 02:52:16 0 d-------- C:\Program Files\TBFDropZone
2008-03-10 17:05:47 0 d-------- C:\Program Files\uTorrent
2008-03-07 19:42:25 0 d-------- C:\Users\R\AppData\Roaming\Flock
2008-03-07 19:42:23 0 d-------- C:\Program Files\Flock
2008-03-01 12:57:53 0 d-------- C:\Program Files\ICQ6
2008-02-29 23:47:19 0 d-------- C:\Program Files\Windows Live
2008-02-29 23:27:25 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-02-29 23:26:44 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-29 22:48:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-31 15:29:06 37888 --a------ C:\Windows\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-01-30 14:58:44 33 --a------ C:\Users\R\AppData\Roaming\TexPoint.lic
2008-01-30 14:58:44 150 --a------ C:\Users\R\AppData\Roaming\TexPoint.ini
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10. 07. 2007 09:40]
"RtHDVCpl"="RtHDVCpl.exe" [18. 01. 2007 15:46 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [20. 12. 2006 01:16]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07. 12. 2006 18:49]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [29. 01. 2007 13:43]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [17. 01. 2007 15:46]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06. 11. 2006 19:14]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [01. 11. 2006 10:06]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [01. 11. 2006 13:08]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [29. 04. 2008 21:26]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [29. 04. 2008 21:26]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [13. 01. 2007 10:40]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [13. 01. 2007 10:40]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [13. 01. 2007 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [27. 07. 2007 05:32]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [27. 07. 2007 05:00]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [21. 09. 2007 21:21]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11. 01. 2008 20:54]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [28. 11. 2007 20:51]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11. 02. 2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11. 02. 2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11. 02. 2008 20:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28. 03. 2008 23:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [23. 09. 2004 07:01 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02. 11. 2006 14:35]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18. 10. 2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02. 11. 2006 14:36]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [29. 4. 2008 20:55:51]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17. 2. 1999 20:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [20. 12. 2006 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 19. 04. 2007 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
schedule
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41f09ae9-2947-11dc-a879-0016d4fad5f8}]
AutoRun\command- D:\nideiect.com
explore\Command- D:\nideiect.com
open\Command- D:\nideiect.com
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-04-29 21:51:13 ------------
Rorschach112
2008-04-30, 01:14
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\system32\mdelk.exe
D:\nideiect.com
DirLook::
C:\k
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41f09ae9-2947-11dc-a879-0016d4fad5f8}]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click File in the menu and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web Cureit.
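The CFScript above removes the `D:\nideiect.com` autorun target together with the MountPoints2 key that launches it, which is the trace a removable-drive infection leaves in the DSS registry dump posted earlier in this thread. As an added example (not part of this thread, and not ComboFix or DSS code), the Python script below reads that registry-dump text, flags the entries a helper looks at first, and emits the File::/Registry:: stanza of a CFScript for any MountPoints2 hijack it finds, in the same `[-key]` syntax the script above uses. The sample input is constructed from lines in this thread; the "unusual location" rules (a Run image on a non-system drive or loose in Common Files, a shell hook loaded from another drive), the assumption that Windows lives on C:, and the finding names are mine. A flag is a prompt for review, not a verdict: the SUPERAntiSpyware shell hook (SASSEH.DLL) that the user installed on E:\1 trips the same rule a real hijack would.

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied from the Deckard's System Scanner
# "Registry Dump" and ComboFix "Reg Loading Points" sections posted in this
# thread, trimmed to the entries the heuristics below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10. 07. 2007 09:40]
"RtHDVCpl"="RtHDVCpl.exe" [18. 01. 2007 15:46 C:\Windows\RtHDVCpl.exe]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [21. 09. 2007 21:21]
"NDSTray.exe"="NDSTray.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [20. 12. 2006 12:55 77824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41f09ae9-2947-11dc-a879-0016d4fad5f8}]
AutoRun\command- D:\nideiect.com
explore\Command- D:\nideiect.com
open\Command- D:\nideiect.com
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

Finding = Dict[str, str]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# MountPoints2 lines in these logs look like:  AutoRun\command- D:\nideiect.com
AUTORUN_RE = re.compile(
    r"^(?P<verb>AutoRun\\command|open\\Command|explore\\Command)-\s*(?P<target>\S.*)$", re.I)
# First drive-letter path in a value, quoted or not, ending at the [date size] block.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\[\]]+?)"?\s*(?:[\[\]]|$)')

SYSTEM_DRIVE = "c:"                              # assumption: Windows is installed on C:
COMMON_FILES_ROOT = r"c:\program files\common files"


def _int_value(val: str) -> int:
    """Parse the '0 (0x0)' and 'dword:00000001' value forms; -1 if neither."""
    token = val.split()[0] if val.strip() else ""
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token) if token.isdigit() else -1


def _image_path(val: str) -> str:
    m = PATH_RE.search(val)
    return m.group("path").strip() if m else ""


def _off_system_drive(path: str) -> bool:
    return bool(path) and not path.lower().startswith(SYSTEM_DRIVE + "\\")


def _in_common_files_root(path: str) -> bool:
    # Installers create a vendor subfolder; a loose EXE directly in Common Files is odd.
    return path.lower().rpartition("\\")[0] == COMMON_FILES_ROOT


def triage(log_text: str) -> List[Finding]:
    """Walk a DSS/ComboFix registry section and return the entries worth a look."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")            # every following value belongs to this key
            continue
        lkey = key.lower()
        am = AUTORUN_RE.match(line)
        if am and "mountpoints2" in lkey:    # autorun.inf-style hijack of a drive letter
            findings.append({"kind": "autorun-hijack", "key": key,
                             "target": am.group("target").strip(),
                             "detail": f"{am.group('verb')} -> {am.group('target')}"})
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, val = vm.group("name"), vm.group("val")
        lname, path, num = name.lower(), _image_path(val), _int_value(val)
        if lkey.endswith(r"\currentversion\run") and (
                _off_system_drive(path) or _in_common_files_root(path)):
            findings.append({"kind": "unusual-run-image", "key": key, "detail": f"{name} = {path}"})
        elif ("shellexecutehooks" in lkey or r"winlogon\notify" in lkey) and _off_system_drive(path):
            findings.append({"kind": "hook-off-system-drive", "key": key, "detail": f"{name} = {path}"})
        elif lname == "enablelua" and num == 0:
            findings.append({"kind": "uac-disabled", "key": key, "detail": line})
        elif lname == "enablefirewall" and num == 0:
            findings.append({"kind": "firewall-disabled", "key": key, "detail": line})
        elif lname == "disablemonitoring" and num == 1:
            findings.append({"kind": "security-center-monitoring-off", "key": key, "detail": line})
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Turn autorun findings into the File:: / Registry:: stanza of a CFScript;
    [-key] is the CFScript form for deleting a key, as in the helper's script above."""
    files: List[str] = []
    keys: List[str] = []
    for f in findings:
        if f["kind"] != "autorun-hijack":
            continue
        if f["target"] not in files:
            files.append(f["target"])
        if f["key"] not in keys:
            keys.append(f["key"])
    if not keys:
        return ""
    return "\n".join(["File::", *files, "Registry::", *(f"[-{k}]" for k in keys)]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:32} {f['detail']}")
    print(build_cfscript(found), end="")
```

Run it against a saved DSS main.txt or ComboFix.txt by passing the file contents to `triage()`; the three disabled-protection findings (UAC, firewall, Security Center monitoring) are exactly the settings a cleaned machine still needs turned back on, whatever removed the malware.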
sagittorius
2008-04-30, 19:47
ComboFix 08-04-24.1 - R 2008-04-30 0:59:28.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1150 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\system32\mdelk.exe
D:\nideiect.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\ban_list.txt
C:\Windows\system32\drivers\downld
C:\Windows\system32\drivers\downld\142038.exe
C:\Windows\system32\drivers\downld\166967.exe
C:\Windows\system32\drivers\downld\185500.exe
C:\Windows\system32\drivers\downld\188652.exe
C:\Windows\system32\drivers\downld\193612.exe
C:\Windows\system32\drivers\downld\196935.exe
C:\Windows\system32\drivers\downld\197856.exe
C:\Windows\system32\drivers\downld\203846.exe
C:\Windows\system32\drivers\downld\209431.exe
C:\Windows\system32\drivers\downld\214750.exe
C:\Windows\system32\drivers\downld\235811.exe
C:\Windows\system32\drivers\downld\243720.exe
C:\Windows\system32\drivers\downld\247667.exe
C:\Windows\system32\drivers\downld\254843.exe
C:\Windows\system32\drivers\downld\296074.exe
C:\Windows\system32\drivers\downld\306042.exe
C:\Windows\system32\drivers\downld\311268.exe
C:\Windows\system32\drivers\downld\325449.exe
C:\Windows\system32\drivers\downld\337726.exe
C:\Windows\system32\drivers\downld\343202.exe
C:\Windows\system32\drivers\downld\356446.exe
C:\Windows\system32\drivers\downld\368739.exe
C:\Windows\system32\drivers\downld\380221.exe
C:\Windows\system32\drivers\downld\395821.exe
C:\Windows\system32\drivers\downld\406101.exe
C:\Windows\system32\drivers\downld\408285.exe
C:\Windows\system32\drivers\downld\410532.exe
C:\Windows\system32\drivers\downld\412794.exe
C:\Windows\system32\drivers\downld\4237876.exe
C:\Windows\system32\drivers\downld\4240559.exe
C:\Windows\system32\drivers\downld\4242103.exe
C:\Windows\system32\drivers\downld\430172.exe
C:\Windows\system32\drivers\downld\434883.exe
C:\Windows\system32\drivers\downld\443604.exe
C:\Windows\system32\drivers\downld\483681.exe
C:\Windows\system32\drivers\downld\514007.exe
C:\Windows\system32\drivers\downld\527564.exe
C:\Windows\system32\drivers\downld\534428.exe
C:\Windows\system32\drivers\downld\534802.exe
C:\Windows\system32\drivers\downld\547610.exe
C:\Windows\system32\drivers\downld\777430.exe
C:\Windows\system32\drivers\downld\782017.exe
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\mdelk.exe
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\mdelk.exe
C:\Windows\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 22:29 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-29 21:43 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-29 19:20 --------- d-----w C:\Program Files\AVerMedia
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2008-03-19 11:27 --------- d-----w C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\k ----
------- Sigcheck -------
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-27_22.17.51,16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 20:02:58 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-29 18:55:34 57,344 ----a-r C:\Windows\Installer\{799A3CB8-DCD5-4B48-ACAD-4D5FABCC7B21}\ARPPRODUCTICON.exe
- 2008-04-27 20:01:43 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-27 20:03:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-27 20:04:47 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-27 20:04:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-29 23:20:38 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-27 20:05:14 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-27 20:05:14 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-26 15:23:25 122,410 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-29 21:07:03 122,410 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-26 15:23:25 659,754 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-29 21:07:03 659,754 ----a-w C:\Windows\System32\perfh009.dat
- 2006-11-17 12:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
+ 2006-11-17 05:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
- 2007-03-16 02:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2007-03-15 19:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2004-09-23 05:01:00 638,976 ---ha-w C:\Windows\System32\TOSCDSPD.EXE
- 2008-04-27 20:05:10 13,262 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-27 20:05:09 111,066 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-27 20:01:41 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-27 20:05:07 70,092 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-16 08:27:44 415,072 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [2004-09-23 07:01 638976 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-04-29 20:55:51 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 02:15]
S2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
\shell\AutoRun\command - F:\Autorun.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-04-29 23:40:04 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 01:32:41
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\Crypserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\conime.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehrecvr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 1:40:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 23:40:28
ComboFix2.txt 2008-04-27 20:18:34
ComboFix3.txt 2008-04-26 17:45:39
ComboFix4.txt 2008-04-26 13:15:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
390 --- E O F --- 2008-04-24 16:46:15
DrWeb.csv
MGtools.exe;C:\;Adware.Borlander.231;;
_SetupPoker.exe;C:\Poker\CDPoker;Adware.Casino.49;;
process.exe;C:\Program Files\myphotobook\xtras;Tool.Prockill;;
188652.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
209431.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
4240559.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
430172.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
PSEXESVC.EXE;C:\Windows;Program.PsExec.170;;
SetupPoker.exe;E:\download\Poker\Online;Adware.Casino.49;;
viewer.exe;E:\download\Virtual Network\vnc;Program.RemoteAdmin;;
MGtools.exe;E:\rescue;Adware.Borlander.231;;
Rorschach112
2008-04-30, 21:34
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
F:\Autorun.exe
SysRst::
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Let me know if you can do these scans
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under Select a target to scan: select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
sagittorius
2008-05-01, 15:32
Hi
The scanners work for me, but they take time to do the full system scan. I will post the reports as soon as possible.
Here is the ComboFix log
ComboFix 08-04-24.1 - R 2008-05-01 13:44:54.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1143 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point
FILE ::
F:\Autorun.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 23:53 --------- d-----w C:\Program Files\boost
2008-04-30 23:36 --------- d-----w C:\Program Files\ChrisTV PVR
2008-04-29 23:49 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-04-29 19:20 --------- d-----w C:\Program Files\AVerMedia
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
------- Sigcheck -------
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-30_ 1.40.02.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-01 10:33:15 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-05-01 04:16:17 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-01 10:39:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-01 10:39:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-01 10:33:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 10:33:22 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-01 10:33:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-05-01 10:40:33 13,798 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:32 112,304 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-01 04:16:13 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:30 70,706 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-30 19:34:39 419,558 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" [2004-09-23 07:01 638976 C:\Windows\System32\TOSCDSPD.EXE]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-04-29 20:55:51 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 02:15]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-05-01 11:50:10 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:49:24
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************************************************************
.
Completion time: 2008-05-01 13:53:06
ComboFix-quarantined-files.txt 2008-05-01 11:52:27
ComboFix2.txt 2008-04-29 23:40:36
ComboFix3.txt 2008-04-27 20:18:34
ComboFix4.txt 2008-04-26 17:45:39
ComboFix5.txt 2008-04-26 13:15:48
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
288 --- E O F --- 2008-04-24 16:46:15
Rorschach112
2008-05-01, 15:48
It is worth it
Can you run this scan after Kaspersky?
Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
sagittorius
2008-05-02, 00:12
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 11:09:21 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 734019
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 290524
Number of viruses found: 9
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 08:32:47
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080429214531\backup\Users\R\AppData\Local\Temp\FD3.tmp/data0005 Infected: not-a-virus:AdWare.Win32.BHO.ya skipped
C:\Deckard\System Scanner\20080429214531\backup\Users\R\AppData\Local\Temp\FD3.tmp NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\166967.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\196935.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\214750.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\306042.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\412794.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\4242103.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/mdelk.exe.1 Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip ZIP: infected - 5 skipped
C:\Windows\System32\TOSCDSPD.EXE Infected: Trojan-Downloader.Win32.Bagle.nu skipped
E:\download\PDF\pwdremover.exe/file01 Infected: not-a-virus:PSWTool.Win32.PdfCracker.c skipped
E:\download\PDF\pwdremover.exe Inno: infected - 1 skipped
E:\download\Schedule\dshutdown.zip/DShutdown/DShutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.h skipped
E:\download\Schedule\dshutdown.zip ZIP: infected - 1 skipped
E:\download\usb\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.a skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe Inno: infected - 2 skipped
Scan process completed.
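A small triage helper for report lines in the format above, added here as an example (it is not part of this thread or of Kaspersky's tooling). It separates entries that are already sitting in a tool's quarantine (ComboFix's QooBox folder, the Deckard backup) from a live detection such as TOSCDSPD.EXE; the quarantine folder markers are an assumption drawn from the paths in this report, and the sample lines are copied from it.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: eight lines copied from the Kaspersky report posted above.
SAMPLE_REPORT = r"""
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\drivers\downld\166967.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme2008-04-30_ 10506,65.zip ZIP: infected - 5 skipped
C:\Deckard\System Scanner\20080429214531\backup\Users\R\AppData\Local\Temp\FD3.tmp/data0005 Infected: not-a-virus:AdWare.Win32.BHO.ya skipped
C:\Windows\System32\TOSCDSPD.EXE Infected: Trojan-Downloader.Win32.Bagle.nu skipped
E:\download\usb\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.a skipped
E:\download\Virtual Network\vnc\vnc-E4_1_6-x86_win32.exe Inno: infected - 2 skipped
"""

# One report line is: <path> <verdict> skipped, where the verdict is one of
#   "Infected: <name>", "<Container>: infected - <n>", or "Object is locked".
# The path is matched lazily because paths may themselves contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<container>[A-Za-z]+): infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)

# Assumption: folders under which earlier tools park neutralised files.
# ComboFix quarantines under C:\QooBox\Quarantine and Deckard's System Scanner
# keeps backups under C:\Deckard\System Scanner (both appear in the report above).
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\deckard\\system scanner\\")


@dataclass
class Finding:
    path: str
    detection: Optional[str]  # None for locked objects and archive summaries
    container_hits: int       # >0 for an archive summary line ("ZIP: infected - 5")
    category: str


def classify(path: str, detection: Optional[str], container_hits: int) -> str:
    """Bucket one line; only 'live' entries need action, the rest are informational."""
    if detection is None and container_hits == 0:
        return "locked"            # file in use by the OS, not a detection
    if any(marker in path.lower() for marker in QUARANTINE_MARKERS):
        return "quarantined"       # already neutralised by an earlier tool
    if container_hits:
        return "archive-summary"   # the archive's members were reported on their own lines
    if detection.startswith("not-a-virus:"):
        return "riskware"          # legitimate tools flagged as potentially unwanted
    return "live"                  # malware at a path the system can still execute from


def parse_line(line: str) -> Finding:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    detection = m.group("name")
    hits = int(m.group("count") or 0)
    return Finding(m.group("path"), detection, hits, classify(m.group("path"), detection, hits))


def triage(report: str) -> list[Finding]:
    """Parse every non-blank line of a report into a classified Finding."""
    return [parse_line(line) for line in report.splitlines() if line.strip()]


def live_findings(report: str) -> list[tuple[str, str]]:
    """The entries a responder must still deal with: live malware outside any quarantine."""
    return [(f.path, f.detection) for f in triage(report) if f.category == "live"]


def category_counts(report: str) -> dict[str, int]:
    return dict(Counter(f.category for f in triage(report)))


if __name__ == "__main__":
    for category, n in sorted(category_counts(SAMPLE_REPORT).items()):
        print(f"{category:16s} {n}")
    for path, name in live_findings(SAMPLE_REPORT):
        print("ACTION NEEDED:", path, "->", name)
```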
Rorschach112
2008-05-02, 00:36
OK, post the F-Secure report and a new HijackThis log
sagittorius
2008-05-02, 11:21
Result: 3 malware found
Tracking Cookie (spyware)
* System
Trojan-Downloader.Win32.Bagle (virus)
* System
Trojan-Downloader.Win32.Bagle.nu (virus)
* C:\WINDOWS\SYSTEM32\TOSCDSPD.EXE
Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\51F7E9DB8CFB930FC0966FBA351A8B83_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FED42419E485E6BA3BDB56159F33A896_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\51F7E9DB8CFB930FC0966FBA351A8B83_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FED42419E485E6BA3BDB56159F33A896_B49EB2C3-5962-4FC7-96AE-FDDC52592233
* E:\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2456189272_458752_10251
* E:\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2456189272_917504_10246
sagittorius
2008-05-02, 13:46
Hi
I can't run HijackThis. I got a message that it is not a Win32 application!!
Rorschach112
2008-05-02, 14:04
Well, the good news is that we found the file dropper
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\System32\TOSCDSPD.EXE
E:\download\PDF\pwdremover.exe
Folder::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Then reboot and run the F-Secure Online Scan again and post a new HijackThis log, and the ComboFix log
sagittorius
2008-05-02, 19:20
Hi
F-Secure didn't find anything
I can't run HijackThis
ComboFix 08-04-24.1 - R 2008-05-02 14:18:18.6 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1256.963.1033.18.1154 [GMT 2:00]
Running from: C:\Users\R\Desktop\Combo-Fix.exe
Command switches used :: C:\Users\R\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\System32\TOSCDSPD.EXE
E:\download\PDF\pwdremover.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\download\PDF\pwdremover.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 12:15 --------- d-----w C:\Program Files\ChrisTV PVR
2008-05-02 12:13 --------- d-----w C:\Program Files\Common Files\AVerMedia
2008-05-02 12:12 --------- d-----w C:\Program Files\AVerMedia
2008-04-30 23:53 --------- d-----w C:\Program Files\boost
2008-04-29 23:49 --------- d-----w C:\Program Files\DScaler
2008-04-29 21:37 --------- d-----w C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:37 --------- d-----w C:\ProgramData\River Past G5
2008-04-29 21:32 161,140 ----a-w C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 21:32 --------- d-----w C:\Program Files\River Past
2008-04-29 21:32 --------- d-----w C:\Program Files\Common Files\River Past
2008-04-29 21:12 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 21:11 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-29 19:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 19:20 --------- d-----w C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 19:20 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 19:20 --------- d-----w C:\ProgramData\FLEXnet
2008-04-29 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-29 19:20 --------- d-----w C:\Program Files\My Ebook Library
2008-04-29 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 19:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-28 19:39 --------- d-----w C:\Program Files\QuickMediaConverter
2008-04-26 17:33 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 15:27 --------- d-----w C:\Users\Guest\AppData\Roaming\Flock
2008-04-26 11:44 --------- d-----w C:\Program Files\CCleaner
2008-04-26 07:51 87,497 ----a-w C:\MGlogs.zip
2008-04-26 06:06 --------- d-----w C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-04-26 06:06 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 06:04 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-26 06:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 05:54 --------- d-----w C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 05:54 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 05:35 1,238,055 ----a-w C:\MGtools.exe
2008-04-26 03:36 --------- d-----w C:\ProgramData\avg8
2008-04-26 03:35 10,520 ------w C:\Windows\System32\avgrsstx.dll
2008-04-26 03:35 --------- d-----w C:\Program Files\AVG
2008-04-26 02:35 --------- d-----w C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 02:35 --------- d-----w C:\Program Files\WinVDRPRO
2008-04-26 01:09 --------- d-----w C:\Users\R\AppData\Roaming\Greyfirst
2008-04-26 01:09 --------- d-----w C:\Program Files\Celtx
2008-04-25 23:42 --------- d-----w C:\Program Files\MatroskaProp
2008-04-25 00:29 --------- d-----w C:\Program Files\Movienizer
2008-04-19 23:45 --------- d-----w C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 10:35 --------- d-----w C:\Program Files\KeyScrambler
2008-04-16 08:38 --------- d-----w C:\Program Files\QuickTime
2008-04-16 08:37 --------- d-----w C:\ProgramData\Apple Computer
2008-04-16 08:33 --------- d-----w C:\ProgramData\Apple
2008-04-16 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 18:19 --------- d-----w C:\Program Files\DivXLand
2008-04-15 17:49 --------- d-----w C:\Users\R\AppData\Roaming\Jubler
2008-04-15 16:58 --------- d-----w C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 23:02 --------- d-----w C:\Program Files\LearnPoker
2008-04-10 19:44 --------- d-----w C:\Program Files\DivX
2008-04-10 03:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-07 18:16 --------- d-----w C:\Program Files\ChrisTV
2008-04-07 17:01 --------- d-----w C:\Program Files\Common Files\NacreWare
2008-04-07 14:16 --------- d-----w C:\ProgramData\Team MediaPortal
2008-04-07 14:15 --------- d-----w C:\Program Files\Team MediaPortal
2008-04-06 12:31 205,792 ----a-w C:\GDIPFONTCACHEV1.DAT
2008-04-06 10:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 08:05 --------- d-----w C:\Program Files\EMDB
2008-04-05 00:01 --------- d-----w C:\Program Files\AMC2000
2008-04-02 13:40 --------- d-----w C:\Program Files\Aspell
2008-04-02 08:49 --------- d-----w C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-31 03:33 --------- d-----w C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 03:02 --------- d-----w C:\Users\R\AppData\Roaming\tor
2008-03-31 00:25 223,424 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-03-30 17:15 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-03-30 17:14 --------- d-----w C:\Program Files\RealMedia
2008-03-30 17:14 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 17:12 --------- d-----w C:\Program Files\SHOUTcast Source
2008-03-30 17:12 --------- d-----w C:\Program Files\DSP-worx
2008-03-30 17:12 --------- d-----w C:\Program Files\DirectVobSub
2008-03-28 14:45 --------- d-----w C:\Program Files\DC++
2008-03-28 00:35 --------- d-----w C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 00:35 --------- d-----w C:\Program Files\Uniblue
2008-03-25 15:45 --------- d-----w C:\Users\R\AppData\Roaming\Autodesk
2008-03-25 15:45 --------- d-----w C:\ProgramData\Autodesk
2008-03-25 00:52 --------- d-----w C:\ProgramData\Symantec
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 22:36 --------- d-----w C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 09:24 --------- d-----w C:\Program Files\Crown Forex Trading Station 4
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-04 13:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-04 13:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
------- Sigcheck -------
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\System32\drivers\tcpip.sys
2006-11-02 10:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-09 12:53 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2007-04-09 09:27 802816 8828315f2976c705d5a668de1aa58555 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16627_none_5f90b964923d030a\tcpip.sys
2008-01-09 12:53 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
2008-02-13 18:13 806400 52a8bd6294f7d1443c6184c67ae13af4 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20752_none_5ff4e4f9ab7777f4\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-04-30_ 1.40.02.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 23:08:25 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-01 10:33:15 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-02-27 13:59:28 290,816 ----a-w C:\Windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 13:59:28 495,616 ----a-w C:\Windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 14:00:12 262,144 ----a-w C:\Windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 13:59:16 588,392 ----a-w C:\Windows\Downloaded Program Files\gatelauncher.exe
+ 2008-05-02 12:13:22 3,638 ----a-r C:\Windows\Installer\{FC87BEA8-5582-476C-A754-41F3A9D976D4}\ARPPRODUCTICON.exe
- 2008-04-29 23:07:07 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-05-01 04:16:17 9,967,920 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-29 23:08:29 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-01 10:33:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-29 23:20:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-01 10:39:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-29 23:20:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-01 10:39:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-02 11:45:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-29 19:27:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-02 11:45:22 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-29 19:27:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-02 11:45:22 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-17 05:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
+ 2006-11-17 12:35:06 262,144 ------r C:\Windows\System32\sptlib01.dll
- 2007-03-15 19:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
+ 2007-03-16 02:27:36 253,952 ------r C:\Windows\System32\sptlib02.dll
- 2008-04-29 19:25:10 13,646 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
+ 2008-05-01 10:40:33 13,798 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-750633413-4032638155-1365244786-1000_UserData.bin
- 2008-04-29 19:25:09 111,978 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:32 112,304 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-28 21:57:17 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-01 04:16:13 4,790 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-04-29 19:25:07 70,494 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-01 10:40:30 70,706 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-28 01:12:37 417,276 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-30 19:34:39 419,558 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-10 09:40 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 15:46 4349952 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 01:16 411768]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 18:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-01-29 13:43 509496]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-01-17 15:46 534648]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 19:14 34352]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 10:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-11-01 13:08 438272]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-30 01:03 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-04-30 01:03 22696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 10:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 10:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 10:40 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 05:32 898344]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 05:00 204800]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [2007-09-21 21:21 298496]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2008-05-02 14:13:41 618496]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 2007-04-19 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.l3codec"= l3codecp.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-750633413-4032638155-1365244786-1000]
"EnableNotificationsRef"=dword:00000009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62FA87DF-113A-453C-BCA0-ACA385B5EE65}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{5EA8B303-9DAE-4E1A-A73D-1A127FE16BBC}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{58125C7D-B430-4BD9-B491-87389DDE2A81}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{63A173B0-C9AD-46CB-A81D-9A324C6056B0}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{47D27F1D-EA25-4C77-A137-ED1CAF387567}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7D7F429-D75D-4C48-9920-9296AFDE1EFD}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{5750A28D-0251-49F5-BC8B-9D36237D45D5}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CBD0881F-E7E7-4490-8A2C-947A16395419}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{6B90128A-8526-4C76-8527-E22B4BC09273}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{04C7A7AE-3C28-4FF4-AF86-3AD0B9CD0FF7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69D4F31B-E0C4-4DA3-B9C4-632E9F3D34A5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4ED654C1-BF0F-4353-AEC0-AF1C7495251B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{03605E4F-77E3-4095-ADBE-30D00693D00B}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B8926958-DA97-4F8E-998B-34CABFC7FC82}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{D4155DA4-5FEA-42D6-B07E-6C4EFA616C14}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071002.003\IDSvix86.sys [2007-09-13 16:49]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys [2007-06-19 09:59]
R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2007-08-29 10:07]
R2 SBSDWSCService;SBSD Security Center Service;E:\2\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 16:56]
R2 VPCAppSv;Virtual PC Application Services;C:\Windows\system32\DRIVERS\VPCAppSv.sys [2002-10-10 23:10]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 AVerFx2hbtv;AVerMedia USB SW Hybrid Tuner;C:\Windows\system32\drivers\AVerFx2hbtv.sys [2007-08-16 11:54]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
R3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 16:13]
S2 CardBusService;CardBusService;C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe [2007-04-24 09:15]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-18 16:40]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-18 16:47]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
\shell\AutoRun\command - F:\Autorun.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 18:43:00 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - R.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-05-02 12:25:28 C:\Windows\Tasks\User_Feed_Synchronization-{FB15F4EB-BD17-472F-8975-5C236FC8AC98}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 14:23:12
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Users\R\AppData\Local\Temp\~DF22F2.tmp 16384 bytes
C:\Users\R\AppData\Local\Temp\~DF2319.tmp 512 bytes
scan completed successfully
hidden files: 6
**************************************************************************
.
Completion time: 2008-05-02 14:27:15
ComboFix-quarantined-files.txt 2008-05-02 12:26:40
ComboFix2.txt 2008-05-01 11:53:07
ComboFix3.txt 2008-04-29 23:40:36
ComboFix4.txt 2008-04-27 20:18:34
ComboFix5.txt 2008-04-26 17:45:39
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
307 --- E O F --- 2008-04-24 16:46:15
Rorschach112
2008-05-03, 00:14
Can you do this?
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Also tell me how your PC is running.
sagittorius
2008-05-04, 15:44
main.txt
Deckard's System Scanner v20071014.68
Run by R on 2008-05-04 14:41:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-04 14:41:23
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\mdn2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\System32\conime.exe
C:\Users\R\Desktop\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Wah] C:\Program Files\Common Files\Mdn2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: AVerQuick.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: ت&صدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: إرسال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: إر&سال إلى OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\2\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\1\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: CardBusService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\CardBusService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\System32\Crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - E:\2\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\System32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 14648 bytes
-- Files created between 2008-04-04 and 2008-05-04 -----------------------------
2008-05-02 14:16:33 0 d-------- C:\Combo-Fix
2008-05-02 14:13:31 3456 -r------- C:\Windows\system32\AVerIO.sys
2008-05-02 14:13:31 49152 -r------- C:\Windows\system32\AVerIO.dll <Not Verified; ; AVerIO>
2008-05-02 14:13:29 73728 -r------- C:\Windows\system32\CardID.dll <Not Verified; AVerMedia Technologies, Inc.; >
2008-05-02 14:13:26 253952 -r------- C:\Windows\system32\sptlib02.dll
2008-05-02 14:13:26 262144 -r------- C:\Windows\system32\sptlib01.dll
2008-05-02 14:12:49 0 d-------- C:\Program Files\Common Files\AVerMedia
2008-05-01 14:28:56 0 d-------- C:\fsaua.data
2008-05-01 01:53:31 0 d-------- C:\Program Files\boost
2008-04-30 11:56:16 0 d-------- C:\Users\R\DoctorWeb
2008-04-30 02:07:00 0 d-------- C:\CTV_TEMP
2008-04-29 23:38:32 0 d-------- C:\Program Files\DScaler
2008-04-29 23:32:52 161140 --a------ C:\Windows\DirectShow Detective Uninstaller.exe
2008-04-29 23:32:52 0 d-------- C:\Users\All Users\River Past G5
2008-04-29 23:32:52 0 d-------- C:\Program Files\Common Files\River Past
2008-04-29 23:32:51 0 d-------- C:\Program Files\River Past
2008-04-29 23:12:01 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-29 23:11:55 0 d-------- C:\Program Files\DVDVideoSoft
2008-04-28 21:33:36 0 d-------- C:\Program Files\QuickMediaConverter
2008-04-26 19:33:45 0 d-------- C:\Program Files\Trend Micro
2008-04-26 14:45:34 68096 --a------ C:\Windows\zip.exe
2008-04-26 14:45:34 49152 --a------ C:\Windows\VFind.exe
2008-04-26 14:45:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 14:45:34 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 14:45:34 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 14:45:34 98816 --a------ C:\Windows\sed.exe
2008-04-26 14:45:34 80412 --a------ C:\Windows\grep.exe
2008-04-26 14:45:34 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 14:45:24 0 d-------- C:\k
2008-04-26 13:44:00 0 d-------- C:\Program Files\CCleaner
2008-04-26 09:51:13 11254 --a------ C:\Windows\system32\locate.com
2008-04-26 09:49:23 0 d-------- C:\MGtools
2008-04-26 09:49:09 1238055 --a------ C:\MGtools.exe
2008-04-26 08:06:37 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-26 08:06:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 08:04:44 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 08:01:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 07:54:36 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 05:35:23 0 d-------- C:\Program Files\AVG
2008-04-26 05:35:21 0 d-------- C:\Users\All Users\avg8
2008-04-26 03:09:03 0 d-------- C:\Program Files\Celtx
2008-04-26 02:00:36 414272 --a------ C:\Windows\system32\DivXc32f.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:35 414272 --a------ C:\Windows\system32\DivXc32.dll <Not Verified; Hacked with Joy !; DivX ;-) MPEG-4 Video Codec>
2008-04-26 02:00:34 626688 --a------ C:\Windows\system32\xvid.dll
2008-04-26 02:00:34 0 d-------- C:\Program Files\WinVDRPRO
2008-04-26 01:41:04 0 d-------- C:\Program Files\MatroskaProp
2008-04-16 10:37:18 0 d-------- C:\Program Files\QuickTime
2008-04-16 10:37:15 0 d-------- C:\Users\All Users\Apple Computer
2008-04-16 10:33:31 0 d-------- C:\Users\All Users\Apple
2008-04-16 10:33:31 0 d-------- C:\Program Files\Apple Software Update
2008-04-15 20:19:20 0 d-------- C:\Program Files\DivXLand
2008-04-13 02:28:01 0 d-------- C:\Poker
2008-04-13 02:09:25 0 d-------- C:\Microgaming
2008-04-11 01:24:17 0 d-------- C:\Programs
2008-04-11 01:02:16 0 d-------- C:\Program Files\LearnPoker
2008-04-07 20:16:12 0 d-------- C:\Program Files\ChrisTV
2008-04-07 19:01:22 0 d-------- C:\Program Files\Common Files\NacreWare
2008-04-07 17:38:49 0 d-------- C:\Program Files\ChrisTV PVR
2008-04-07 16:47:00 0 d-------- C:\ChrisTV PVR
2008-04-06 14:31:36 205792 --a------ C:\GDIPFONTCACHEV1.DAT
2008-04-05 16:37:19 0 d-------- C:\Users\All Users\Team MediaPortal
2008-04-05 16:36:23 0 d-------- C:\Program Files\Team MediaPortal
2008-04-05 12:41:02 0 d-------- C:\Windows\Driver Cache
2008-04-05 12:39:15 0 d-------- C:\Program Files\AVerMedia
2008-04-04 17:28:36 0 d-------- C:\Program Files\AMC2000
-- Find3M Report ---------------------------------------------------------------
2008-05-02 14:12:49 0 d-------- C:\Program Files\Common Files
2008-04-29 23:37:20 0 d-------- C:\Users\R\AppData\Roaming\River Past G5
2008-04-29 21:20:52 0 d-------- C:\Users\R\AppData\Roaming\GHISLER
2008-04-29 21:20:29 0 d-------- C:\Program Files\Norton Internet Security
2008-04-29 21:20:28 0 d-------- C:\Program Files\My Ebook Library
2008-04-29 21:20:28 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 21:20:26 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 21:20:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-26 08:06:49 0 d-------- C:\Users\R\AppData\Roaming\Malwarebytes
2008-04-26 07:54:08 0 d-------- C:\Users\R\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 04:35:05 0 d-------- C:\Users\R\AppData\Roaming\TrueCrypt
2008-04-26 03:09:52 0 d-------- C:\Users\R\AppData\Roaming\Greyfirst
2008-04-25 02:29:45 0 d-------- C:\Program Files\Movienizer
2008-04-20 01:45:29 0 d-------- C:\Users\R\AppData\Roaming\Microgaming
2008-04-18 12:35:37 0 d-------- C:\Program Files\KeyScrambler
2008-04-15 19:49:57 0 d-------- C:\Users\R\AppData\Roaming\Jubler
2008-04-15 18:58:03 0 d-------- C:\Users\R\AppData\Roaming\Aegisub
2008-04-10 21:44:26 0 d-------- C:\Program Files\DivX
2008-04-10 05:02:10 0 d-------- C:\Program Files\Windows Mail
2008-04-06 12:30:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 10:05:57 0 d-------- C:\Program Files\EMDB
2008-04-02 15:40:29 0 d-------- C:\Program Files\Aspell
2008-04-02 10:49:13 0 d-------- C:\Users\R\AppData\Roaming\Movienizer
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 23:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 23:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 23:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 05:33:04 0 d-------- C:\Users\R\AppData\Roaming\Vidalia
2008-03-31 05:02:48 0 d-------- C:\Users\R\AppData\Roaming\tor
2008-03-30 19:15:02 0 d-------- C:\Program Files\CD Audio Reader Filter
2008-03-30 19:14:47 0 d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-03-30 19:14:34 0 d-------- C:\Program Files\RealMedia
2008-03-30 19:12:54 0 d-------- C:\Program Files\SHOUTcast Source
2008-03-30 19:12:46 0 d-------- C:\Program Files\DSP-worx
2008-03-30 19:12:36 0 d-------- C:\Program Files\DirectVobSub
2008-03-28 16:45:04 0 d-------- C:\Program Files\DC++
2008-03-28 02:35:16 0 d-------- C:\Users\R\AppData\Roaming\Uniblue
2008-03-28 02:35:11 0 d-------- C:\Program Files\Uniblue
2008-03-25 17:45:17 0 d-------- C:\Users\R\AppData\Roaming\Autodesk
2008-03-21 22:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 22:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 22:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 22:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 00:36:06 0 d-------- C:\Users\R\AppData\Roaming\uTorrent
2008-03-20 11:24:30 0 d-------- C:\Program Files\Crown Forex Trading Station 4
2008-03-19 13:27:39 0 d-------- C:\Users\R\AppData\Roaming\Bytescout SWF To Video Scout
2008-03-17 13:37:50 0 d-------- C:\Program Files\SWiSH v2.0
2008-03-16 18:11:00 0 d-------- C:\Program Files\IMDBScanner
2008-03-15 12:07:24 0 d-------- C:\Users\R\AppData\Roaming\Skype
2008-03-14 17:24:41 0 d-------- C:\Program Files\Shareaza
2008-03-14 16:51:31 0 d-------- C:\Program Files\Ares
2008-03-13 13:30:59 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-13 13:30:27 0 d-------- C:\Program Files\AutoCAD Architecture 2008
2008-03-13 13:07:59 0 d-------- C:\Program Files\Autodesk
2008-03-12 22:44:15 0 d-------- C:\Users\R\AppData\Roaming\Media Player Classic
2008-03-12 22:32:28 0 d-------- C:\Program Files\Gabest
2008-03-12 22:18:25 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-03-12 22:03:39 0 d-------- C:\Program Files\MKVtoolnix
2008-03-12 02:52:26 0 d-------- C:\Users\R\AppData\Roaming\Axosoft
2008-03-12 02:52:16 0 d-------- C:\Program Files\TBFDropZone
2008-03-10 17:05:47 0 d-------- C:\Program Files\uTorrent
2008-03-07 19:42:25 0 d-------- C:\Users\R\AppData\Roaming\Flock
2008-03-07 19:42:23 0 d-------- C:\Program Files\Flock
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10. 07. 2007 09:40]
"RtHDVCpl"="RtHDVCpl.exe" [18. 01. 2007 15:46 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [20. 12. 2006 01:16]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [07. 12. 2006 18:49]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [29. 01. 2007 13:43]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [17. 01. 2007 15:46]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [06. 11. 2006 19:14]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [01. 11. 2006 10:06]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [01. 11. 2006 13:08]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [30. 04. 2008 01:03]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [30. 04. 2008 01:03]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [13. 01. 2007 10:40]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [13. 01. 2007 10:40]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [13. 01. 2007 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [27. 07. 2007 05:32]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [27. 07. 2007 05:00]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [21. 09. 2007 21:21]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11. 01. 2008 20:54]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [28. 11. 2007 20:51]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [11. 02. 2008 20:13]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [11. 02. 2008 20:13]
"Persistence"="C:\Windows\system32\igfxpers.exe" [11. 02. 2008 20:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28. 03. 2008 23:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02. 11. 2006 14:35]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18. 10. 2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02. 11. 2006 14:36]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2. 5. 2008 14:13:41]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17. 2. 1999 20:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\1\SASSEH.DLL [20. 12. 2006 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\1\SASWINLO.dll 19. 04. 2007 12:41 294912 E:\1\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
schedule
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c27c1af2-294a-11dc-a41c-806e6f6e6963}]
AutoRun\command- F:\Autorun.exe
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-04 14:41:42 ------------
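The Deckard's System Scanner and HijackThis output above is the kind of log a helper reads by eye. As an added example that is not part of the thread or of either tool, the script below runs a few conservative triage heuristics over lines copied from that log: orphaned O18 protocol handlers marked "(file missing)", O23 services with "Unknown owner", Run entries whose executable cannot be resolved to a directory or sits directly in the root of Common Files, and the EnableLUA=0 policy value (which disables User Account Control). It points at entries worth a second look; it does not declare anything malicious.

```python
import re
from pathlib import PureWindowsPath

# Lines copied verbatim from the HijackThis and Deckard's System Scanner logs
# posted above (a subset, enough to exercise each heuristic).
SAMPLE_LOG = r"""
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10. 07. 2007 09:40]
"Wah"="C:\Program Files\Common Files\Mdn2.exe" [21. 09. 2007 21:21]
"NDSTray.exe"="NDSTray.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches both  "name"="path" [date]  and  "name"=number (0xhex)  dump lines.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<path>[^"]*)"|(?P<num>\d+))')
COMMON_FILES_ROOT = PureWindowsPath(r"C:\Program Files\Common Files")


def triage(log_text):
    """Return a list of (category, line) findings for lines worth a second look.

    The heuristics are deliberately conservative: they flag entries a human
    should verify against the vendor's documentation, nothing more.
    """
    findings = []
    section = ""  # lower-cased registry key of the current [..] dump section
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        if line.startswith("O18 - ") and line.endswith("(file missing)"):
            # Protocol handler still registered but its DLL is gone: leftover to clean up.
            findings.append(("orphaned-handler", line))
        elif line.startswith("O23 - ") and " - Unknown owner - " in line:
            # HijackThis could not read a company name from the service binary.
            findings.append(("unknown-owner-service", line))
        elif section.endswith("\\currentversion\\run"):
            v = VALUE_RE.match(line)
            if not v or v.group("path") is None:
                continue
            path = PureWindowsPath(v.group("path"))
            if len(path.parts) == 1:
                # Bare file name: the log cannot tell us which file actually runs.
                findings.append(("unresolved-path", line))
            elif path.parent == COMMON_FILES_ROOT:
                # Vendors install under a subfolder of Common Files, not its root.
                findings.append(("exe-in-common-files-root", line))
        elif section.endswith("\\policies\\system"):
            v = VALUE_RE.match(line)
            if v and v.group("name") == "EnableLUA" and v.group("num") == "0":
                # EnableLUA=0 turns User Account Control off on Vista.
                findings.append(("uac-disabled", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:26s} {line}")
```

Run against the full log the script would also surface the "(file missing)" AVG handler and the remaining "Unknown owner" services; each hit still needs a human to confirm the publisher before anything is removed.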
Rorschach112
2008-05-04, 16:37
Your logs are clean! We need to do a few things.
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You now need to update your Java and remove your older versions.
Please follow these steps to remove older-version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.
* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
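The Inetcpl.cpl steps above change three URL actions of the Internet zone, which Internet Explorer stores as DWORD values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe), each holding 0 for Enable, 1 for Prompt or 3 for Disable. As an added example that is not part of the thread, the script below audits a `reg export` of that key against the levels the post recommends and emits a corrective .reg fragment. The export text is constructed to show all three actions weakened to Enable; it is not from the poster's machine.

```python
import re

# Constructed example of "reg export" output for the Internet zone (zone 3)
# with the three ActiveX actions set to Enable (0). Not from the thread.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"""

ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# The three URL actions the post tells you to change, with the recommended level.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

DWORD_RE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone(export_text, key=ZONE3):
    """Return {action: level} for the dword values under `key` in a .reg export."""
    values = {}
    in_key = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        if in_key:
            m = DWORD_RE.match(line)
            if m:
                values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(values):
    """Return {action: (description, current, recommended)} for every action
    whose level differs from the recommendation. A missing value is reported
    too, because the export alone cannot confirm what IE will use for it."""
    bad = {}
    for action, (desc, want) in RECOMMENDED.items():
        have = values.get(action)
        if have != want:
            bad[action] = (desc, have, want)
    return bad


def corrective_reg(bad):
    """Build a .reg fragment that sets each flagged action to its recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3}]"]
    for action, (_desc, _have, want) in sorted(bad.items()):
        lines.append(f'"{action}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = audit(parse_zone(WEAK_EXPORT))
    for action, (desc, have, want) in sorted(problems.items()):
        print(f"{action} {desc}: {LEVEL_NAME[have]} -> {LEVEL_NAME[want]}")
    print(corrective_reg(problems))
```

Two caveats: do the "Reset all zones to default level" step first, as the post says, so the fragment only overrides the three actions; and if the same values exist under the Software\Policies branch (Group Policy), those take precedence over the per-user key and the fix has to be made there instead.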
sagittorius
2008-05-05, 21:50
Thank you very much for your help and advice.
Everything seems clean now and I can install and run S&D and AVG.
Only the Win32 services (Windows Defender and WLAN) seem to be corrupted and need a Windows reinstall to work, but it's not a big problem now.
Thanks
Rorschach112
2008-05-05, 23:58
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.