
all security software neutralized... and more problems.



adifrank
2008-04-28, 02:22
Hi. Just about 2 hours ago I opened an .exe file on my computer. I scanned it with NOD32 prior to opening it. But it looks as though it had some kind of malicious files in it. about one minute after opening the .exe file, my computer restarted and hasn't been working normally since. There are many symptoms:
1. All my security software has been disabled: NOD32, Comodo firewall and Spybot S&D. They will not function.
2. It seems I can no longer logon as administrator.
3. I cannot startup in safe mode.
4. Computer is running very very very slow.
.... and all kinds of other strange behaviors.

After a few restarts, trying to figure it out, I suddenly got a blue Windows XP page and some kind of scheduled scan process started. In fact it's still scanning at this moment. I have no idea which application is performing this scan, but I noticed that the scan could not delete a particular file after several tries. The file name is: hldrrr.exe

I found a thread on this forum which describes problems very similar to what I am experiencing, but sadly, I couldn't really follow the jargon. The thread was just a bit over my level of understanding. The thread:

http://forums.spybot.info/showthread.php?t=22446

Please help me try to overcome this. Just let me know what information you need in order to try and solve the problem and I'll do my best to get it for you as quickly as possible.

Thanks.

some specs:
Windows xp
sp2
2.4 ghz
1gb ram

thanks again

Rorschach112
2008-04-28, 14:09
Hello

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:

Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

adifrank
2008-04-29, 08:46
hi Rorschach.
thanks for responding. i followed all your directions: downloaded combofix, saved as combo-fix, disabled all antivirus, malware, etc. programs, closed browsers, disconnected from internet and then ran the application.

it guided me through a couple of standard questions, created a restore point and then began scanning - stage 1, stage 2.... and so on.

after around 5 minutes, my computer suddenly restarted. no indication, warning or standard shut down procedures. it just switched off and switched back on again.

while booting up a blue (light blue in the middle and dark blue at the top and bottom) screen appeared with the windows xp logo on the top-right hand corner. some text appeared. something about a boot-time spyware scan.

the boot-time spyware scan went on for quite a while. i googled "boot time spyware scan" on a different computer and from what i understand it has to do something with sunbelt software's counterspy. this reminded me that i once had a trial version of counter spy. i used it for a short while and then the trial period expired. after it had expired, it did not uninstall itself, it was still on my computer, so i tried to uninstall/remove the software manually. i recall this being a problem. i couldn't find any uninstall file and when opening the windows UNINSTALL SOFTWARE utility (and Revo Uninstaller), the program didn't show up in the list of programs that can be uninstalled. So i just left it alone.

The boot time spyware scan went on and on and looking at my clock i noticed it was already after 2 am... so i went to sleep. in the morning when i woke, it completed scanning my computer and apparently windows started up normally except for two things. First, a blue window popped up with the words Find3m in the title bar. in the window it says "Preparing the log report. Do not run any programs until ComboFix has finished." I figured this to be normal after running ComboFix. But then, just a few seconds after the blue ComboFix window popped up, a 2nd thing happened. For a short instant I saw another window pop up as well. I only had time to notice that the 2nd window had a black background rather than blue and I noticed the word "Sunbelt" within the text that was written there. It came up for about half a second and disappeared.

So, the reason I'm writing all this is that I'm not sure if somehow Sunbelt CounterSpy could be running some kind of processes on my computer which might interfere with the ComboFix report.

So.... my questions are:

(1) should I just keep waiting until ComboFix completes creating its report and post it as it is?

(2) or should I first be sure that CounterSpy is completely disabled and not doing anything that could screw up the ComboFix report?

(3) and if the answer to (2) is YES. i'll need some help from someone with that. Because other than not being able to uninstall CounterSpy, I could not find any notable processes going on related to it... and as I mentioned above, I can't find any way to uninstall it.

I'll be near my computer all day today and looking forward to your reply.

Thanks!

Rorschach112
2008-04-29, 14:12
Hello


(1) should I just keep waiting until ComboFix completes creating its report and post it as it is?
Yes try that please

Let me know how it goes

adifrank
2008-04-29, 15:09
ComboFix Log

ComboFix 08-04-27.3 - Dog Machine 2008-04-29 2:16:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.587 [GMT 3:00]
Running from: C:\Documents and Settings\Dog Machine\Desktop\Combo-Fix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aspi32.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-27 19:34 . 2008-04-27 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Last.fm
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-09 23:38 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\WMR11
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\SourceTec
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-04-07 10:54 . 2008-04-07 10:54 <DIR> d-------- C:\Program Files\iPod
2008-04-07 10:43 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 20:16 --------- d-----w C:\Program Files\eMule
2008-04-24 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 10:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-07 07:54 --------- d-----w C:\Program Files\iTunes
2008-03-09 21:16 --------- d-----w C:\Program Files\Webteh
2008-03-01 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-01 14:42 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\GRETECH
2008-03-01 14:41 --------- d-----w C:\Program Files\GRETECH
2008-03-01 10:30 --------- d-----w C:\Program Files\Vertical Moon
2008-01-30 07:58 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-01-25 23:06 443,408 ----a-w C:\Documents and Settings\Dog Machine\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-29 02:21 949376]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [2004-09-14 11:13 684032]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 22:44 196608]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 03:46 200069]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-24 18:39 2655272]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 01:37 1115728]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 13:13 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-27 19:33:40 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-26 22:45:55 274432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.X264"= x264vfw.dll
"vidc.davc"= davcvfw.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.ACDV"= ACDV.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2004-08-05 16:19 118784 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-14 03:20 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-06-15 16:17 699120 C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2005-01-10 07:08 638976 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-15 13:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\ESET\\nod32.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1770:TCP"= 1770:TCP:em
"1780:UDP"= 1780:UDP:em2
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"12120:TCP"= 12120:TCP:eMule
"13130:UDP"= 13130:UDP:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-24 18:25]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 10:10]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:07]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [1997-11-26 08:31]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 17:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 20:31]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 08:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 08:40]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 17:20]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\WINDOWS\system32\drivers\usbks1x1.sys []
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys []
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 14:18:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-22 09:49:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 09:14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1448] 0x871D2020

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-29 9:41:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 06:41:08

Pre-Run: 15,394,566,144 bytes free
Post-Run: 16,214,052,864 bytes free

190 --- E O F --- 2008-04-24 09:30:17



Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:17 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Documents and Settings\Dog Machine\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.il
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDFC83AF-9AEB-4405-A519-DBB9C85248B7}: NameServer = 192.168.1.1,62.90.42.110,212.150.49.10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\RpcSandraSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 11130 bytes
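As an added example (my own code, not part of this thread and not from the HijackThis or ComboFix authors), the Python script below does the first-pass triage a helper performs by eye on the two logs posted above: it parses HijackThis O4 (Run) and O23 (Service) lines, parses the REGEDIT4 block ComboFix prints under "Reg Loading Points", and flags the patterns worth a second look: an autostart whose image is given as a bare file name (resolved through the search path, so the directory is unknown), a user-mode .exe stored under a drivers directory (ComboFix deleted C:\WINDOWS\system32\drivers\hldrrr.exe above), an entry pointing at a file that no longer exists, and the Security Center value `AntiVirusDisableNotify` set to 1, which silences antivirus warnings. The sample lines are constructed: the first three HijackThis lines mirror the log above, while the `hldrrr` Run entry and the SBAPIFS service line are invented to exercise the checks.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis v2 format. The first three lines mirror the
# log above; the "hldrrr" Run entry and the SBAPIFS service line are invented
# to illustrate the patterns the triage below flags.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\drivers\hldrrr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: SBAPIFS - Unknown owner - C:\WINDOWS\system32\drivers\sbapifs.sys (file missing)
"""

# Constructed excerpt in the REGEDIT4 style ComboFix uses under "Reg Loading Points".
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$')
# First path-like token ending in an executable extension, quoted or not.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|sys|dll|com|bat|scr))(?=["\s]|$)', re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|(?P<str>.*))$')
SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center"


@dataclass
class Entry:
    kind: str             # "run" (O4) or "service" (O23)
    name: str
    image: Optional[str]  # image path extracted from the command, if recognisable
    raw: str


def extract_image(cmd: str) -> Optional[str]:
    m = IMAGE_RE.match(cmd.strip())
    return m["path"] if m else None


def parse_hjt(text: str) -> List[Entry]:
    """Parse O4 (Run) and O23 (Service) lines; other HijackThis sections are ignored."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := RUN_RE.match(raw):
            entries.append(Entry("run", m["name"], extract_image(m["cmd"]), raw))
        elif m := SVC_RE.match(raw):
            entries.append(Entry("service", m["name"], extract_image(m["cmd"]), raw))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for the entries a reviewer would look at first."""
    findings = []
    for e in entries:
        reasons = []
        if e.image is None:
            reasons.append("no recognisable image path")
        else:
            low = e.image.lower()
            if "\\" not in low:
                reasons.append("unqualified image name (resolved via search path)")
            if "\\drivers\\" in low and low.endswith(".exe"):
                reasons.append("user-mode .exe stored under a drivers directory")
        if "(file missing)" in e.raw.lower():
            reasons.append("autostart points at a file that no longer exists")
        if reasons:
            findings.append((e.name, reasons))
    return findings


def parse_regedit4(text: str) -> Dict[Tuple[str, str], object]:
    """Flatten a REGEDIT4 export into {(key, value_name): value}; dwords become ints."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := REG_VALUE_RE.match(line)):
            val = int(m["dword"], 16) if m["dword"] is not None else m["str"]
            values[(key, m["name"].lower())] = val
    return values


def av_notifications_suppressed(values: Dict[Tuple[str, str], object]) -> bool:
    """True when Security Center's antivirus warnings have been switched off."""
    return values.get((SECURITY_CENTER, "antivirusdisablenotify")) == 1


if __name__ == "__main__":
    for name, reasons in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{name}: {'; '.join(reasons)}")
    if av_notifications_suppressed(parse_regedit4(SAMPLE_REG)):
        print("Security Center antivirus notifications are disabled")
```

The checks are deliberately conservative: a bare `DeltTray.exe` is flagged only because the directory cannot be verified from the log (the HijackThis run above shows it resolving to C:\WINDOWS\system32\DeltTray.exe, a legitimate M-Audio component), so every finding is a prompt to look at the file, not a verdict.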

Rorschach112
2008-04-29, 15:23
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


Sysrst::

Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

adifrank
2008-04-29, 16:27
okay. i created the notepad file, placed it on comboFix.exe and it created a new log file.

i tried to run Kaspersky Online Scanner. in the initial page there is a disclaimer where i am prompted to either ACCEPT or DECLINE. I clicked ACCEPT, but nothing happened. Then I read in the fine print which says the following:

The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you are using any other browser or any Internet Explorer extensions (such as AvantBrowser). If you use a different browser, you can use the Kaspersky File Scanner to scan individual files.

I normally use Firefox, but I do have IE7. So I closed Firefox and tried opening the Kaspersky Online Scanner page in IE7. Strangely, IE couldn't connect. It behaved very strangely and was extremely sluggish. It couldn't connect to any website and when I clicked to close it, IE took about one whole minute to close. I'm very sure this has to do with the attack on my computer.

Anyway, it seems I can't run the Kaspersky Online Scanner in the situation I'm in.

What should I do?? :sick:

Rorschach112
2008-04-29, 17:35
Can you post the ComboFix log and do these two scans instead?

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.




Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It is possible that your firewall gives an alert. Allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

adifrank
2008-04-29, 18:27
I'm having problems with both Dr. Web CureIt AND F-Secure Online Scanner.

I clicked on the Dr. Web CureIt link and downloading started... very slowly, about 1 KB/sec and then just stops after downloading around 25 KB. No error messages or anything... just freezes at 1% complete.

The problem with F-Secure is that like Kaspersky, it only runs with IE. And as I mentioned, since running into this malicious file, my MS Internet Explorer browser just doesn't work.

Anyway....

Hi. Here's the new log I got from ComboFix:

ComboFix 08-04-27.3 - Dog Machine 2008-04-29 16:38:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.687 [GMT 3:00]
Running from: C:\Documents and Settings\Dog Machine\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dog Machine\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\50429015.exe
C:\WINDOWS\system32\drivers\downld\50433671.exe
C:\WINDOWS\system32\drivers\downld\50438109.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-27 19:34 . 2008-04-27 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Last.fm
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-09 23:38 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\WMR11
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\SourceTec
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-04-07 10:54 . 2008-04-07 10:54 <DIR> d-------- C:\Program Files\iPod
2008-04-07 10:43 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 10:26 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\Babylon
2008-04-27 20:16 --------- d-----w C:\Program Files\eMule
2008-04-24 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 10:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-07 07:54 --------- d-----w C:\Program Files\iTunes
2008-03-09 21:16 --------- d-----w C:\Program Files\Webteh
2008-03-01 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-01 14:42 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\GRETECH
2008-03-01 14:41 --------- d-----w C:\Program Files\GRETECH
2008-03-01 10:30 --------- d-----w C:\Program Files\Vertical Moon
2008-01-30 07:58 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-01-29 09:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-25 23:06 443,408 ----a-w C:\Documents and Settings\Dog Machine\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_ 9.31.29.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 06:16:02 78,616 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-29 07:17:32 78,616 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 06:16:02 455,668 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-29 07:17:32 455,668 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2000-08-31 08:00 6741 C:\Combo-Fix\Boot.bat
2000-08-31 08:00 6741 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023145.bat

2008-04-28 21:14 334755 C:\Combo-Fix\C.bat
2008-04-28 21:14 334755 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023146.bat

2008-04-29 16:42 33 C:\Combo-Fix\CCS.bat
2008-04-29 02:22 33 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023147.bat

C:\Combo-Fix\CF9767.exe
2004-08-04 04:07 388608 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023148.exe

2008-04-29 16:38 21 C:\Combo-Fix\chcp.bat
2008-04-29 02:13 21 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023149.bat

2000-08-31 08:00 1024 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023150.sys

C:\Combo-Fix\Combobatch.bat
2000-08-31 08:00 6684 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023119.bat
2008-01-30 14:55 49 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP14\A0003912.drv

C:\Combo-Fix\Comspec.bat
2000-08-31 08:00 149 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0023113.bat
2000-08-31 08:00 149 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023229.bat

2000-08-31 08:00 1363 C:\Combo-Fix\DelClsid.bat
2000-08-31 08:00 1363 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023151.bat

C:\Combo-Fix\Disclaimer.bat
{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0023114.bat

C:\Combo-Fix\restore_pt.vbs
2000-08-31 08:00 232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023115.vbs

2000-08-31 08:00 5883 C:\Combo-Fix\Exe.reg
2000-08-31 08:00 5883 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023153.reg

2000-08-31 08:00 62909 C:\Combo-Fix\FIND3M.bat
2000-08-31 08:00 62909 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023154.bat

2000-08-31 08:00 3815 C:\Combo-Fix\FIXLSP.bat
2000-08-31 08:00 3815 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023155.bat

2000-08-31 08:00 15399 C:\Combo-Fix\FProps.vbs
2000-08-31 08:00 15399 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023156.vbs

2000-08-31 08:00 2091 C:\Combo-Fix\history.bat
2000-08-31 08:00 2091 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023157.bat

2000-08-31 08:00 65098 C:\Combo-Fix\Lang.bat
2000-08-31 08:00 65098 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023120.bat
2008-04-29 02:23 65096 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023158.bat

2000-08-31 08:00 349 C:\Combo-Fix\LFN.vbs
2000-08-31 08:00 349 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023159.vbs

C:\Combo-Fix\List-C.bat
2000-08-31 08:00 185562 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023118.bat
2000-08-31 08:00 185562 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023243.bat

2000-08-31 08:00 737 C:\Combo-Fix\lnkread.vbs
2000-08-31 08:00 737 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023160.vbs

2000-08-31 08:00 805 C:\Combo-Fix\LocalDrive.vbs
2000-08-31 08:00 805 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023161.vbs

2008-04-29 16:43 94545 C:\Combo-Fix\LspFixed.reg
2008-04-29 02:23 94545 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023162.reg

2000-08-31 08:00 1822 C:\Combo-Fix\MoveIt.bat
2000-08-31 08:00 1822 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023163.bat

2000-08-31 08:00 1641 C:\Combo-Fix\ND_.bat
2000-08-31 08:00 1641 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023164.bat

2000-08-31 08:00 28160 C:\Combo-Fix\nircmd.com
2000-08-31 08:00 28160 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023165.com

2000-08-31 08:00 657 C:\Combo-Fix\OSid.vbs
2000-08-31 08:00 657 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023166.vbs

2000-08-31 08:00 3398 C:\Combo-Fix\Qoo.bat
2000-08-31 08:00 3398 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023167.bat

C:\Combo-Fix\restore_pt.vbs
2000-08-31 08:00 232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023235.vbs

2000-08-31 08:00 1537 C:\Combo-Fix\RestoreO4.bat
2000-08-31 08:00 1537 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023168.bat

2000-08-31 08:00 15189 C:\Combo-Fix\SafeBootRepair.bat
2000-08-31 08:00 15189 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023169.bat

2000-08-31 08:00 10514 C:\Combo-Fix\SetEnvmt.bat
2000-08-31 08:00 10514 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023170.bat

2008-04-29 16:38 11016 C:\Combo-Fix\SetPath.bat
2008-04-29 02:15 10544 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023171.bat

2000-08-31 08:00 1128 C:\Combo-Fix\SvcDrv.vbs
2000-08-31 08:00 1128 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101\A0023172.vbs

C:\Documents and Settings\Dog Machine\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\extensions\{825e6f35-d825-4fe9-b51c-f6911d00122e}-trash\components\FFAlert.dll
2008-01-29 19:09 11776 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP41\A0009050.dll

C:\Documents and Settings\Dog Machine\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\extensions\{825e6f35-d825-4fe9-b51c-f6911d00122e}-trash\components\npmozax.dll
2008-01-29 19:09 114688 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP41\A0009051.dll

C:\Documents and Settings\Dog Machine\Application Data\U3\temp\cleanup.exe
2005-06-06 11:29 110592 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022953.exe

2008-01-31 14:56 8192 C:\Documents and Settings\Dog Machine\Desktop\magnify.exe
2008-01-31 14:56 8192 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP52\A0009584.exe

2008-02-07 21:40 77526944 C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Adobe\Updater5\Install\photoshop10-en_US\photoshop_10_0_1.exe
2008-01-31 16:04 4186112 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP21\A0006238.exe

C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Apple\Apple Software Update\iTunesSetupAdmin.exe
2008-04-04 04:47 75048 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018601.exe

2004-08-04 04:07 25600 C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2004-08-04 04:07 25600 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004783.dll
2004-08-04 04:07 25600 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP98\A0020103.dll

2002-01-01 03:40 143872 C:\Program Files\Barak013\Barak013_L2TP\update.exe
2002-01-01 02:07 143872 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022970.exe
2004-03-14 12:19 143872 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022954.exe

2008-03-25 12:48 906480 C:\Program Files\CCleaner\ccleaner.exe
2007-11-22 19:10 787696 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP73\A0017321.exe

2008-04-02 04:57 114122 C:\Program Files\CCleaner\uninst.exe
2007-12-11 20:58 111005 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP73\A0017323.exe

1999-01-12 16:19 851456 C:\Program Files\Common Files\Microsoft Shared\SpeechEngines\TTS\msttssyn.dll
1999-01-12 16:19 851456 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP17\A0005032.dll

1999-01-12 12:36 53760 C:\Program Files\Common Files\Microsoft Shared\SpeechEngines\TTS\wttsm22.dll
1999-01-12 12:36 53760 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP17\A0005034.dll

2008-02-25 17:00 397312 C:\Program Files\Common Files\SourceTec\SWF Catcher\SWFCatcher.dll
2007-06-07 11:00 397312 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP79\A0018958.dll
2008-02-25 17:00 397312 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP80\A0018975.dll

2002-01-01 03:51 361040 C:\Program Files\Comodo\Firewall\cmdagent.exe
2002-01-01 02:27 361040 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022971.exe
2002-01-01 01:23 361040 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022955.exe

2008-01-05 00:56 69632 C:\Program Files\DivX\DivX Codec\config.exe
2007-12-12 01:32 69632 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004818.exe

2008-01-05 00:57 341504 C:\Program Files\DivX\DivX Codec\DivX EKG.exe
2007-12-12 01:33 341504 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004819.exe

2008-01-05 00:57 270336 C:\Program Files\DivX\DivX Codec\DivXDRA1031.dll
2007-12-12 01:33 270336 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004820.dll

2008-01-05 00:57 262144 C:\Program Files\DivX\DivX Codec\DivXDRA1033.dll
2007-12-12 01:33 262144 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004821.dll

2008-01-05 00:57 270336 C:\Program Files\DivX\DivX Codec\DivXDRA1036.dll
2007-12-12 01:33 270336 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004822.dll

2008-01-05 00:57 237568 C:\Program Files\DivX\DivX Codec\DivXDRA1041.dll
2007-12-12 01:33 237568 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004823.dll

2008-01-05 00:56 1933312 C:\Program Files\DivX\DivX Content Uploader\ContentUploadCheck.dll
2007-12-12 01:32 1933312 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004929.dll

2008-01-05 00:56 845824 C:\Program Files\DivX\DivX Content Uploader\libxml2.dll
2007-12-12 01:32 845824 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004930.dll

2008-01-05 00:56 1359872 C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
2007-12-12 01:32 1359872 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004932.dll

2008-01-08 04:16 1355776 C:\Program Files\DivX\DivX Converter\Converter.exe
2007-12-12 01:32 1552384 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004844.exe

2008-01-08 04:16 61440 C:\Program Files\DivX\DivX Converter\dpil100.dll
2007-12-12 01:32 61440 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004845.dll

2008-01-08 04:16 892928 C:\Program Files\DivX\DivX Converter\DSConverter1031.dll
2007-12-12 01:32 1196032 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004846.dll

2008-01-08 04:16 888832 C:\Program Files\DivX\DivX Converter\DSConverter1033.dll
2007-12-12 01:32 1040384 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004847.dll

2008-01-08 04:16 892928 C:\Program Files\DivX\DivX Converter\DSConverter1036.dll
2007-12-12 01:32 1196032 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004848.dll

2008-01-08 04:16 884736 C:\Program Files\DivX\DivX Converter\DSConverter1041.dll
2007-12-12 01:32 1191936 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004849.dll

2008-01-08 04:16 278528 C:\Program Files\DivX\DivX Converter\dvd2divxsub.dll
2007-12-12 01:32 81920 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004850.dll

2008-01-08 04:16 895488 C:\Program Files\DivX\DivX Converter\libxml2.dll
2007-12-12 01:32 895488 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004851.dll

2008-01-05 00:58 479232 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.CRT\msvcm80.dll
2007-12-12 01:33 479232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004859.dll

2008-01-05 00:58 548864 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.CRT\msvcp80.dll
2007-12-12 01:33 548864 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004857.dll

2008-01-05 00:58 626688 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.CRT\msvcr80.dll
2007-12-12 01:33 626688 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004858.dll

2008-01-05 00:58 1101824 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.MFC\mfc80.dll
2007-12-12 01:33 1101824 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004860.dll

2008-01-05 00:58 1093120 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.MFC\mfc80u.dll
2007-12-12 01:33 1093120 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004861.dll

2008-01-05 00:58 69632 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.MFC\mfcm80.dll
2007-12-12 01:33 69632 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004862.dll

2008-01-05 00:58 57856 C:\Program Files\DivX\DivX Converter\Microsoft.VC80.MFC\mfcm80u.dll
2007-12-12 01:33 57856 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004863.dll

2008-01-08 04:16 122880 C:\Program Files\DivX\DivX Converter\xdclm.dll
2007-12-12 01:32 122880 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004852.dll

2008-01-08 04:16 880640 C:\Program Files\DivX\DivX Converter\xdsbp.dll
2007-12-12 01:32 1085440 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004853.dll

2008-01-08 04:16 479232 C:\Program Files\DivX\DivX Converter\xdsbv.dll
2007-12-12 01:32 479232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004854.dll

C:\Program Files\DivX\DivX Player\ContentUploadCheck.dll
2007-12-12 01:35 1933312 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004881.dll

C:\Program Files\DivX\DivX Player\ConverterPlugin.dll
2007-12-12 01:33 81920 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004882.dll

2008-01-08 02:14 348160 C:\Program Files\DivX\DivX Player\DCManager.dll
2007-12-12 01:33 348160 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004883.dll

2008-01-08 02:14 1585664 C:\Program Files\DivX\DivX Player\DivX Player.exe
2007-12-12 01:33 1647616 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004884.exe

C:\Program Files\DivX\DivX Player\DXMBuilderLite.dll
2007-12-12 01:33 1290240 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004886.dll

2008-01-05 00:57 845824 C:\Program Files\DivX\DivX Player\libxml2.dll
2007-12-12 01:33 845824 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004887.dll

2008-01-05 00:58 479232 C:\Program Files\DivX\DivX Player\Microsoft.VC80.CRT\msvcm80.dll
2007-12-12 01:33 479232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004889.dll

2008-01-05 00:58 548864 C:\Program Files\DivX\DivX Player\Microsoft.VC80.CRT\msvcp80.dll
2007-12-12 01:33 548864 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004890.dll

2008-01-05 00:58 626688 C:\Program Files\DivX\DivX Player\Microsoft.VC80.CRT\msvcr80.dll
2007-12-12 01:33 626688 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004891.dll

2008-01-05 00:58 1101824 C:\Program Files\DivX\DivX Player\Microsoft.VC80.MFC\mfc80.dll
2007-12-12 01:33 1101824 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004892.dll

2008-01-05 00:58 1093120 C:\Program Files\DivX\DivX Player\Microsoft.VC80.MFC\mfc80u.dll
2007-12-12 01:33 1093120 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004893.dll

2008-01-05 00:58 69632 C:\Program Files\DivX\DivX Player\Microsoft.VC80.MFC\mfcm80.dll
2007-12-12 01:33 69632 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004894.dll

2008-01-05 00:58 57856 C:\Program Files\DivX\DivX Player\Microsoft.VC80.MFC\mfcm80u.dll
2007-12-12 01:33 57856 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004895.dll

2008-01-08 02:14 98304 C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
2007-12-12 01:33 98304 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004897.dll

2008-01-08 02:14 1826816 C:\Program Files\DivX\DivX Player\PlaybackModule2.dll
2007-12-12 01:33 1789952 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004899.dll

2008-01-05 00:58 207608 C:\Program Files\DivX\DivX Player\primosdk.dll
2007-12-12 01:34 207608 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004900.dll

2008-01-05 00:58 479232 C:\Program Files\DivX\DivX Web Player\Microsoft.VC80.CRT\msvcm80.dll
2007-12-12 01:33 479232 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004922.dll

2008-01-05 00:58 548864 C:\Program Files\DivX\DivX Web Player\Microsoft.VC80.CRT\msvcp80.dll
2007-12-12 01:33 548864 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004920.dll

2008-01-05 00:58 626688 C:\Program Files\DivX\DivX Web Player\Microsoft.VC80.CRT\msvcr80.dll
2007-12-12 01:33 626688 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004921.dll

2008-01-05 00:57 1335600 C:\Program Files\DivX\DivX Web Player\npdivx32.dll
2007-12-12 01:33 1335600 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004917.dll

2008-02-01 18:23 122049 C:\Program Files\DivX\DivXBundleUninstall.exe
2007-12-23 20:40 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004937.exe

2008-02-01 18:22 122049 C:\Program Files\DivX\DivXCodecUninstall.exe
2007-12-23 20:39 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004841.exe

2008-02-01 18:23 122049 C:\Program Files\DivX\DivXContentUploaderUninstall.exe
2007-12-23 20:40 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004936.exe

2008-02-01 18:23 122049 C:\Program Files\DivX\DivXConverterUninstall.exe
2007-12-23 20:40 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004873.exe

2008-02-01 18:23 122049 C:\Program Files\DivX\DivXPlayerUninstall.exe
2007-12-23 20:40 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004911.exe

2008-02-01 18:23 122049 C:\Program Files\DivX\DivXWebPlayerUninstall.exe
2007-12-23 20:40 121075 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP15\A0004928.exe

2002-01-01 03:53 494712 C:\Program Files\ESET\nod32.exe
2002-01-01 02:44 494712 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022972.exe
2002-01-01 01:11 494712 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022956.exe

2002-01-01 03:53 552064 C:\Program Files\ESET\nod32krn.exe
2002-01-01 02:27 552064 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022973.exe
2002-01-01 01:21 552064 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022957.exe

2008-04-29 02:21 949376 C:\Program Files\ESET\nod32kui.exe
2002-01-01 03:00 949376 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022974.exe
2002-01-01 01:22 949376 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022958.exe

C:\Program Files\Fanatic Software\Uninstall.exe
2008-04-26 00:14 239102 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP98\A0020058.exe

C:\Program Files\Fanatic Software\Verbs.exe
2005-06-09 11:34 7621795 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP98\A0020055.exe

C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\gtn.dll
2008-02-18 01:16 171504 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP88\A0019445.dll

C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\res_en.dll
2008-02-18 01:16 49152 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP88\A0019446.dll

C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
2008-02-18 01:16 323568 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP88\A0019444.dll

C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\gtn.dll
2007-06-25 22:23 172984 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP32\A0007901.dll

C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\res_en.dll
2007-06-25 22:23 49152 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP32\A0007902.dll

C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
2007-06-25 22:23 325048 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP32\A0007900.dll

2005-01-10 07:08 638976 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2007-06-25 22:23 68856 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0020185.exe

C:\Program Files\Google\GoogleToolbarNotifier\swg-2.0.1121.2472\SearchWithGoogleUpdate_en.exe
2008-02-18 01:16 738800 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP32\A0007903.exe

2007-11-29 07:58 33483 C:\Program Files\GRETECH\GomPlayer\Dodge.dll
2007-11-29 07:58 33483 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019608.dll

2008-03-25 07:23 2602552 C:\Program Files\GRETECH\GomPlayer\GOM.exe
2008-02-20 10:14 2606648 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019597.exe

2008-01-23 07:30 143360 C:\Program Files\GRETECH\GomPlayer\GomWeb3.dll
2008-02-20 10:14 149016 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019596.dll

2008-03-21 07:34 308736 C:\Program Files\GRETECH\GomPlayer\GomWiz.exe
2008-01-15 08:25 306176 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019598.exe

2008-01-23 07:30 2019384 C:\Program Files\GRETECH\GomPlayer\gomx.dll
2008-02-20 10:14 2025032 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019595.dll

2007-03-22 13:46 126976 C:\Program Files\GRETECH\GomPlayer\GrLauncher.exe
2007-03-22 13:46 126976 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019599.exe

2008-03-25 07:08 2860544 C:\Program Files\GRETECH\GomPlayer\GVC.dll
2008-02-18 07:52 2896896 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019594.dll

2008-03-21 07:36 826368 C:\Program Files\GRETECH\GomPlayer\icon.dll
2008-01-16 14:31 826368 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019603.dll

2005-11-11 11:08 3584 C:\Program Files\GRETECH\GomPlayer\KillGom.exe
2005-11-11 11:08 3584 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019593.exe

2008-03-21 08:29 360448 C:\Program Files\GRETECH\GomPlayer\lang\GomEng.dll
2008-02-18 09:17 360448 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019618.dll

2008-03-21 07:34 160256 C:\Program Files\GRETECH\GomPlayer\lang\GomWizEng.dll
2008-01-15 08:25 160256 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019619.dll

2006-07-11 12:35 348160 C:\Program Files\GRETECH\GomPlayer\msvcr71.dll
2006-07-11 12:35 348160 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019613.dll

2004-05-17 04:41 303104 C:\Program Files\GRETECH\GomPlayer\qscl.dll
2004-05-17 04:41 303104 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019609.dll

2007-03-06 07:18 10240 C:\Program Files\GRETECH\GomPlayer\RtParser.exe
2007-03-06 07:18 10240 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019606.exe

2007-12-21 10:23 4608 C:\Program Files\GRETECH\GomPlayer\ShellRegister.exe
2007-12-21 10:23 4608 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019611.exe

2007-03-06 07:17 4096 C:\Program Files\GRETECH\GomPlayer\srt2smi.exe
2007-03-06 07:17 4096 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019607.exe

2008-04-20 12:42 52550 C:\Program Files\GRETECH\GomPlayer\Uninstall.exe
2008-03-01 17:42 52550 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019620.exe

2008-03-25 07:23 206344 C:\Program Files\GRETECH\GomPlayer\VSUtil.dll
2008-02-20 10:14 206344 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP91\A0019612.dll

2006-10-11 12:00 352256 C:\Program Files\ICQLite\ICQPhone.dll
2006-10-11 13:00 352256 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP89\A0019527.dll

2006-12-06 18:00 4608 C:\Program Files\ICQLite\LiteDataFiles\bartout.exe
2006-12-06 19:00 4608 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP89\A0019525.exe

2007-07-03 12:00 69276 C:\Program Files\ICQLite\LiteDataFiles\icqfilexfer.exe
2007-07-03 13:00 69276 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP89\A0019523.exe

2005-03-01 18:13 2560 C:\Program Files\ICQLite\LiteDataFiles\icqtoolbarpatch.exe
2005-03-01 19:13 2560 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP89\A0019524.exe

2006-10-11 12:00 208896 C:\Program Files\ICQLite\MIBFlashCtrl.dll
2006-10-11 13:00 208896 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP89\A0019526.dll

2007-12-06 14:01 625664 C:\Program Files\Internet Explorer\iexplore.exe
2007-10-10 13:59 625152 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP40\A0008934.exe

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008338.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018605.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008341.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018608.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008344.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018611.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008347.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018614.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008350.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018617.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008353.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018620.dll

2008-04-07 10:46 143360 C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
2008-01-25 17:08 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP36\A0008356.dll
2008-02-24 01:21 143360 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018623.dll

2002-01-01 03:55 49152 C:\Program Files\Last.fm\Cleaner.exe
2002-01-01 02:20 49152 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP100\A0022975.exe
2008-01-08 16:23 49152 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022959.exe

2008-04-07 03:12 607576 C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
2008-01-04 14:27 587096 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP59\A0013732.exe
2008-03-17 21:50 607576 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018591.exe

2008-04-07 03:13 2711376 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
2008-02-26 17:44 2858320 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP78\A0018593.exe

2008-03-16 18:55 525664 C:\Program Files\Lavasoft\Ad-Aware 2007\update.dll
2007-12-27 12:13 525664 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP59\A0011465.dll

2008-03-16 18:55 271712 C:\Program Files\Lavasoft\Ad-Aware 2007\upmanager.dll
2007-12-14 11:56 271712 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP59\A0011466.dll

C:\Program Files\Madoogali\Key2Speak\adsrvm.exe
2001-11-07 17:27 102400 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005042.exe

C:\Program Files\Madoogali\Key2Speak\Key2Speak.exe
2001-11-22 00:47 212992 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005041.exe

C:\Program Files\Madoogali\Key2Speak\MSagent.exe
2000-10-04 00:00 400536 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005039.exe

C:\Program Files\Madoogali\Key2Speak\msttsm22l.exe
2001-06-25 09:44 2337528 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005043.exe

C:\Program Files\Madoogali\Key2Speak\setup\uninst.exe
2000-02-13 00:00 334848 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005050.exe

C:\Program Files\Madoogali\Key2Speak\SPCHAPI.EXE
1999-02-16 10:20 847096 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP18\A0005040.EXE

2008-04-17 19:25 13952 C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
2007-12-02 13:09 13952 {8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP24\A0006322.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-29 02:21 949376]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [2004-09-14 11:13 684032]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 22:44 196608]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-01-10 07:08 638976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-24 18:39 2655272]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 01:37 1115728]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 13:13 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-27 19:33:40 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-26 22:45:55 274432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.X264"= x264vfw.dll
"vidc.davc"= davcvfw.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.ACDV"= ACDV.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2004-08-05 16:19 118784 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-14 03:20 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-06-15 16:17 699120 C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2005-01-10 07:08 638976 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-15 13:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\ESET\\nod32.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1770:TCP"= 1770:TCP:em
"1780:UDP"= 1780:UDP:em2
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"12120:TCP"= 12120:TCP:eMule
"13130:UDP"= 13130:UDP:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-24 18:25]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 10:10]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:07]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [1997-11-26 08:31]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 17:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 20:31]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 08:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 08:40]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 17:20]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\WINDOWS\system32\drivers\usbks1x1.sys []
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys []
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 14:18:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-29 09:49:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 16:43:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 16:57:42
ComboFix-quarantined-files.txt 2008-04-29 13:57:12
ComboFix2.txt 2008-04-29 06:41:15

Pre-Run: 16,229,072,896 bytes free
Post-Run: 16,210,636,800 bytes free

521 --- E O F --- 2008-04-24 09:30:17

adifrank
2008-04-29, 19:01
Dr. Web CureIt (continued)....

After about 15 minutes I eventually got a download error message:

C:\Documents and Settings\Dog Machine\Desktop\drweb-cureit.exe part could not be saved, because the source file could not be read.

I had an idea: I am now downloading the Dr. Web CureIt file on a different computer and then I'll transfer it to the infected one and run it. Maybe that'll work.... I'll let you know.

In the meantime, is there anything else I should do?

Rorschach112
2008-04-29, 19:09
Transfer Dr. Web over and run a full scan if you get it working

Also do this

Please download and unzip Icesword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip) to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks




Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.



@echo off
dir "C:\WINDOWS\system32\drivers">C:\peek.txt
start C:\peek.txt
del peek.bat


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in peek.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find peek.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.


Attach the log it produces

adifrank
2008-04-30, 03:14
Hi Rorschach. Thanks for sticking with me on this. I really appreciate it.

I finally managed to run DrWeb CureIt. The trick was to download the exe file on a different computer, burn it to CD and then copy it over from the CD to the infected computer WITH INTERNET CONNECTION DISABLED (otherwise, DrWeb would not work). Then it took a good 3 hours or more to make a complete scan.... phew... but at least it worked and I have the results on file.

Bad news is, I tried the exact same method with IceSword, but after unpacking the zip file and double-clicking IceSword.exe I got the following error message:

IceSword.exe is not a valid Win32 application.

Pasted below is the DrWeb.csv file. I'm gonna get some sleep now and I'll be back online around 9 am.

Cheers.

DrWeb.csv

gendel32.exe;C:\;Tool.Gendel;Incurable.Deleted.;
setup.exe;C:\Documents and Settings\Dog Machine\Desktop\transit folder\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixe;Win32.HLLW.Puce;Deleted.;
b64_2[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\JU7L18JM;Win32.HLLM.Beagle;Deleted.;
b64_2[2].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\JU7L18JM;Win32.HLLM.Beagle;Deleted.;
b64_2[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\PA2WJL05;Win32.HLLM.Beagle;Deleted.;
b64_3[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\PA2WJL05;Win32.HLLM.Beagle;Deleted.;
b64_3[2].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\PA2WJL05;Win32.HLLM.Beagle;Deleted.;
b64_2[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\TO34UYDT;Win32.HLLM.Beagle;Deleted.;
b64_3[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\TO34UYDT;Win32.HLLM.Beagle;Deleted.;
b64_2[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\WE4556E1;Win32.HLLM.Beagle;Deleted.;
b64_3[1].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\WE4556E1;Win32.HLLM.Beagle;Deleted.;
b64_3[2].jpg;C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\WE4556E1;Win32.HLLM.Beagle;Deleted.;
0C4XA3CA.NQF;C:\Program Files\ESET\infected;Trojan.MulDrop.3700;Deleted.;
20WNCEAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Puce;Deleted.;
5YHAPADA.NQF;C:\Program Files\ESET\infected;BackDoor.Bifrost;Deleted.;
D3U3LFBA.NQF;C:\Program Files\ESET\infected;Trojan.DownLoader.22050;Deleted.;
FJGUSFBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Puce;Deleted.;
GHZBI3BA.NQF;C:\Program Files\ESET\infected;Trojan.Swizzor;Deleted.;
HHJK0JBA.NQF;C:\Program Files\ESET\infected;Trojan.DownLoader.10616;Deleted.;
Q5SXQUDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Puce;Deleted.;
XCVZ2MBA.NQF;C:\Program Files\ESET\infected;Trojan.DownLoader.17378;Deleted.;
A0023143.EXE;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101;Program.PsExec.170;Incurable.Deleted.;
A0023146.bat;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101;Probably BATCH.Virus;Incurable.Deleted.;
A0023154.bat;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP101;Probably SCRIPT.Virus;Incurable.Deleted.;
A0023237.exe;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102;Win32.HLLM.Beagle;Deleted.;
A0023249.bat;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102;Probably BATCH.Virus;Incurable.Deleted.;
A0023256.bat;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102;Probably SCRIPT.Virus;Incurable.Deleted.;
A0023348.exe;C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102;Win32.HLLW.Puce;Deleted.;

Rorschach112
2008-04-30, 03:19
Ok, do this in the morning for me

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

adifrank
2008-04-30, 11:04
Deckard's System Scanner - main

Deckard's System Scanner v20071014.68
Run by Dog Machine on 2008-04-30 11:27:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-04-30 08:28:08 UTC - RP103 - Deckard's System Scanner Restore Point
89: 2008-04-29 13:38:37 UTC - RP102 - ComboFix created restore point
88: 2008-04-28 23:15:20 UTC - RP101 - ComboFix created restore point
87: 2002-01-01 00:07:53 UTC - RP100 - System Checkpoint
86: 2008-04-26 23:31:28 UTC - RP99 - System Checkpoint


-- First Restore Point --
1: 2008-01-31 10:37:30 UTC - RP14 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-30 11:30:59
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\PDesk\pdesk.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Documents and Settings\Dog Machine\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nana.co.il
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{CDFC83AF-9AEB-4405-A519-DBB9C85248B7}: NameServer = 192.168.1.1,62.90.42.110,212.150.49.10
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATM Service (ATMsrvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\ATMsrvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\RpcSandraSrv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


--
End of file - 11840 bytes

-- File Associations -----------------------------------------------------------

.js - unable to read key
.js - unable to read key
.txt - unable to read key
.txt - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 Nsynas32 - c:\windows\system32\drivers\nsynas32.sys <Not Verified; Syncrosoft Hard- und Software GmbH; Internet Protection Hardware Driver>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S0 Inspect (Comodo Network Engine) - c:\windows\system32\drivers\inspect.sys (file missing)
S2 Parclass - c:\windows\system32\drivers\parclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT(TM) Operating System>
S3 RT73 (RT73 USB Wireless LAN Card Driver) - c:\windows\system32\drivers\rt73.sys (file missing)
S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 USBKS1X1 (Midiman USB Keystation USB Driver) - c:\windows\system32\drivers\usbks1x1.sys (file missing)
S3 USBKT1X1 (M-Audio USB Keystation) - c:\windows\system32\drivers\usbkt1x1.sys (file missing)
S3 USBMIDIM (Midiman USB MidiSport Midi Kernel Driver) - c:\windows\system32\drivers\usbmidim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>
S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Ralink Turbo Wireless LAN Card
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_25611814&REV_00\4&2E98101C&0&08F0
Manufacturer: Ralink Technology, Inc.
Name: Ralink Turbo Wireless LAN Card #3
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_25611814&REV_00\4&2E98101C&0&08F0
Service: RT61

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_30208086&REV_01\4&2E98101C&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_30208086&REV_01\4&2E98101C&0&40F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_A0008086&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_A0008086&REV_02\3&267A616A&0&FD
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-29 12:49:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-25 17:18:32 402 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-29 22:59:37 0 d-------- C:\Documents and Settings\Dog Machine\DoctorWeb
2008-04-29 02:13:56 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 02:13:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 02:13:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 02:13:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 02:13:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 02:13:56 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 02:13:56 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 02:13:56 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 19:34:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33:38 0 d-------- C:\Program Files\Last.fm
2008-04-09 23:41:11 0 d-------- C:\Program Files\WinPcap
2008-04-09 23:38:55 0 d-------- C:\Program Files\WMR11
2008-04-08 03:34:51 0 d-------- C:\Program Files\Common Files\SourceTec
2008-04-08 03:34:49 0 d-------- C:\Program Files\SourceTec
2008-04-07 10:54:15 0 d-------- C:\Program Files\iPod
2008-04-07 10:43:31 0 d-------- C:\Program Files\QuickTime
2008-04-02 04:57:52 0 dr-h----- C:\Documents and Settings\Dog Machine\Recent


-- Find3M Report ---------------------------------------------------------------

2008-04-29 22:41:04 0 d-------- C:\Documents and Settings\Dog Machine\Application Data\Babylon
2008-04-27 23:16:11 0 d-------- C:\Program Files\eMule
2008-04-21 13:14:51 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 15:37:31 2608 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-11 17:04:19 0 d-------- C:\Documents and Settings\Dog Machine\Application Data\Adobe
2008-04-08 03:34:51 0 d-------- C:\Program Files\Common Files
2008-04-07 10:54:36 0 d-------- C:\Program Files\iTunes
2008-03-20 18:09:57 0 d-------- C:\Documents and Settings\Dog Machine\Application Data\Real
2008-03-10 00:16:13 0 d-------- C:\Program Files\Webteh
2008-03-01 17:42:08 0 d-------- C:\Documents and Settings\Dog Machine\Application Data\GRETECH
2008-03-01 17:41:49 0 d-------- C:\Program Files\GRETECH
2008-03-01 13:30:46 0 d-------- C:\Program Files\Vertical Moon
2008-02-03 22:25:17 12 --a------ C:\WINDOWS\system32\dck2s21.dat
2008-01-30 10:58:18 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [04/30/2008 12:47 AM]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [09/14/2004 11:13 AM]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [08/27/2004 12:43 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [11/29/2001 10:44 PM]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [01/10/2005 07:08 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [05/24/2006 06:39 PM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [02/07/2007 01:37 AM]
"DeltTray"="DeltTray.exe" [08/27/2004 12:43 AM C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/15/2008 01:13 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:07 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [4/27/2008 7:33:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [12/26/2007 10:45:55 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
"C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-04-30 11:31:37 ------------

Deckard's System Scanner - extra


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.40GHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1021.73 MiB / 666.05 MiB
Pagefile Memory (total/avail): 2924.73 MiB / 2714.58 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 14.87 GiB free.
E: is CDROM (CDFS)
K: is Fixed (NTFS) - 39.06 GiB total, 1.21 GiB free.
L: is Fixed (NTFS) - 109.99 GiB total, 31.34 GiB free.

\\.\PHYSICALDRIVE1 - WDC WD1600JB-00EVA0 - 149.05 GiB - 2 partitions
\PARTITION0 - Installable File System - 39.06 GiB - K:
\PARTITION1 - Installable File System - 109.99 GiB - L:

\\.\PHYSICALDRIVE0 - WDC WD800JB-00ETA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\ESET\\nod32.exe"="C:\\Program Files\\ESET\\nod32.exe:*:Enabled:NOD32"
"C:\\Program Files\\ESET\\nod32kui.exe"="C:\\Program Files\\ESET\\nod32kui.exe:*:Enabled:NOD32 Control Center"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dog Machine\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRUCELEE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dog Machine
LOGONSERVER=\\BRUCELEE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SAN_DIR=C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DOGMAC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DOGMAC~1\LOCALS~1\Temp
USERDOMAIN=BRUCELEE
USERNAME=Dog Machine
USERPROFILE=C:\Documents and Settings\Dog Machine
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dog Machine [I](admin)
Administrator (new local, admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
ACDSee Pro --> MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Add or Remove Adobe Creative Suite 3 Design Premium --> C:\Program Files\Common Files\Adobe\Installers\c14ac4070fd9614ffe63f4bb533db2c\Setup.exe
Adobe After Effects CS3 --> C:\Program Files\Common Files\Adobe\Installers\b7dd24a87e82dcf8af8876fd727b7cf\Setup.exe
Adobe After Effects CS3 --> MsiExec.exe /I{8AF3FB06-BDA3-42A3-995C-308812D2F094}
Adobe After Effects CS3 Presets --> MsiExec.exe /I{4B215C29-1A3E-4736-92AA-10C83FA56EB9}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B7F560B3-6EFF-4026-A982-843895A41149}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Design Premium --> MsiExec.exe /I{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Setup --> MsiExec.exe /I{09E2111C-16B1-4DDF-BF0D-F994C9A12350}
Adobe Setup --> MsiExec.exe /I{2C294A0B-DF22-4023-B168-8C7645B10019}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server {ko_KR} --> MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Ape2CD 2.0.0 --> "C:\Program Files\Ape2CD\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Babylon --> C:\Program Files\Babylon\Babylon-Pro\Utils\uninstbb.exe
Barak013 L2TP --> C:\PROGRA~1\Barak013\BARAK0~1\UNWISE.EXE C:\PROGRA~1\Barak013\BARAK0~1\INSTALL.LOG
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Cole2k Media - Codec Pack (Advanced) --> C:\WINDOWS\system32\C2MP\Uninst.exe
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Delta --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4810699-E859-43A6-8F40-1743873E72AB}\setup.exe" -l0x9 -removeonly
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Document Printer v2.0 --> "C:\Program Files\docPrint v2.0\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Event Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4197E46D-56D2-4527-8E40-8574FFFFBF1B}\Setup.exe" -l0x9 UNINST
EPSON Image Clip Palette --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{314F6D08-A8B7-11D8-8446-0050BA1D384D}\Setup.exe" -l0x9 -u
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Send To Web --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F839E2D2-4BEE-4915-A031-20A4D9006F92} /l1033 ADDREMOVEDLG
fxpansion!RobotikVocoder --> C:\UNWISE.EXE C:\PROGRA~1\FXPANS~1\INSTALL.LOG
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\Dog Machine\Desktop\HijackThis.exe" /uninstall
HP Deskjet 5700 --> msiexec /x{85B1BEF2-2357-4C27-ABBE-15A1AE3AF78D}
hp deskjet 970c series --> rundll32 hpzcon04.dll,VendorJettison hp deskjet 970c series
hp deskjet 970c series (Remove only) --> C:\Program Files\hp deskjet 970c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB003 -vproduct=970c -huninstall
HP Image Zone 4.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{49FB31C1-26EC-44c6-AB47-73C66E2BC41E}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{B81023A5-71ED-46EB-BE3B-9F974D1155F1}
ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
iDump Build: 24 --> C:\Program Files\iDump\uninst.exe
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Japanese Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Joost (tm) 0.10.2 --> C:\Program Files\Joost\uninst.exe
Last.fm 1.4.2.59470 --> "C:\Program Files\Last.fm\unins000.exe"
Launchy 2.0 --> "C:\Program Files\Launchy\unins000.exe"
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia FreeHand MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AE751-7055-4518-87B0-E148A8D50D0A}\Setup.exe" -l0x9 UNINSTALL
Matrox Graphics Software (remove only) --> C:\WINDOWS\system32\PDesk\PDUninst.exe
Microsoft Office 2000 Proofing Tools Disc 1 --> MsiExec.exe /I{00300409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSm22.inf, Uninstall
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 Antivirus System --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "C:\Program Files\Eset\unins000.exe"
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\Common\unynss.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Perf4870 Reference Guide --> C:\Program Files\EPSON\Perf4870\REF_G\DOCUNINS.EXE
PERF4990P Reference Guide --> C:\Program Files\EPSON\TPMANUAL\PERF4990P\REF_G\DOCUNINS.EXE
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Ralink Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe" -l0x9 -removeonly
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reason 3.0 --> "C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
ReFX Slayer VSTi v1.3 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\REFXSL~1.3\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\REFXSL~1.3\INSTALL.LOG
Revo Uninstaller 1.50 --> C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
River Past Audio Converter Pro --> C:\WINDOWS\Audio Converter Pro Uninstaller.exe
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Series II MIDI --> C:\Program Files\InstallShield Installation Information\{379BD39E-F13E-458F-96D8-56BD7F2CC516}\setup.exe -runfromtemp -l0x0009 -removeonly
SiSoftware Sandra Engineer XII --> "C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\unins000.exe"
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.0 Setup Files (remove only) --> "C:\Program Files\SmartFTP Client 2.0 Setup Files\uninst-sftp.exe"
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
Sonic CinePlayer --> MsiExec.exe /X{26792CA7-D87A-4DBE-896B-C2F66B344511}
Sonic Scenarist --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sonic\Scenarist\Uninst.isu"
Sony Media Manager 2.0 --> MsiExec.exe /X{B13F5727-F12F-4253-B6AD-26AFA880B709}
Sony Vegas 6.0d --> MsiExec.exe /X{4F68B605-2F2B-42A8-8689-0CA7E67797B0}
Sony Vegas Pro 8.0 --> MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
Sothink SWF Decompiler --> "C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
SpeedSoft Virtual Sampler --> C:\SpeedSoft\VSampler\bin\UnInstall.exe
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Steinberg Cubase SX v3.0.2.623 --> C:\PROGRA~1\STEINB~1\CUBASE~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\INSTALL.LOG
Steinberg VoiceMachine v1.0 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\STEINB~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\STEINB~1\INSTALL.LOG
SWF, Lock & Load 1.106 --> "C:\Program Files\Vertical Moon\SWF, Lock & Load\unins000.exe"
Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
SyncroSoft Emu (Remove only) --> C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
Tablet --> C:\Program Files\Tablet\Remove.exe /u
TBL BassLine v1.2 VSTi --> C:\PROGRA~1\STEINB~1\VSTPLU~1\TBLBAS~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\TBLBAS~1\INSTALL.LOG
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
USB Keyboard Device 1.0.1.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\M-Audio USB Keyboard Device\irunin.ini"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warp VST V1.0 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\WARPVS~1.0\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\WARPVS~1.0\INSTALL.LOG
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinPcap 4.0 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WM Recorder 12.0 --> C:\Program Files\WMR11\Uninstal.exe
XML Paper Specification Shared Components Pack 1.0 -->
XNote Stopwatch 1.40 --> C:\Program Files\XNote Stopwatch\uninstall.exe
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
הפוך על הפוך --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\הפוך על הפוך\ST6UNST.LOG"


-- Application Event Log -------------------------------------------------------

Event Record #/Type25398 / Error
Event Submitted/Written: 04/29/2008 11:11:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 10.0.2627.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type25394 / Warning
Event Submitted/Written: 04/29/2008 09:20:59 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type25393 / Warning
Event Submitted/Written: 04/29/2008 09:20:59 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type25388 / Warning
Event Submitted/Written: 04/29/2008 07:40:10 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type25387 / Warning
Event Submitted/Written: 04/29/2008 07:40:10 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type48376 / Warning
Event Submitted/Written: 04/27/2008 07:52:45 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type48370 / Warning
Event Submitted/Written: 04/25/2008 09:59:54 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type48335 / Warning
Event Submitted/Written: 04/24/2008 00:27:47 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type48333 / Warning
Event Submitted/Written: 04/23/2008 07:33:50 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.

Event Record #/Type48332 / Warning
Event Submitted/Written: 04/23/2008 07:33:50 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.



-- End of Deckard's System Scanner: finished at 2008-04-30 11:31:37 ------------

Virus Total results

File GoogleToolbarNotifier.exe received on 04.30.2008 10:51:05 (CET)
Result: 19/31 (61.3%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.30.0 2008.04.30 Win-Trojan/Bagle.638976
AntiVir 7.8.0.10 2008.04.30 TR/Dldr.Bagle.NU
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.30 Win32:Beagle-AAC
AVG 7.5.0.516 2008.04.30 I-Worm/Bagle
BitDefender 7.2 2008.04.30 Trojan.Downloader.Bagle.HO
CAT-QuickHeal 9.50 2008.04.29 TrojanDownloader.Bagle.nu
ClamAV 0.92.1 2008.04.30 PUA.Packed.Themida
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5746 2008.04.30 -
Ewido 4.0 2008.04.29 -
F-Prot 4.4.2.54 2008.04.30 -
F-Secure 6.70.13260.0 2008.04.30 Trojan-Downloader.Win32.Bagle.nu
Fortinet 3.14.0.0 2008.04.30 W32/Bagle.NU!tr.dldr
Ikarus T3.1.1.26 2008.04.30 Virus.Win32.Rbot.CXN
Kaspersky 7.0.0.125 2008.04.30 Trojan-Downloader.Win32.Bagle.nu
McAfee 5284 2008.04.29 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3064 2008.04.29 Win32/Bagle.OM
Norman 5.80.02 2008.04.29 W32/Mitglied.AUJ
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.04.30 I-Worm/Bagle
Rising 20.42.20.00 2008.04.30 -
Sophos 4.28.0 2008.04.30 Mal/Generic-A
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.30 -
TheHacker 6.2.92.297 2008.04.29 Trojan/Downloader.Bagle.nu
VBA32 3.12.6.5 2008.04.29 Trojan-Downloader.Win32.Bagle.nu
VirusBuster 4.3.26:9 2008.04.29 Worm.Bagle.ZZK
Webwasher-Gateway 6.6.2 2008.04.30 Trojan.Dldr.Bagle.NU
Additional information
File size: 638976 bytes
MD5...: 62273984f4264b8822e91ef65f06b4e8
SHA1..: 13f9f786f23f02c597bd629892f0d2d9c23c0d77
SHA256: 47ab78e30ff3b6fea4a2571e8bec2957f907e2116832792fd098d718241871e1
SHA512: 9c4fd0d3c4850a7ca6f219480733acd661bb0b76e8ebb26edc2ec232456adf772692d18db42d0cddbb5e08542723971f3ceb35751be7c375e3002d89c069295a
PEiD..: Themida/WinLicense V1.8.0.2 + -> Oreans Technologies
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47f014
timedatestamp.....: 0x48122060 (Fri Apr 25 18:18:08 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x75000 0x36000 7.97 94c9e20a202163a92dbb9959acb86bd1
.rsrc 0x76000 0x7588 0x3000 5.53 7f015111abad34ee4127e33b8ebf8488
.idata 0x7e000 0x1000 0x1000 0.24 26d28c4d124a92eaa21dfcb5ed9354d5
Themida 0x7f000 0xe7000 0x61000 7.89 afab585c2fa71b8d28d535dd5df42e17

( 2 imports )
> KERNEL32.dll: CreateFileA, ExitProcess
> COMCTL32.dll: InitCommonControls

( 0 exports )
packers: Themida
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=64F0840C005BE2B2C0F409B9FEAB3F002518E22A
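A triage pass over the report above, as an added example (not part of the thread and not VirusTotal's own tooling): it parses the per-engine rows and the PE section table as posted, computes the 19/31 detection ratio, extracts the consensus family name from the vendor labels, and flags the two high-entropy sections, the Themida section and the three-function import table that mark the file as packed. The vendor rows and section values are copied from the report; the GENERIC token list, the 7.0 entropy floor and the packer section names are the example's own assumptions.

```python
"""Triage of a VirusTotal-style report: detection ratio, vendor naming
consensus and packer indicators. Added example: the logic is the editor's,
not VirusTotal's or the thread's; the sample rows are copied from the
report posted above and embedded as constructed input for offline use."""
import re
from collections import Counter

VT_ROWS = """\
AhnLab-V3 2008.4.30.0 2008.04.30 Win-Trojan/Bagle.638976
AntiVir 7.8.0.10 2008.04.30 TR/Dldr.Bagle.NU
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.30 Win32:Beagle-AAC
AVG 7.5.0.516 2008.04.30 I-Worm/Bagle
BitDefender 7.2 2008.04.30 Trojan.Downloader.Bagle.HO
CAT-QuickHeal 9.50 2008.04.29 TrojanDownloader.Bagle.nu
ClamAV 0.92.1 2008.04.30 PUA.Packed.Themida
DrWeb 4.44.0.09170 2008.04.30 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5746 2008.04.30 -
Ewido 4.0 2008.04.29 -
F-Prot 4.4.2.54 2008.04.30 -
F-Secure 6.70.13260.0 2008.04.30 Trojan-Downloader.Win32.Bagle.nu
Fortinet 3.14.0.0 2008.04.30 W32/Bagle.NU!tr.dldr
Ikarus T3.1.1.26 2008.04.30 Virus.Win32.Rbot.CXN
Kaspersky 7.0.0.125 2008.04.30 Trojan-Downloader.Win32.Bagle.nu
McAfee 5284 2008.04.29 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3064 2008.04.29 Win32/Bagle.OM
Norman 5.80.02 2008.04.29 W32/Mitglied.AUJ
Panda 9.0.0.4 2008.04.30 -
Prevx1 V2 2008.04.30 I-Worm/Bagle
Rising 20.42.20.00 2008.04.30 -
Sophos 4.28.0 2008.04.30 Mal/Generic-A
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.30 -
TheHacker 6.2.92.297 2008.04.29 Trojan/Downloader.Bagle.nu
VBA32 3.12.6.5 2008.04.29 Trojan-Downloader.Win32.Bagle.nu
VirusBuster 4.3.26:9 2008.04.29 Worm.Bagle.ZZK
Webwasher-Gateway 6.6.2 2008.04.30 Trojan.Dldr.Bagle.NU
"""
# PE section table from the report (name viradd virsiz rawdsiz ntrpy md5);
# the first section is unnamed, so that row has one token fewer.
PE_SECTIONS = """\
0x1000 0x75000 0x36000 7.97 94c9e20a202163a92dbb9959acb86bd1
.rsrc 0x76000 0x7588 0x3000 5.53 7f015111abad34ee4127e33b8ebf8488
.idata 0x7e000 0x1000 0x1000 0.24 26d28c4d124a92eaa21dfcb5ed9354d5
Themida 0x7f000 0xe7000 0x61000 7.89 afab585c2fa71b8d28d535dd5df42e17
"""
IMPORTS = {"KERNEL32.dll": ["CreateFileA", "ExitProcess"],
           "COMCTL32.dll": ["InitCommonControls"]}
# Naming-scheme tokens that carry no family information (assumed list).
GENERIC = {"win32", "w32", "trojan", "trojandownloader", "downloader",
           "dldr", "worm", "virus", "generic", "packed", "mal", "pua"}

def parse_vt(text):
    """Return [(engine, version, updated, result_or_None)] per report row."""
    rows = []
    for line in text.strip().splitlines():
        engine, version, updated, result = line.split(None, 3)
        rows.append((engine, version, updated, None if result == "-" else result))
    return rows

def detection_ratio(rows):
    """(engines flagging the file, engines queried): 19 of 31 for the sample."""
    return sum(1 for r in rows if r[3]), len(rows)

def family_votes(rows):
    """Count family tokens across vendor labels to find the consensus name."""
    votes = Counter()
    for _, _, _, result in rows:
        if result:
            toks = (t.lower() for t in re.split(r"[^A-Za-z0-9]+", result))
            votes.update({t for t in toks            # one vote per vendor
                          if len(t) >= 4 and t.isalpha() and t not in GENERIC})
    return votes

def parse_sections(text):
    """Return [(name, virsiz, rawdsiz, entropy)]; an unnamed section gets ''."""
    out = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok[0].startswith("0x"):          # no name column on this row
            tok.insert(0, "")
        name, _viradd, virsiz, rawdsiz, ntrpy = tok[:5]
        out.append((name, int(virsiz, 16), int(rawdsiz, 16), float(ntrpy)))
    return out

def packing_indicators(sections, imports, entropy_floor=7.0):
    """Signals an analyst weighs before trusting a clean verdict on a sample."""
    known = {"themida", "upx0", "upx1"}      # assumed packer section names
    return {
        "high_entropy": [s[0] or "<unnamed>" for s in sections
                         if s[3] >= entropy_floor],
        "packer_section": [s[0] for s in sections if s[0].lower() in known],
        "tiny_import_table": sum(len(v) for v in imports.values()) <= 5,
    }

if __name__ == "__main__":
    rows = parse_vt(VT_ROWS)
    print("detections: %d/%d" % detection_ratio(rows), family_votes(rows).most_common(3))
    print(packing_indicators(parse_sections(PE_SECTIONS), IMPORTS))
```

Fourteen of the nineteen detections agree on the Bagle family, and a packed binary that imports only CreateFileA, ExitProcess and InitCommonControls is exactly what a downloader stub looks like before it unpacks.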

Rorschach112
2008-04-30, 14:31
Brilliant, found the file dropper

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Folder::

Registry::

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Reboot, try running the Kaspersky Webscanner and tell me how your PC is running.

adifrank
2008-04-30, 18:24
All is looking pretty good!!! :santa:

- Startup time is back to normal.
- Administrator privileges have been restored.
- I can once again download files.
- MS Internet Explorer is working.

The only apparent issue:
My security software is still not functioning: NOD32 won't open, COMODO firewall is disabled and can't be re-enabled... I guess I should just uninstall these programs and reinstall them. Right?

I'm now running Kaspersky Online Scanner. I followed your directions running the scanner as you posted them earlier in this thread. Yes, it is running and scanning, but VERY VERY slowly. After 42 minutes the progress bar shows 4% complete. Is this normal?

I'm not sure if you need it or not, but here it is anyway -

the most recent combo-fix log file:

ComboFix 08-04-27.3 - Dog Machine 2008-04-30 17:26:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.704 [GMT 3:00]
Running from: C:\Documents and Settings\Dog Machine\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dog Machine\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\1157937.exe
C:\WINDOWS\system32\drivers\downld\1182375.exe
C:\WINDOWS\system32\drivers\downld\1223046.exe
C:\WINDOWS\system32\drivers\downld\1241046.exe
C:\WINDOWS\system32\drivers\downld\52638656.exe
C:\WINDOWS\system32\drivers\downld\52644406.exe
C:\WINDOWS\system32\drivers\downld\52646406.exe
C:\WINDOWS\system32\drivers\downld\52669125.exe
C:\WINDOWS\system32\drivers\downld\53036718.exe
C:\WINDOWS\system32\drivers\downld\53040656.exe
C:\WINDOWS\system32\drivers\downld\53045359.exe
C:\WINDOWS\system32\drivers\downld\53060125.exe
C:\WINDOWS\system32\drivers\downld\53069562.exe
C:\WINDOWS\system32\drivers\downld\53122750.exe
C:\WINDOWS\system32\drivers\downld\53128171.exe
C:\WINDOWS\system32\drivers\downld\53191921.exe
C:\WINDOWS\system32\drivers\downld\53247937.exe
C:\WINDOWS\system32\drivers\downld\53252437.exe
C:\WINDOWS\system32\drivers\downld\53255890.exe
C:\WINDOWS\system32\drivers\downld\53270375.exe
C:\WINDOWS\system32\drivers\downld\53280218.exe
C:\WINDOWS\system32\drivers\downld\60589984.exe
C:\WINDOWS\system32\drivers\downld\60595046.exe
C:\WINDOWS\system32\drivers\downld\60599343.exe
C:\WINDOWS\system32\drivers\downld\60672390.exe
C:\WINDOWS\system32\drivers\downld\60676609.exe
C:\WINDOWS\system32\drivers\downld\60679031.exe
C:\WINDOWS\system32\drivers\downld\60729593.exe
C:\WINDOWS\system32\drivers\downld\60748984.exe
C:\WINDOWS\system32\drivers\downld\60924343.exe
C:\WINDOWS\system32\drivers\downld\60953406.exe
C:\WINDOWS\system32\drivers\downld\60996593.exe
C:\WINDOWS\system32\drivers\downld\61007187.exe
C:\WINDOWS\system32\drivers\downld\937906.exe
C:\WINDOWS\system32\drivers\downld\947750.exe
C:\WINDOWS\system32\drivers\downld\959234.exe
C:\WINDOWS\system32\drivers\downld\984703.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 11:27 . 2008-04-30 11:27 <DIR> d-------- C:\Deckard
2008-04-29 22:59 . 2008-04-29 22:59 <DIR> d-------- C:\Documents and Settings\Dog Machine\DoctorWeb
2008-04-27 19:34 . 2008-04-27 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Last.fm
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-09 23:38 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\WMR11
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\SourceTec
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-04-07 10:54 . 2008-04-07 10:54 <DIR> d-------- C:\Program Files\iPod
2008-04-07 10:43 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-01 17:43 . 2008-03-01 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-01 17:42 . 2008-03-01 17:42 <DIR> d-------- C:\Documents and Settings\Dog Machine\Application Data\GRETECH
2008-03-01 17:41 . 2008-03-01 17:41 <DIR> d-------- C:\Program Files\GRETECH
2008-03-01 13:30 . 2008-03-01 13:30 <DIR> d-------- C:\Program Files\Vertical Moon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 19:41 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\Babylon
2008-04-27 20:16 --------- d-----w C:\Program Files\eMule
2008-04-24 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 10:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-07 07:54 --------- d-----w C:\Program Files\iTunes
2008-03-09 21:16 --------- d-----w C:\Program Files\Webteh
2008-01-30 07:58 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-01-25 23:06 443,408 ----a-w C:\Documents and Settings\Dog Machine\Application Data\GDIPFONTCACHEV1.DAT
2008-01-19 16:38 161,532 ----a-w C:\WINDOWS\Audio Converter Pro Uninstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_ 9.31.29.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-01-01 01:09:08 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB873339\update\update.exe
+ 2008-04-29 22:28:59 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB873339\update\update.exe
- 2002-01-01 01:09:09 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885250\update\update.exe
+ 2008-04-29 22:29:01 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885250\update\update.exe
- 2002-01-01 01:09:09 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885835\update\update.exe
+ 2008-04-29 22:29:03 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885835\update\update.exe
- 2002-01-01 01:09:09 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885836\update\update.exe
+ 2008-04-29 22:29:05 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885836\update\update.exe
- 2002-01-01 01:09:10 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB886185\update\update.exe
+ 2008-04-29 22:29:07 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB886185\update\update.exe
- 2002-01-01 01:09:10 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB887472\update\update.exe
+ 2008-04-29 22:29:08 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB887472\update\update.exe
- 2002-01-01 01:09:11 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB887742\update\update.exe
+ 2008-04-29 22:29:10 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB887742\update\update.exe
- 2002-01-01 01:09:11 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB888113\update\update.exe
+ 2008-04-29 22:29:11 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB888113\update\update.exe
- 2002-01-01 01:09:11 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB888302\update\update.exe
+ 2008-04-29 22:29:13 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB888302\update\update.exe
- 2002-01-01 01:09:12 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\update.exe
+ 2008-04-29 22:29:14 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\update.exe
- 2002-01-01 01:09:13 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890859\update\update.exe
+ 2008-04-29 22:29:20 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890859\update\update.exe
- 2002-01-01 01:09:13 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\update.exe
+ 2008-04-29 22:29:21 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\update.exe
- 2002-01-01 01:09:14 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\update.exe
+ 2008-04-29 22:29:23 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\update.exe
- 2002-01-01 01:09:15 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB894391\update\update.exe
+ 2008-04-29 22:29:25 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB894391\update\update.exe
- 2002-01-01 01:09:16 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
+ 2008-04-29 22:29:27 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
- 2002-01-01 01:09:16 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896422\update\update.exe
+ 2008-04-29 22:29:29 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896422\update\update.exe
- 2002-01-01 01:09:17 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
+ 2008-04-29 22:29:30 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
- 2002-01-01 01:09:18 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\update.exe
+ 2008-04-29 22:29:32 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896424\update\update.exe
- 2002-01-01 01:09:19 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896428\update\update.exe
+ 2008-04-29 22:29:34 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896428\update\update.exe
- 2002-01-01 01:09:19 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB898461\update\update.exe
+ 2008-04-29 22:29:36 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB898461\update\update.exe
- 2002-01-01 01:09:20 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899587\update\update.exe
+ 2008-04-29 22:29:37 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899587\update\update.exe
- 2002-01-01 01:09:21 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899589\update\update.exe
+ 2008-04-29 22:29:39 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899589\update\update.exe
- 2002-01-01 01:09:21 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\update.exe
+ 2008-04-29 22:29:41 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\update.exe
- 2002-01-01 01:09:22 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB900485\update\update.exe
+ 2008-04-29 22:29:43 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB900485\update\update.exe
- 2002-01-01 01:09:23 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\update.exe
+ 2008-04-29 22:29:45 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\update.exe
- 2002-01-01 01:09:24 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\update.exe
+ 2008-04-29 22:29:47 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\update.exe
- 2002-01-01 01:09:25 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
+ 2008-04-29 22:29:49 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
- 2002-01-01 01:09:26 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\update.exe
+ 2008-04-29 22:29:52 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\update.exe
- 2002-01-01 01:09:27 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB904706\update\update.exe
+ 2008-04-29 22:29:55 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB904706\update\update.exe
- 2002-01-01 01:09:27 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\update.exe
+ 2008-04-29 22:29:56 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\update.exe
- 2002-01-01 01:09:28 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905749\update\update.exe
+ 2008-04-29 22:29:58 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905749\update\update.exe
- 2002-01-01 01:09:30 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB905915\update\update.exe
+ 2008-04-29 22:30:01 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB905915\update\update.exe
- 2002-01-01 01:09:30 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB908519\update\update.exe
+ 2008-04-29 22:30:03 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB908519\update\update.exe
- 2002-01-01 01:09:31 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB908531\update\update.exe
+ 2008-04-29 22:30:05 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB908531\update\update.exe
- 2002-01-01 01:09:32 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB910437\update\update.exe
+ 2008-04-29 22:30:07 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB910437\update\update.exe
- 2002-01-01 01:09:32 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\update.exe
+ 2008-04-29 22:30:09 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\update.exe
- 2002-01-01 01:09:33 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\update.exe
+ 2008-04-29 22:30:11 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\update.exe
- 2002-01-01 01:09:34 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911567\update\update.exe
+ 2008-04-29 22:30:13 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911567\update\update.exe
- 2002-01-01 01:09:35 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911927\update\update.exe
+ 2008-04-29 22:30:15 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911927\update\update.exe
- 2002-01-01 01:09:36 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB912812\update\update.exe
+ 2008-04-29 22:30:18 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB912812\update\update.exe
- 2002-01-01 01:09:37 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB912919\update\update.exe
+ 2008-04-29 22:30:20 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB912919\update\update.exe
- 2002-01-01 01:09:37 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB913446\update\update.exe
+ 2008-04-29 22:30:22 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB913446\update\update.exe
- 2002-01-01 01:09:38 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB913580\update\update.exe
+ 2008-04-29 22:30:24 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB913580\update\update.exe
- 2002-01-01 01:09:39 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914388\update\update.exe
+ 2008-04-29 22:30:26 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914388\update\update.exe
- 2002-01-01 01:09:40 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914389\update\update.exe
+ 2008-04-29 22:30:28 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914389\update\update.exe
- 2002-01-01 01:09:41 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB915865\update\update.exe
+ 2008-04-29 22:30:30 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB915865\update\update.exe
- 2002-01-01 01:09:42 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB916281\update\update.exe
+ 2008-04-29 22:30:33 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB916281\update\update.exe
- 2002-01-01 01:09:43 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB916595\update\update.exe
+ 2008-04-29 22:30:35 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB916595\update\update.exe
- 2002-01-01 01:09:44 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917159\update\update.exe
+ 2008-04-29 22:30:37 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917159\update\update.exe
- 2002-01-01 01:09:44 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917344\update\update.exe
+ 2008-04-29 22:30:39 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917344\update\update.exe
- 2002-01-01 01:09:45 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917422\update\update.exe
+ 2008-04-29 22:30:41 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917422\update\update.exe
- 2002-01-01 01:09:46 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917953\update\update.exe
+ 2008-04-29 22:30:43 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB917953\update\update.exe
- 2002-01-01 01:09:46 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918118\update\update.exe
+ 2008-04-29 22:30:45 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918118\update\update.exe
- 2002-01-01 01:09:47 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918439\update\update.exe
+ 2008-04-29 22:30:47 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918439\update\update.exe
- 2002-01-01 01:09:49 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918899\update\update.exe
+ 2008-04-29 22:30:50 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918899\update\update.exe
- 2002-01-01 01:09:50 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\update.exe
+ 2008-04-29 22:30:52 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\update.exe
- 2002-01-01 01:09:50 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920213\update\update.exe
+ 2008-04-29 22:30:54 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920213\update\update.exe
- 2002-01-01 01:09:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920214\update\update.exe
+ 2008-04-29 22:30:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920214\update\update.exe
- 2002-01-01 01:09:52 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\update.exe
+ 2008-04-29 22:30:58 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\update.exe
- 2002-01-01 01:09:52 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920683\update\update.exe
+ 2008-04-29 22:30:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920683\update\update.exe
- 2002-01-01 01:09:53 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920685\update\update.exe
+ 2008-04-29 22:31:01 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920685\update\update.exe
- 2002-01-01 01:09:54 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920872\update\update.exe
+ 2008-04-29 22:31:03 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920872\update\update.exe
- 2002-01-01 01:09:55 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921398\update\update.exe
+ 2008-04-29 22:31:05 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921398\update\update.exe
- 2002-01-01 01:09:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921503\update\update.exe
+ 2008-04-29 22:31:07 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921503\update\update.exe
- 2002-01-01 01:09:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921883\update\update.exe
+ 2008-04-29 22:31:09 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB921883\update\update.exe
- 2002-01-01 01:09:57 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922582\update\update.exe
+ 2008-04-29 22:31:11 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922582\update\update.exe
- 2002-01-01 01:09:58 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922616\update\update.exe
+ 2008-04-29 22:31:12 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922616\update\update.exe
- 2002-01-01 01:09:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922760\update\update.exe
+ 2008-04-29 22:31:16 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922760\update\update.exe
- 2002-01-01 01:10:00 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922819\update\update.exe
+ 2008-04-29 22:31:18 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB922819\update\update.exe
- 2002-01-01 01:10:01 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923414\update\update.exe
+ 2008-04-29 22:31:20 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923414\update\update.exe
- 2002-01-01 01:10:02 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923694\update\update.exe
+ 2008-04-29 22:31:22 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923694\update\update.exe
- 2002-01-01 01:10:02 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923980\update\update.exe
+ 2008-04-29 22:31:24 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923980\update\update.exe
- 2002-01-01 01:10:03 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924191\update\update.exe
+ 2008-04-29 22:31:26 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924191\update\update.exe
- 2002-01-01 01:10:04 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924270\update\update.exe
+ 2008-04-29 22:31:28 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924270\update\update.exe
- 2002-01-01 01:10:05 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\update.exe
+ 2008-04-29 22:31:30 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\update.exe
- 2002-01-01 01:10:06 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925454\update\update.exe
+ 2008-04-29 22:31:34 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925454\update\update.exe
- 2002-01-01 01:10:07 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925486\update\update.exe
+ 2008-04-29 22:31:36 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925486\update\update.exe
- 2002-01-01 01:10:08 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925720\update\update.exe
+ 2008-04-29 22:31:38 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925720\update\update.exe
- 2002-01-01 01:10:09 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925902\update\update.exe
+ 2008-04-29 22:31:41 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925902\update\update.exe
- 2002-01-01 01:10:09 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926255\update\update.exe
+ 2008-04-29 22:31:44 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926255\update\update.exe
- 2002-01-01 01:10:10 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926436\update\update.exe
+ 2008-04-29 22:31:45 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926436\update\update.exe
- 2002-01-01 01:10:11 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927779\update\update.exe
+ 2008-04-29 22:31:47 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927779\update\update.exe
- 2002-01-01 01:10:12 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927802\update\update.exe
+ 2008-04-29 22:31:49 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927802\update\update.exe
- 2002-01-01 01:10:13 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927891\update\update.exe
+ 2008-04-29 22:31:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB927891\update\update.exe
- 2002-01-01 01:10:14 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928090\update\update.exe
+ 2008-04-29 22:31:54 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928090\update\update.exe
- 2002-01-01 01:10:15 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928255\update\update.exe
+ 2008-04-29 22:31:57 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928255\update\update.exe
- 2002-01-01 01:10:16 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928843\update\update.exe
+ 2008-04-29 22:31:58 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928843\update\update.exe
- 2002-01-01 01:10:17 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929123\update\update.exe
+ 2008-04-29 22:32:01 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929123\update\update.exe
- 2002-01-01 01:10:18 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929338\update\update.exe
+ 2008-04-29 22:32:05 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929338\update\update.exe
- 2002-01-01 01:10:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929969\update\update.exe
+ 2008-04-29 22:32:07 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929969\update\update.exe
- 2002-01-01 01:10:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930178\update\update.exe
+ 2008-04-29 22:32:09 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930178\update\update.exe
- 2002-01-01 01:10:20 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\update.exe
+ 2008-04-29 22:32:12 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\update.exe
- 2002-01-01 01:10:21 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931261\update\update.exe
+ 2008-04-29 22:32:13 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931261\update\update.exe
- 2002-01-01 01:10:23 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931768\update\update.exe
+ 2008-04-29 22:32:17 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931768\update\update.exe
- 2002-01-01 01:10:24 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931784\update\update.exe
+ 2008-04-29 22:32:22 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931784\update\update.exe
- 2002-01-01 01:10:24 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931836\update\update.exe
+ 2008-04-29 22:32:24 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931836\update\update.exe
- 2002-01-01 01:10:25 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932168\update\update.exe
+ 2008-04-29 22:32:26 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932168\update\update.exe
- 2002-01-01 01:10:26 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
+ 2008-04-29 22:32:27 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
- 2002-01-01 01:10:28 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933566\update\update.exe
+ 2008-04-29 22:32:31 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933566\update\update.exe
- 2002-01-01 01:10:28 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933729\update\update.exe
+ 2008-04-29 22:32:33 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933729\update\update.exe
- 2002-01-01 01:10:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935839\update\update.exe
+ 2008-04-29 22:32:34 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935839\update\update.exe
- 2002-01-01 01:10:30 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\update.exe
+ 2008-04-29 22:32:36 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\update.exe
- 2002-01-01 01:10:31 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB936021\update\update.exe
+ 2008-04-29 22:32:38 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB936021\update\update.exe
- 2002-01-01 01:10:31 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB936357\update\update.exe
+ 2008-04-29 22:32:40 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB936357\update\update.exe
- 2002-01-01 01:10:33 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937143\update\update.exe
+ 2008-04-29 22:32:44 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937143\update\update.exe
- 2002-01-01 01:10:34 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\update.exe
+ 2008-04-29 22:32:46 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\update.exe
- 2002-01-01 01:10:36 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2008-04-29 22:32:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
- 2002-01-01 01:10:35 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\update.exe
+ 2008-04-29 22:32:48 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\update.exe
- 2002-01-01 01:10:36 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938828\update\update.exe
+ 2008-04-29 22:32:53 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938828\update\update.exe
- 2002-01-01 01:10:37 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938829\update\update.exe
+ 2008-04-29 22:32:56 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938829\update\update.exe
- 2002-01-01 01:10:41 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe
+ 2008-04-29 22:33:11 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe
- 2002-01-01 01:10:39 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\update.exe
+ 2008-04-29 22:33:01 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\update.exe
- 2002-01-01 01:10:42 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
+ 2008-04-29 22:33:13 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
- 2002-01-01 01:10:43 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2008-04-29 22:33:16 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
- 2002-01-01 01:10:44 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2008-04-29 22:33:18 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
- 2002-01-01 01:10:46 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2008-04-29 22:33:25 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
- 2002-01-01 01:10:47 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2008-04-29 22:33:27 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
- 2002-01-01 01:10:48 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\update.exe
+ 2008-04-29 22:33:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943055\update\update.exe
- 2002-01-01 01:10:48 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943460\update\update.exe
+ 2008-04-29 22:33:31 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943460\update\update.exe
- 2002-01-01 01:10:49 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2008-04-29 22:33:33 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
- 2002-01-01 01:10:52 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe
+ 2008-04-29 22:33:38 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe
- 2002-01-01 01:10:52 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2008-04-29 22:33:40 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
- 2002-01-01 01:10:53 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\update.exe
+ 2008-04-29 22:33:42 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\update.exe
- 2008-04-28 23:59:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 14:33:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2002-01-01 01:14:44 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\1b272c8a858f509af0544d58440bc6f0\update\update.exe
- 2002-01-01 01:14:45 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\c8795f85b506ef02f891bd42e25c5cfd\update\update.exe
- 2002-01-01 01:14:46 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\update\update.exe
- 2002-01-01 01:14:47 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\ea3863a5336a3a84f11ecb9a77ebd04d\update\update.exe
- 2002-01-01 01:14:48 716,000 ----a-w C:\WINDOWS\SoftwareDistribution\Download\f7ad988f2335a2207e9e725b4c9d3398\update\update.exe
- 2002-01-01 01:16:10 14,848 -c--a-w C:\WINDOWS\system32\dllcache\register.exe
+ 2008-04-29 22:50:06 14,848 -c--a-w C:\WINDOWS\system32\dllcache\register.exe
- 2002-01-01 01:16:17 68,096 -c--a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
+ 2008-04-29 22:50:25 68,096 -c--a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
- 2008-04-29 06:16:02 78,616 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-29 07:17:32 78,616 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 06:16:02 455,668 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-29 07:17:32 455,668 ----a-w C:\WINDOWS\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-30 17:29 949376]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [2004-09-14 11:13 684032]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 22:44 196608]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-01-10 07:08 638976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-24 18:39 2655272]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 01:37 1115728]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 13:13 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-27 19:33:40 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-26 22:45:55 274432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.X264"= x264vfw.dll
"vidc.davc"= davcvfw.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.ACDV"= ACDV.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2004-08-05 16:19 118784 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-14 03:20 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-06-15 16:17 699120 C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-15 13:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\ESET\\nod32.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1770:TCP"= 1770:TCP:em
"1780:UDP"= 1780:UDP:em2
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"12120:TCP"= 12120:TCP:eMule
"13130:UDP"= 13130:UDP:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-24 18:25]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 10:10]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:07]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [1997-11-26 08:31]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 17:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 20:31]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 08:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 08:40]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 17:20]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\WINDOWS\system32\drivers\usbks1x1.sys []
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys []
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 14:18:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-29 09:49:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:34:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-30 17:53:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 14:53:47
ComboFix2.txt 2008-04-29 13:57:43
ComboFix3.txt 2008-04-29 06:41:15

Pre-Run: 15,969,751,040 bytes free
Post-Run: 15,943,364,608 bytes free

506 --- E O F --- 2008-04-24 09:30:17

Rorschach112
2008-04-30, 18:32
Hello


I guess I should just uninstall these programs and reinstall them. Right?
Yes, that should fix them; leave it till the end though.


After 42 minutes the progress bar shows 4% complete. Is this normal?
Yes, this is normal. It is worth the wait though.


Can you do this after the Kaspersky scan:


Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.




Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Then can you tell me if this folder is present:

C:\Windows\system32\drivers\disdn



So I need to see the Kaspersky scan and the F-Secure scan, and tell me if that folder is there.

adifrank
2008-04-30, 21:05
Looks like Kaspersky found some viruses....

Below is the report.
Next I'll run the F-Secure scan. I'll send you the report when it's done and tell you if I found that disdn file.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 30, 2008 9:56:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/04/2008
Kaspersky Anti-Virus database records: 733227
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 181425
Number of viruses found: 8
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 02:29:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\Application Data\Babylon\log_file.txt Object is locked skipped
C:\Documents and Settings\Dog Machine\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Dog Machine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Last.fm\Client\iTunesPlugin.log Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Last.fm\Client\Last.fm.log Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Last.fm\Client\LastFmHelper.log Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Application Data\Mozilla\Firefox\Profiles\b1d9hef1.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~DF2997.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~DF29B4.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~DF428A.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~DF7D33.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~WRF0001.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\temp\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\My Documents\bROKENkFABE\Script\080427_script.doc Object is locked skipped
C:\Documents and Settings\Dog Machine\My Documents\bROKENkFABE\Script\~WRL1452.tmp Object is locked skipped
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar RAR: infected - 1 skipped
C:\Documents and Settings\Dog Machine\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Dog Machine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dog Machine\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\infected\2MXYTFAA.NQF/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\ESET\infected\2MXYTFAA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\2MXYTFAA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\40M42WDA.NQF/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\ESET\infected\40M42WDA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\40M42WDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\CNHBH3BA.NQF/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\ESET\infected\CNHBH3BA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\CNHBH3BA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\EXHTTPCA.NQF Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Program Files\ESET\infected\PK5FQACA.NQF Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\Program Files\ESET\infected\UC3J0GBA.NQF Infected: Trojan.MSIL.Agent.b skipped
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.vir Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\50433671.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\50438109.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\52644406.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\52646406.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\52669125.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53040656.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53045359.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53060125.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53128171.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53191921.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53252437.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53255890.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\53270375.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\60595046.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\60599343.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\60676609.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\60679031.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\downld\947750.exe.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-04-29_ 22316.48.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme2008-04-29_ 22316.48.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-29_ 22316.48.zip/mdelk.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-29_ 22316.48.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-04-30_173037.20.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme2008-04-30_173037.20.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_173037.20.zip/mdelk.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme2008-04-30_173037.20.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\Registry_backups\Legacy_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023238.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023239.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023240.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023241.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023274.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023295.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023296.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023297.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023320.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP102\A0023321.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023536.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023537.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023538.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023540.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023541.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023542.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023545.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023546.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023548.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023549.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023550.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023553.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023554.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023556.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023557.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023565.exe Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\A0023568.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP104\change.log Object is locked skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022939.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022940.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\System Volume Information\_restore{8A883030-E259-414B-B7CB-EF89BB24A0B8}\RP99\A0022949.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2909.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
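
As an added example that is not part of this thread: a short Python triage of the Kaspersky Online Scanner report format above, separating infected objects still on the execution path from ones already sitting in a quarantine or restore point, and checking whether the scanner took any action other than "skipped". The quarantine prefixes and the shortened sample lines are assumptions modelled on the report.

```python
"""Triage a Kaspersky Online Scanner 5.x report (added example, not from the thread)."""
import re
from collections import Counter

# Every result line is "<path> <status>" and the path may contain spaces,
# so the patterns are anchored on the trailing status text, not the path.
_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
_CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) (?P<action>\S+)$")

# Locations where an infected object is already off the execution path, so it is
# a cleanup item rather than an active threat. Assumed from this thread:
# NOD32 quarantine, ComboFix quarantine, System Restore points.
_STORAGE_PREFIXES = (
    "c:\\program files\\eset\\infected\\",
    "c:\\qoobox\\quarantine\\",
    "c:\\system volume information\\_restore",
)


def on_disk(path):
    """Kaspersky writes archive members as '<archive>/<member>'; Windows paths
    use backslashes, so the first '/' separates the file that exists on disk."""
    return path.split("/", 1)[0]


def is_stored(path):
    return path.lower().startswith(_STORAGE_PREFIXES)


def triage(report):
    families = Counter()   # detection name -> number of objects
    actions = set()        # what the scanner actually did ("skipped", ...)
    live, stored = set(), set()
    locked = 0
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if _LOCKED.match(line):
            locked += 1
            continue
        m = _INFECTED.match(line)
        if m:
            families[m["name"]] += 1
        else:
            m = _CONTAINER.match(line)
            if not m:
                continue   # header, statistics or separator line
        actions.add(m["action"])
        target = on_disk(m["path"])
        (stored if is_stored(target) else live).add(target)
    return {
        "families": families,
        "live": sorted(live),      # needs action on the running system
        "stored": sorted(stored),  # already quarantined / in restore points
        "locked": locked,
        "cleaned": any(a != "skipped" for a in actions),
    }


# Constructed excerpt modelled on the report above (paths shortened).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dog Machine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\sample.rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\sample.rar RAR: infected - 1 skipped
C:\Program Files\ESET\infected\EXHTTPCA.NQF Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\QooBox\Quarantine\catchme.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.nu skipped
C:\QooBox\Quarantine\catchme.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{GUID}\RP102\A0023239.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, count in result["families"].most_common():
        print(f"{count:3d}  {name}")
    print("live   :", *result["live"], sep="\n  ")
    print("stored :", *result["stored"], sep="\n  ")
    print("locked :", result["locked"])
    print("cleaned:", result["cleaned"])
```

On the thread's own report every line ends in "skipped", so `cleaned` is False, which matches the poster's observation that the scanner reported but did not remove anything.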

adifrank
2008-05-01, 00:47
Hi Rorschach
Maybe my celebration was too soon... :red:
I tried scanning my system using F-Secure Online Scan, but after about an hour of scanning I suddenly got a message that says something like: out of memory, please close some applications and try again.

Really no reason why there wouldn't be enough memory available to perform the scan, but in any case I made sure all applications were closed. I even quit some processes that I knew were not needed at the time and ran F-Secure Online Scan again...... and once more, after about an hour or so, I got the same "out of memory" message.

So no luck there.

By the way, Kaspersky Online Scan DID do a complete scan of my system and DID find threats and viruses as you can see from the report, but I don't think it took any action regarding those threats and viruses.

Oh... and I checked and the disdn folder DOES exist in the location you mentioned.

Awaiting your instructions...... :)

Rorschach112
2008-05-01, 00:51
Ok, well Kaspersky found the main bad guy so that is good

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


Folder::
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar

DirLook::
C:\Windows\system32\drivers\disdn

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Then reboot and try F-Secure Online Scanner again

adifrank
2008-05-01, 02:54
Below is the latest report made by ComboFix after dropping that .txt file onto it.

I've rebooted my computer and let F-Secure Online Virus Scanner go to work. I see 4:00 am just around the corner... so I'm gonna let F-Secure do its stuff and hopefully when I wake up (in not too long...) it'll be a done process, all good news and cigars for all of us.

cheers!

ComboFix Report
ComboFix 08-04-27.3 - Dog Machine 2008-05-01 3:07:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.669 [GMT 3:00]
Running from: C:\Documents and Settings\Dog Machine\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dog Machine\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar
C:\Documents and Settings\Dog Machine\My Documents\INCOMING EMULE\Babylon.7.0.0.13.Pro.Multilingual.Incl.Crack.-.UnREal updated-fixed 02-2008.rar\
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
C:\WINDOWS\system32\drivers\downld

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 22:09 . 2008-04-30 22:09 <DIR> d-------- C:\fsaua.data
2008-04-30 18:07 . 2008-04-30 18:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 18:07 . 2008-04-30 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 17:36 . 2008-04-30 17:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 17:36 . 2008-04-30 17:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 11:27 . 2008-04-30 11:27 <DIR> d-------- C:\Deckard
2008-04-29 22:59 . 2008-04-29 22:59 <DIR> d-------- C:\Documents and Settings\Dog Machine\DoctorWeb
2008-04-27 19:34 . 2008-04-27 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Last.fm
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-09 23:38 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\WMR11
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\SourceTec
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-04-07 10:54 . 2008-04-07 10:54 <DIR> d-------- C:\Program Files\iPod
2008-04-07 10:43 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 21:20 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\Babylon
2008-04-27 20:16 --------- d-----w C:\Program Files\eMule
2008-04-24 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 10:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-07 07:54 --------- d-----w C:\Program Files\iTunes
2008-03-09 21:16 --------- d-----w C:\Program Files\Webteh
2008-03-01 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-01 14:42 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\GRETECH
2008-03-01 14:41 --------- d-----w C:\Program Files\GRETECH
2008-03-01 10:30 --------- d-----w C:\Program Files\Vertical Moon
2008-01-25 23:06 443,408 ----a-w C:\Documents and Settings\Dog Machine\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Windows\system32\drivers\disdn ----



((((((((((((((((((((((((((((( snapshot_2008-04-30_17.48.55.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 14:33:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 00:13:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 12:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 12:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 13:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 12:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-30 17:29 949376]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [2004-09-14 11:13 684032]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 22:44 196608]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-24 18:39 2655272]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 01:37 1115728]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 13:13 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-27 19:33:40 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-26 22:45:55 274432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.X264"= x264vfw.dll
"vidc.davc"= davcvfw.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.ACDV"= ACDV.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2004-08-05 16:19 118784 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-14 03:20 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-06-15 16:17 699120 C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-15 13:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\ESET\\nod32.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1770:TCP"= 1770:TCP:em
"1780:UDP"= 1780:UDP:em2
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"12120:TCP"= 12120:TCP:eMule
"13130:UDP"= 13130:UDP:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-24 18:25]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 10:10]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:07]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [1997-11-26 08:31]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 17:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 20:31]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 08:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 08:40]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 17:20]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\WINDOWS\system32\drivers\usbks1x1.sys []
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys []
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 14:18:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-29 09:49:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 03:16:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-01 3:32:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 00:31:46
ComboFix2.txt 2008-04-30 14:53:54
ComboFix3.txt 2008-04-29 13:57:43
ComboFix4.txt 2008-04-29 06:41:15

Pre-Run: 15,811,424,256 bytes free
Post-Run: 15,870,103,552 bytes free

217 --- E O F --- 2008-04-24 09:30:17

adifrank
2008-05-01, 08:25
Won't light up the cigars just yet....... I awoke and found the "not enough memory" message sitting on my screen. Please let me know what to do next and when I return home, later, at night, I'll put my scrubs back on and continue from where we left off.


(thanks for all the help and patience up to now. I really appreciate it)

Rorschach112
2008-05-01, 13:57
That may not be due to malware

Can you post the F-Secure log and do this


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

File::
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe

Folder::
C:\Windows\system32\drivers\disdn

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H2O"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Also post a new HijackThis log

adifrank
2008-05-02, 02:46
Hi.
F-Secure didn't make a report. Once the "not enough memory" message appeared, it just asked me whether to try and run the scan again, or quit. I didn't see any option to create a report.

Below is the ComboFix log which was made after following your instructions from your latest post.

ComboFix log
ComboFix 08-04-27.3 - Dog Machine 2008-05-02 3:15:43.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.684 [GMT 3:00]
Running from: C:\Documents and Settings\Dog Machine\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dog Machine\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\disdn . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-30 22:09 . 2008-04-30 22:09 <DIR> d-------- C:\fsaua.data
2008-04-30 18:07 . 2008-04-30 18:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 18:07 . 2008-04-30 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 17:36 . 2008-05-02 03:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 17:36 . 2008-04-30 17:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 11:27 . 2008-04-30 11:27 <DIR> d-------- C:\Deckard
2008-04-29 22:59 . 2008-04-29 22:59 <DIR> d-------- C:\Documents and Settings\Dog Machine\DoctorWeb
2008-04-27 19:34 . 2008-04-27 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Last.fm
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-09 23:38 . 2008-04-09 23:48 <DIR> d-------- C:\Program Files\WMR11
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\SourceTec
2008-04-08 03:34 . 2008-04-08 03:34 <DIR> d-------- C:\Program Files\Common Files\SourceTec
2008-04-07 10:54 . 2008-04-07 10:54 <DIR> d-------- C:\Program Files\iPod
2008-04-07 10:43 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 00:37 --------- d-----w C:\Documents and Settings\Dog Machine\Application Data\Babylon
2008-04-27 20:16 --------- d-----w C:\Program Files\eMule
2008-04-24 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 10:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-07 07:54 --------- d-----w C:\Program Files\iTunes
2008-03-09 21:16 --------- d-----w C:\Program Files\Webteh
2008-01-25 23:06 443,408 ----a-w C:\Documents and Settings\Dog Machine\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-04-30_17.48.55.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 14:33:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 00:23:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 12:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 12:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 13:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 12:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:07 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-30 17:29 949376]
"Matrox Powerdesk"="C:\WINDOWS\system32\PDesk\PDesk.exe" [2004-09-14 11:13 684032]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 22:44 196608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2006-05-24 18:39 2655272]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 01:37 1115728]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 13:13 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Dog Machine\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-27 19:33:40 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-26 22:45:55 274432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= divxc32.dll
"vidc.DIV4"= divxc32f.dll
"vidc.X264"= x264vfw.dll
"vidc.davc"= davcvfw.dll
"msacm.divxa32"= msaud32_divx.acm
"VIDC.ACDV"= ACDV.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2004-08-05 16:19 118784 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-14 03:20 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
--a------ 2007-06-15 16:17 699120 C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Titan FTP Server Tray App]
C:\Program Files\South River Technologies\Titan FTP Server\srxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-15 13:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\ESET\\nod32.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Engineer XII\\RpcSandraSrv.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1770:TCP"= 1770:TCP:em
"1780:UDP"= 1780:UDP:em2
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"12120:TCP"= 12120:TCP:eMule
"13130:UDP"= 13130:UDP:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-24 18:25]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 10:10]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 04:07]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [1997-11-26 08:31]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 17:20]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 20:31]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 08:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 08:40]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 17:20]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\WINDOWS\system32\drivers\usbks1x1.sys []
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys []
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\WINDOWS\system32\drivers\usbmidim.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 14:18:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-04-29 09:49:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 03:23:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-02 3:40:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 00:39:01
ComboFix2.txt 2008-05-01 00:32:48
ComboFix3.txt 2008-04-30 14:53:54
ComboFix4.txt 2008-04-29 13:57:43
ComboFix5.txt 2008-04-29 06:41:15

Pre-Run: 15,844,118,528 bytes free
Post-Run: 15,901,343,744 bytes free

203 --- E O F --- 2008-04-24 09:30:17
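Added example, not part of the thread and not ComboFix's own code: a small Python checker that reads a CFScript of the shape posted above together with the ComboFix log it produced, reports whether each File::/Folder:: target was deleted, failed (as the disdn folder did here) or was never listed, and flags Run-key values carrying the empty "[ ]" that marks a target file ComboFix could not find (the situation of the "H2O" entry the script removed). It assumes only the plain-text layouts visible in the logs above; the sample script and log excerpt are constructed from entries quoted in the thread.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote afterwards.

Added example, not ComboFix's own code. Assumed layouts (taken from the thread):
a CFScript of `Section::` headers each followed by one entry per line; a log
whose "Other Deletions" block lists one path per line, appending
". . . . failed to delete" when removal failed; and Run-key entries that end in
"[date time size]" or in an empty "[ ]" when the target file no longer exists.
"""
import re

# Constructed from the File::/Folder:: entries posted in the thread.
SAMPLE_CFSCRIPT = """\
KillAll::

File::
C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
C:\\Program Files\\Syncrosoft\\POS\\H2O\\cledx.exe

Folder::
C:\\Windows\\system32\\drivers\\disdn

Driver::
"""

# Constructed log excerpt: one deletion succeeded, the folder could not be
# removed, and one Run entry still points at a file that is gone ("[ ]").
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\\Program Files\\Syncrosoft\\POS\\H2O\\cledx.exe
C:\\Windows\\system32\\drivers\\disdn . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"nod32kui"="C:\\Program Files\\Eset\\nod32kui.exe" [2008-04-30 17:29 949376]
"H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe" [ ]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")            # e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")   # "(((( Other Deletions ))))"
FAILED_SUFFIX = "failed to delete"
ORPHAN_RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[\s*\]\s*$')


def norm_path(path: str) -> str:
    """Case-fold and drop a trailing backslash so folder spellings compare equal."""
    return path.strip().rstrip("\\").casefold()


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Map each `Section::` header to its non-blank entry lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def parse_deletions(log: str) -> dict[str, str]:
    """Return {normalized path: 'deleted' | 'failed'} from the Other Deletions block."""
    result: dict[str, str] = {}
    inside = False
    for line in log.splitlines():
        m = BANNER_RE.match(line)
        if m:                       # a new banner starts or ends the block
            inside = m.group(1) == "Other Deletions"
            continue
        line = line.strip()
        if not inside or not line or line == ".":
            continue
        if line.endswith(FAILED_SUFFIX):
            path = line[: -len(FAILED_SUFFIX)].rstrip(" .")
            result[norm_path(path)] = "failed"
        else:
            result[norm_path(line)] = "deleted"
    return result


def reconcile(script: str, log: str) -> dict[str, str]:
    """For every File::/Folder:: target, report deleted / failed / not listed."""
    sections = parse_cfscript(script)
    deletions = parse_deletions(log)
    targets = sections.get("File", []) + sections.get("Folder", [])
    return {t: deletions.get(norm_path(t), "not listed") for t in targets}


def orphan_run_entries(log: str) -> dict[str, str]:
    """Run-key values whose target ComboFix could not stat (trailing "[ ]")."""
    orphans: dict[str, str] = {}
    for line in log.splitlines():
        m = ORPHAN_RUN_RE.match(line.strip())
        if m:
            orphans[m.group(1)] = m.group(2)
    return orphans


if __name__ == "__main__":
    for target, status in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{status:<10} {target}")
    for name, target in orphan_run_entries(SAMPLE_LOG).items():
        print(f"orphan Run entry {name!r} -> {target}")
```

A "failed" or "not listed" target is the cue to re-run or to ask for a follow-up script, as the helper did above for the disdn folder.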

Rorschach112
2008-05-02, 02:53
Ok, looking good

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Also post a new HijackThis log and tell me how the PC is running

adifrank
2008-05-02, 03:22
Okay, I've downloaded Malwarebytes' Anti-Malware and installed it. It should be performing an update now, but what I'm seeing is a small window with a progress bar in it. It says:

Looking for malwarebytes.org

and there is absolutely nothing happening with the progress bar. No progress or change. It's been like this for about 10 minutes. Should I keep waiting, or do you think something might not be right?

adifrank
2008-05-02, 03:47
.... (continued)..... after another 10 minutes and still no progress, I closed the small window, opened the application again, then selected a different mirror and clicked the "check for updates" button.

The same window with progress bar appeared. After 7 minutes or so, the results are the same. There seems to be no progress going on. Just the message:

Looking for It-Mate.co.uk

adifrank
2008-05-02, 11:29
I finally went to bed and left Malwarebytes Anti-Malware still looking for It-Mate.co.uk.


(six hours later)

No apparent progress. It remained exactly the same, just as I left it, so I closed the application

....awaiting further instructions.

Rorschach112
2008-05-02, 13:01
Leave that then

Can you post a new HijackThis log and tell me how your PC is running

adifrank
2008-05-02, 14:21
It's probably not important, but I thought I'd let you know that I uninstalled NOD32, Comodo Firewall and Sunbelt Counterspy. I'll reinstall them once I'm in the clear for sure.

The hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:49 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym&rl=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDFC83AF-9AEB-4405-A519-DBB9C85248B7}: NameServer = 192.168.1.1,62.90.42.110,212.150.49.10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Engineer XII\RpcSandraSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 11013 bytes
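
Added example, not code from HijackThis or from this thread: a small Python parser for the log format above, with three triage checks a helper otherwise does by eye (Run values given as a bare file name, O17 DNS servers outside private ranges, and O16 ActiveX controls fetched from a URL). The sample is a handful of lines copied from the posted log; the check rules are this example's own, not verdicts from the tool.

```python
"""Parse HijackThis v2 log entries and apply three quick triage checks.
Added example: neither HijackThis nor the thread supplies a parser, and the
check rules are this example's own, not the tool's verdicts."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Every entry line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<src>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
# Path-qualified = starts with a drive letter or UNC prefix (surrounding quotes allowed).
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDFC83AF-9AEB-4405-A519-DBB9C85248B7}: NameServer = 192.168.1.1,62.90.42.110,212.150.49.10
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """One {'section', 'body'} dict per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def unqualified_run_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """O4 Run values given as a bare file name instead of a full path. Windows
    resolves these through the search order, so confirm which file actually
    loads (the posted log has one such value: [DeltTray] DeltTray.exe)."""
    found = []
    for e in entries:
        m = RUN_RE.match(e["body"]) if e["section"] == "O4" else None
        if m and not QUALIFIED_RE.match(m.group("cmd").strip()):
            found.append((m.group("name"), m.group("cmd").strip()))
    return found


def name_servers(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """O17 DNS servers, each tagged private (RFC 1918) or public. Public entries
    are normal for ISP resolvers but should match what the ISP actually issues."""
    result = []
    for e in entries:
        m = NS_RE.search(e["body"]) if e["section"] == "O17" else None
        for s in (m.group("servers").split(",") if m else []):
            result.append((s, "private" if ipaddress.ip_address(s).is_private else "public"))
    return result


def remote_activex(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """O16 DPF controls fetched from a URL rather than a local DLL path."""
    hits = []
    for e in entries:
        m = DPF_RE.match(e["body"]) if e["section"] == "O16" else None
        if m and m.group("src").lower().startswith(("http://", "https://")):
            hits.append((m.group("name"), m.group("src")))
    return hits


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("unqualified Run entries:", unqualified_run_entries(found))
    print("name servers:", name_servers(found))
    print("remote ActiveX:", remote_activex(found))
```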

Rorschach112
2008-05-02, 16:34
Your logs are clean! We need to do a few things.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

adifrank
2008-05-02, 17:54
Great to hear it!!

I've uninstalled Combofix.

Regarding the removal of older version Java components, the only component I found in the uninstall utility, under "currently installed programs" is:
Java(TM) 6 Update 3

Should I uninstall that?

Rorschach112
2008-05-02, 23:12
Yes that is the one

Let me know if you have any more questions

adifrank
2008-05-03, 09:47
All is looking very good. Re-installed Java.
Now I'm installing the protection software you recommended.
I've been using Firefox for over a year.
and I've installed:
AVG antivirus
Spyware Blaster (and donated the $10 for auto updates)

I'm about to install the Comodo Firewall. As you may recall I uninstalled Comodo Firewall previously because apparently it had been corrupted. Before going ahead with the new install I checked Microsoft Security Center (Start > Control Panel > Security Center) to make sure no 3rd party Firewalls may be running (as recommended by Comodo at the start of the installation process). The Firewall indication is ON and below it says that Comodo Firewall Pro is ON (although it was uninstalled yesterday).

So I'm not sure if there is something wrong... or something I should do to completely uninstall Comodo Firewall, or if I should just go ahead, ignore the fact that Windows seems to think I have a firewall running and re-install Comodo?

Rorschach112
2008-05-03, 12:40
I wouldn't worry about that, go ahead and re-install Comodo. Won't cause any problems

Let me know how that goes and if you have any more questions

adifrank
2008-05-03, 18:09
:bow:

My computer is running nicely and seems fairly protected now, thanks to your great help!! It was a pleasure working this out with you. I made a humble donation with hopes you guys keep up the excellent work in keeping our files clean.

Have a great weekend. :)

Rorschach112
2008-05-03, 18:37
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Rorschach112
2008-05-04, 12:42
What seems to be the problem?

adifrank
2008-05-04, 14:01
Hi again. I received a Microsoft "updates available" indication this morning. So, as usual I clicked it and started the download/install process of the latest Windows xp security updates. But strangely, I did not receive any confirmation that the updates were successfully installed and so on. So I went to the Microsoft Windows update section in their website, clicked update history and saw that since running into the malware problem we just recently fixed, all windows updates have failed to install.

Rorschach112
2008-05-04, 15:35
Try this

Download Dial-a-Fix (http://www.majorgeeks.com/download4899.html) to your desktop and unzip it to its own folder

Run it

Under WU/WUAU, check the box beside "Fix Windows Update", then click Go

Reboot your PC and see if Windows Update works now

adifrank
2008-05-04, 20:53
I got some error messages and Windows updates failed again.

The updates I am trying to download and install are:

Security Update for Windows XP K3941693
Security Update for Windows XP K3945553
Security Update for Windows XP K3948590

Here is the dial-a-fix log:

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.13
MPC: 55274-640
CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (~2390MHz)
BIOS: 2/13/2005
Memory (approx): 1021MB
Uptime: 0 hour(s)
Current directory: C:\Documents and Settings\Dog Machine\My Documents\DOWNLOADS\dial a fix\Dial-a-fix-v0.60.0.24
---

5/4/2008 9:30:39 PM -- Dial-a-fix : [v0.60.0.24] -- started
9:30:39 PM | Policy scan started
9:30:39 PM | Policy scan ended - no restrictive policies were found
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
9:31:08 PM | Unregistered: C:\WINDOWS\system32\msxml.dll
9:31:08 PM | Registered: C:\WINDOWS\system32\msxml.dll
9:31:09 PM | Unregistered: C:\WINDOWS\system32\msxml2.dll
9:31:09 PM | Registered: C:\WINDOWS\system32\msxml2.dll
9:32:15 PM | Error during unregistration of C:\WINDOWS\system32\msxml3.dll - version: . The error returned is: Unspecified error
(-2147467259)
9:32:29 PM | Error during registration of C:\WINDOWS\system32\msxml3.dll - version: . The error returned is: Access is denied.
(-2147024891)
9:32:29 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
9:32:29 PM | Registered: C:\WINDOWS\system32\msxml4.dll
9:32:30 PM | Unregistered: C:\WINDOWS\system32\qmgr.dll
9:32:30 PM | Registered: C:\WINDOWS\system32\qmgr.dll
9:32:30 PM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
9:32:30 PM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
9:32:30 PM | Unregistered: C:\WINDOWS\system32\muweb.dll
9:32:30 PM | Registered: C:\WINDOWS\system32\muweb.dll
9:32:30 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
9:32:30 PM | Registered: C:\WINDOWS\system32\winhttp.dll
9:32:31 PM | Registered: C:\WINDOWS\system32\wuapi.dll
9:32:31 PM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wuaueng.dll
9:32:33 PM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wuaueng1.dll
9:32:33 PM | Unregistered: C:\WINDOWS\system32\wucltui.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wucltui.dll
9:32:33 PM | Unregistered: C:\WINDOWS\system32\wups.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wups.dll
9:32:33 PM | Unregistered: C:\WINDOWS\system32\wups2.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wups2.dll
9:32:33 PM | Unregistered: C:\WINDOWS\system32\wuweb.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\wuweb.dll
9:32:33 PM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
9:33:00 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
9:33:04 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
9:33:04 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
9:33:05 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
9:33:05 PM | Registered: C:\WINDOWS\system32\cryptui.dll
9:33:05 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
9:33:05 PM | Registered: C:\WINDOWS\system32\cryptext.dll
9:33:05 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
9:33:05 PM | Registered: C:\WINDOWS\system32\dssenh.dll
9:33:06 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
9:33:06 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
9:33:06 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
9:34:21 PM | Registered: C:\WINDOWS\system32\initpki.dll
9:34:23 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
9:34:24 PM | Registered: C:\WINDOWS\system32\licdll.dll
9:34:24 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
9:34:24 PM | Registered: C:\WINDOWS\system32\mssign32.dll
9:34:24 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
9:34:24 PM | Registered: C:\WINDOWS\system32\mssip32.dll
9:34:25 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
9:34:25 PM | Registered: C:\WINDOWS\system32\scardssp.dll
9:34:25 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
9:34:25 PM | Registered: C:\WINDOWS\system32\sccbase.dll
9:34:25 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
9:34:30 PM | Registered: C:\WINDOWS\system32\scecli.dll
9:34:30 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
9:34:31 PM | Registered: C:\WINDOWS\system32\softpub.dll
9:34:31 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
9:34:31 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
9:34:31 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
9:34:31 PM | Registered: C:\WINDOWS\system32\regwizc.dll
9:34:31 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
9:34:31 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
9:34:31 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
9:34:31 PM | Registered: C:\WINDOWS\system32\winhttp.dll
9:34:31 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
9:34:32 PM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: Programming cores/runtimes ---
9:34:32 PM | Registered: C:\WINDOWS\system32\atl.dll
9:34:32 PM | Registered: C:\WINDOWS\system32\corpol.dll
9:34:32 PM | Registered: C:\WINDOWS\system32\jscript.dll
9:34:32 PM | Registered: C:\WINDOWS\system32\dispex.dll
9:34:37 PM | Error during registration of C:\WINDOWS\system32\scrrun.dll - version: 5.6.0.8820. The error returned is: Unspecified error
(-2147467259)
9:34:37 PM | Registered: C:\WINDOWS\system32\scrobj.dll
9:34:38 PM | Registered: C:\WINDOWS\system32\vbscript.dll
9:34:38 PM | Registered: C:\WINDOWS\system32\wshext.dll
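
Added example, not from Dial-a-fix or this thread: a Python routine that pulls the registration failures out of a log like the one above and decodes the signed return codes the tool prints into HRESULTs, so the "Access is denied" on msxml3.dll reads as 0x80070005 (Win32 error 5). The log excerpt is copied from the post; the name table covers only the two codes that appear in it.

```python
"""Triage a Dial-a-fix log: collect DLL registration failures and decode
the signed return codes into HRESULTs. Added example, not part of
Dial-a-fix; the excerpt below is copied from the log posted in the thread."""
import re
from collections import Counter
from typing import Dict, List

ERROR_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) \| Error during "
    r"(?P<op>registration|unregistration) of (?P<path>.+?) - version: "
    r"(?P<version>.*?)\. The error returned is: (?P<msg>.*)$"
)
CODE_RE = re.compile(r"^\((?P<code>-?\d+)\)$")  # the numeric code follows on its own line

# HRESULT names for the two codes that appear in the posted log.
KNOWN_HRESULTS = {0x80004005: "E_FAIL", 0x80070005: "E_ACCESSDENIED"}
FACILITY_WIN32 = 7

# Constructed excerpt of the Dial-a-fix log above (failures plus neighbouring lines).
SAMPLE_DAF_LOG = r"""9:31:09 PM | Registered: C:\WINDOWS\system32\msxml2.dll
9:32:15 PM | Error during unregistration of C:\WINDOWS\system32\msxml3.dll - version: . The error returned is: Unspecified error
(-2147467259)
9:32:29 PM | Error during registration of C:\WINDOWS\system32\msxml3.dll - version: . The error returned is: Access is denied.
(-2147024891)
9:32:29 PM | Unregistered: C:\WINDOWS\system32\msxml4.dll
9:34:37 PM | Error during registration of C:\WINDOWS\system32\scrrun.dll - version: 5.6.0.8820. The error returned is: Unspecified error
(-2147467259)
9:34:37 PM | Registered: C:\WINDOWS\system32\scrobj.dll
"""


def decode_hresult(signed: int) -> Dict[str, object]:
    """Dial-a-fix prints the 32-bit HRESULT as a signed integer; recover the hex value."""
    h = signed & 0xFFFFFFFF
    facility = (h >> 16) & 0x1FFF
    return {
        "hresult": f"0x{h:08X}",
        "name": KNOWN_HRESULTS.get(h, "unknown"),
        # FACILITY_WIN32 HRESULTs carry a Win32 error in the low 16 bits (5 = ERROR_ACCESS_DENIED).
        "win32": h & 0xFFFF if facility == FACILITY_WIN32 else None,
    }


def registration_failures(log: str) -> List[Dict[str, object]]:
    """One record per 'Error during (un)registration' line, joined with the code line after it."""
    lines = log.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        entry: Dict[str, object] = {
            "time": m.group("time"), "op": m.group("op"), "path": m.group("path"),
            "version": m.group("version"), "msg": m.group("msg").rstrip("."),
            "hresult": None, "name": None, "win32": None,
        }
        if i + 1 < len(lines):
            c = CODE_RE.match(lines[i + 1].strip())
            if c:
                entry.update(decode_hresult(int(c.group("code"))))
        failures.append(entry)
    return failures


def failed_modules(log: str) -> Dict[str, int]:
    """Failure count per DLL file name, e.g. {'msxml3.dll': 2, 'scrrun.dll': 1}."""
    return dict(Counter(str(f["path"]).rsplit("\\", 1)[-1] for f in registration_failures(log)))


if __name__ == "__main__":
    for f in registration_failures(SAMPLE_DAF_LOG):
        print(f'{f["time"]} {f["op"]:<14} {f["path"]} -> {f["hresult"]} {f["name"]} ({f["msg"]})')
    print(failed_modules(SAMPLE_DAF_LOG))
```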

Rorschach112
2008-05-04, 20:58
I am not sure how to fix that problem as it is not malware related

To fix it, I would recommend you make an account at this site

http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

And post your problem there. Tell them I sent you over. They should be able to fix it


Any other questions?

Rorschach112
2008-05-09, 01:26
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.