computer in bad shape--newbie



sthaks
2008-05-27, 06:03
hi

I have a very badly infected computer: SMITFRAUD-c, smitfraud c-gp. It doesn't let me run the online virus checker, nothing.... Please help and guide me.

Sonali
Bombay, India

Blade81
2008-05-28, 10:55
Hi

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here. :)

sthaks
2008-06-03, 16:44
Here's the log from HijackThis. I am not able to access www.kaspersky.com from the infected laptop, nor am I able to access the Spybot forums page?? Don't understand?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:06 AM, on 6/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CPUTray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speed+\Configurator\ventcfg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: gooochi browser optimizer - {1bb4d908-e6a2-5fb2-7737-cb6b3259f870} - C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [Paw] "C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" /boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Speed+\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\$winnt$e.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\$winnt$e.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155850863321
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBsstqO - geBsstqO.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8449 bytes
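
An added example (not part of the thread, and not a tool of the forum's own): rule-based triage of the HijackThis entries a helper looks at first. The rules (extra UserInit executables, registrations marked "(file missing)" or "(no file)", autoruns launched from a user's Application Data tree, the same autorun present under both HKLM and HKCU, and unknown-owner services with a missing binary) are heuristics for review, not verdicts; the sample lines are copied from the log posted above.

```python
"""Rule-based triage of HijackThis v2 log lines (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# A finding is (HJT section, reason, offending log line).
Finding = Tuple[str, str, str]

# HijackThis itself appends these when the registered file is absent on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

# On Windows XP the only legitimate UserInit value is the system userinit.exe;
# every additional comma-separated entry is executed at each interactive logon.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Startup entries launched from a user profile's Application Data tree.
USER_APPDATA_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\Application Data\\", re.IGNORECASE)

# O4 - HKLM\..\Run: [Name] C:\path\to\file.exe args
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def check_f2_userinit(line: str) -> List[Finding]:
    """Flag every UserInit entry other than the stock userinit.exe."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != LEGIT_USERINIT]
    if not extra:
        return []
    return [("F2", "extra UserInit executable(s): " + ", ".join(extra), line)]


def check_missing(section: str, line: str) -> List[Finding]:
    """Registrations whose target is gone: orphaned loaders (BHO, Winlogon Notify)."""
    if any(marker in line for marker in MISSING_MARKERS):
        return [(section, "registered component is missing on disk; orphaned after partial cleanup", line)]
    return []


def check_o23_service(line: str) -> List[Finding]:
    """A service with no recognised vendor whose binary is gone deserves a closer look."""
    if "Unknown owner" in line and any(marker in line for marker in MISSING_MARKERS):
        return [("O23", "service with unknown owner and missing binary", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run all rules over an HJT log and return the findings in log order."""
    findings: List[Finding] = []
    # (name, target) -> hives it is registered under, to spot the same autorun twice.
    run_hives: Dict[Tuple[str, str], set] = {}
    run_lines: Dict[Tuple[str, str], str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2":
            findings += check_f2_userinit(line)
        elif section in ("O2", "O20"):
            findings += check_missing(section, line)
        elif section == "O23":
            findings += check_o23_service(line)
        elif section == "O4":
            m = O4_RUN_RE.match(line)
            if not m:
                continue
            hive, name, target = m.groups()
            if USER_APPDATA_RE.search(target):
                findings.append(("O4", f"autorun '{name}' launches from a user profile Application Data directory", line))
            key = (name.lower(), target.lower())
            run_hives.setdefault(key, set()).add(hive)
            run_lines[key] = line
    # Legitimate installers register an autorun under HKLM or HKCU, not both.
    for key, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("O4", f"autorun '{key[0]}' registered under both HKLM and HKCU", run_lines[key]))
    return findings


# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O2 - BHO: gooochi browser optimizer - {1bb4d908-e6a2-5fb2-7737-cb6b3259f870} - C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\$winnt$e.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\$winnt$e.exe
O20 - Winlogon Notify: geBsstqO - geBsstqO.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Each rule only narrows what a human reviews; a legitimate entry can trip a rule (a vendor that HijackThis lists as "Unknown owner", for instance), so the findings are a reading order, not a removal list.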

Blade81
2008-06-03, 18:29
Hi

Connection problem is caused by the infection.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

sthaks
2008-06-04, 01:01
1. I could not access any of the links for ComboFix from the infected machine, so I did it from my other laptop and put it on the desktop via a USB drive.
2. The program was blocked and wouldn't open. So I changed the name of the program and then double-clicked, after which it ran.

Attached are the logs from ComboFix and HijackThis:

Thanks for all your help.

ComboFix 08-06-01.6 - snali 2008-06-03 18:46:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.431 [GMT -4:00]
Running from: C:\Documents and Settings\snali\Desktop\Fixit.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\BM27452a3f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\explore.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acobjomr.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\eutibdqc.ini
C:\WINDOWS\system32\IkTvwvut.ini
C:\WINDOWS\system32\IkTvwvut.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oVvFNnnn.ini
C:\WINDOWS\system32\oVvFNnnn.ini2

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 12:43 . 2008-06-03 18:52 <DIR> d-------- C:\Program Files\uTorrent
2008-06-03 10:28 . 2008-06-03 10:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 10:24 . 2008-06-03 10:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:41 94,208 -----c--- C:\WINDOWS\system32\dllcache\ehituner.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-06-03 03:40 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-03 03:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003644_.tmp
2008-06-03 02:20 . 2008-06-03 03:51 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-03 02:19 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-06-03 01:54 . 2008-06-03 03:58 8,617 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-03 01:42 . 2008-06-03 01:42 0 --------- C:\WINDOWS\system32\HFX1301.tmp
2008-06-03 01:21 . 2008-04-14 05:42 1,033,728 --a------ C:\WINDOWS\SET452.tmp
2008-06-03 01:21 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET589.tmp
2008-06-03 01:21 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET58F.tmp
2008-06-03 01:19 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1E1.tmp
2008-06-03 01:15 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003189_.tmp
2008-06-03 01:12 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\SET16F6.tmp
2008-06-03 01:00 . 2008-06-03 01:54 <DIR> d-------- C:\43f1a73a8204c24fc3fad39e
2008-06-02 07:56 . 2008-06-02 07:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 07:56 . 2008-06-02 07:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-02 07:56 . 2008-06-02 07:57 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 07:56 . 2008-06-02 07:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 07:53 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-06-02 07:53 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-06-02 07:53 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-06-02 07:50 . 2008-06-02 07:57 <DIR> d-------- C:\Program Files\Symantec
2008-06-02 07:50 . 2008-06-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-02 07:50 . 2008-06-02 07:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Program Files\AVG
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Documents and Settings\snali\Application Data\SUPERAntiSpyware.com
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-27 03:44 . 2008-05-27 03:44 21,760 --a------ C:\WINDOWS\quicken.exe
2008-05-27 03:44 . 2008-05-27 03:44 17,664 --a------ C:\WINDOWS\internet.exe
2008-05-27 03:44 . 2008-05-27 03:44 17,664 --a------ C:\WINDOWS\editpad.exe
2008-05-27 03:44 . 2008-05-27 03:44 15,104 --a------ C:\WINDOWS\msconfd.dll
2008-05-26 23:34 . 2008-05-26 23:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-26 23:21 . 2008-06-03 12:33 3,604 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-26 23:20 . 2008-06-03 12:37 <DIR> d-------- C:\SmitfraudFix
2008-05-26 22:43 . 2008-05-26 23:20 1,392,246 --a------ C:\name.exe
2008-05-25 12:08 . 2008-06-02 08:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 02:20 . 2008-05-25 02:20 401,973 --a------ C:\WINDOWS\system32\g56.exe
2008-05-25 02:20 . 2008-05-25 02:21 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-25 02:09 . 2008-05-25 12:14 474 ---hs---- C:\WINDOWS\system32\haxycdhj.ini
2008-05-25 02:01 . 2008-05-25 14:03 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-25 02:01 . 2008-05-25 02:01 <DIR> d-------- C:\WINDOWS\system32\igv
2008-05-25 02:01 . 2008-06-02 09:06 <DIR> d-------- C:\WINDOWS\system32\hI2
2008-05-25 02:01 . 2008-05-25 14:03 <DIR> d-------- C:\WINDOWS\system32\at1
2008-05-25 02:01 . 2008-05-25 14:03 <DIR> d-------- C:\WINDOWS\system32\1064a
2008-05-25 02:01 . 2008-05-25 14:03 <DIR> d--hs---- C:\WINDOWS\c25hbGk
2008-05-25 02:01 . 2008-06-03 18:46 <DIR> d-------- C:\Temp
2008-05-25 02:01 . 2008-05-27 00:55 78,378 --a------ C:\WINDOWS\system32\spywarewarning2.mht
2008-05-25 02:01 . 2004-08-10 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-25 02:00 . 2008-05-25 02:00 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Program Files\WM Converter
2008-05-14 20:21 . 2008-05-25 02:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 20:21 . 2008-05-14 20:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 13:35 . 2008-05-13 13:37 <DIR> d-------- C:\Documents and Settings\snali\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 22:43 --------- d-----w C:\Documents and Settings\snali\Application Data\Skype
2008-06-03 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-03 16:12 --------- d-----w C:\Program Files\BitComet
2008-06-03 16:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-25 06:16 32,512 ----a-w C:\WINDOWS\searchword.dll
2008-04-14 09:45 218,134 ----a-w C:\WINDOWS\AppPatch\SET4EF.tmp
2008-04-14 09:45 204,396 ----a-w C:\WINDOWS\AppPatch\SET4EE.tmp
2008-04-14 09:45 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET4ED.tmp
2008-04-14 09:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:42 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 09:42 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 09:42 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 09:42 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 09:42 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 09:42 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 09:42 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 09:42 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 09:42 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 04:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 04:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 04:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 04:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 04:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 04:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 04:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 04:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 04:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 04:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 04:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 04:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 04:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 04:16 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-14 04:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-14 04:16 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-14 04:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-14 04:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-14 04:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 04:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 04:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-14 04:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-14 04:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-14 04:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-14 04:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 04:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 04:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 04:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 04:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 04:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 04:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 04:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 04:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-14 04:09 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-14 04:09 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-14 04:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-14 04:09 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-14 04:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bb4d908-e6a2-5fb2-7737-cb6b3259f870}]
C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-09-16 14:05 2048093]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 04:01 22880040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-03 11:47 68856]
"Microsoft Windows Installer"="C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe" [2008-05-25 02:01 121856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 07:04 59392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-15 17:33 7573504]
"SkyTel"="SkyTel.EXE" [2006-08-15 17:28 2879488 C:\WINDOWS\SkyTel.exe]
"CPUTray"="C:\WINDOWS\system32\CPUTray.exe" [2005-05-13 18:46 212992]
"SMSERIAL"="sm56hlpr.exe" [2006-08-15 16:56 557056 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 17:15 798810]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [2005-02-03 22:18 118784]
"Eval"="C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe" [2005-02-19 19:39 1826816]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-02-19 14:33 573440]
"Paw"="C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" [2005-02-24 23:53 401408]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 09:28 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 00:06 256576]
"Venturi Configurator"="C:\Program Files\Speed+\Configurator\ventcfg.exe" [2007-08-16 05:35 959880]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-03-15 20:03 127037]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 07:20 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 07:20 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-06-02 16:56 115560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsstqO]
geBsstqO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM27452a3f]
C:\WINDOWS\system32\wydtaxun.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-15 17:37 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-08-15 17:25 16248320 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1746ea44-e384-0868-edfa-ffdf76fbf887}]
C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcsquid.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcdnsserver.exe"=
"C:\\Program Files\\Speed+\\Configurator\\ventcfg.exe"=
"C:\\Program Files\\Speed+\\Client\\VentC.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17233:TCP"= 17233:TCP:BitComet 17233 TCP
"17233:UDP"= 17233:UDP:BitComet 17233 UDP

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-08-15 17:31]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-08-15 17:31]
R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-02-11 13:25]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2004-05-18 17:43]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2004-12-06 17:43]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 02:27]
R2 VenturiClient;Venturi Client;C:\Program Files\Speed+\Client\ventc.exe [2007-08-16 05:36]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-08-15 16:58]
R3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 20:34]
R3 vwinter;Venturi Wireless Intercepter;C:\WINDOWS\system32\drivers\vwinter.sys [2007-04-30 09:32]
R3 vwredir;Venturi Wireless Redirector;C:\WINDOWS\system32\drivers\vwredir.sys [2007-04-30 09:32]
S1 tdpipee;tdpipee;C:\WINDOWS\system32\drivers\tdpipee.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fee8bde-8592-11dc-920a-0013d38050ac}]
\Shell\????...\command - QQSPY.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL QQSPY.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 10:24:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 18:52:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\LIBEAY32_0.9.6l.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-03 18:55:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 22:55:36

Pre-Run: 69,080,023,040 bytes free
Post-Run: 69,085,655,040 bytes free

346 --- E O F --- 2008-05-17 14:49:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:29 PM, on 6/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\CPUTray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speed+\Configurator\ventcfg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: gooochi browser optimizer - {1bb4d908-e6a2-5fb2-7737-cb6b3259f870} - C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [Paw] "C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" /boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Speed+\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155850863321
O17 - HKLM\System\CCS\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE758334-17AC-4173-8198-50B410F9D686}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS4\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBsstqO - geBsstqO.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8720 bytes

Blade81
2008-06-04, 06:54
Good :)


Open notepad and copy/paste the text in the quotebox below into it:



Driver::
tdpipee

File::
C:\WINDOWS\quicken.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\system32\g56.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\haxycdhj.ini
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\searchword.dll
C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
C:\WINDOWS\system32\drivers\tdpipee.sys

Folder::
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\igv
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\at1
C:\WINDOWS\system32\1064a
C:\WINDOWS\c25hbGk
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1bb4d908-e6a2-5fb2-7737-cb6b3259f870}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsstqO]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM27452a3f]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1746ea44-e384-0868-edfa-ffdf76fbf887}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fee8bde-8592-11dc-920a-0013d38050ac}]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under "Select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh HJT log (without forgetting the above-mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

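The CFScript above was built by reading the HijackThis log line by line: dead BHO references, a user-context Run entry launching from Application Data, and a Winlogon Notify DLL that no longer exists each map to a File:: or Registry:: line. The following script is an added example, not part of the thread and not code from HijackThis or ComboFix; it automates that mapping for a log and generalises it to any entries of those types. The heuristics (what counts as suspicious) are this example's own assumptions, and the O17 name servers are only listed for review because an ISP's DNS is not malicious by itself. The sample input is a constructed excerpt: lines copied from the HijackThis log posted earlier in this thread, plus one benign Symantec entry to show it is left alone.

```python
"""Triage a HijackThis (v2) log and draft a ComboFix CFScript from the hits.

Added example, not part of the original thread or of either tool. The
heuristics below are this example's own assumptions about what a helper looks
for: entries whose target file is missing, HKCU Run entries launched from a
profile's Application Data folder, Winlogon Notify DLLs that no longer exist,
and O17 name-server overrides (listed for review only). The CFScript syntax
(File::, Registry::, [-key] to delete a key, "name"=- to delete a value)
follows the script posted in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus one benign HKLM entry (ccApp) that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: gooochi browser optimizer - {1bb4d908-e6a2-5fb2-7737-cb6b3259f870} - C:\WINDOWS\system32\{3278288d-4c93-efce-72a2-4c88dc3db1f3}.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: geBsstqO - geBsstqO.dll (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")

RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def _missing(target: str) -> bool:
    """HijackThis marks dead references with '(file missing)' or '(no file)'."""
    return "(file missing)" in target or "(no file)" in target


def _path_from_cmd(cmd: str) -> str:
    """Return the executable path from an O4 command line, dropping quotes and arguments."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted paths may contain spaces, so cut at the extension, not the first space.
    m = re.match(r"(.*?\.(?:exe|dll|sys|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


@dataclass
class Triage:
    files: list = field(default_factory=list)      # CFScript File:: entries
    registry: list = field(default_factory=list)   # CFScript Registry:: lines
    review: list = field(default_factory=list)     # items to eyeball, not to fix blindly


def triage_hjt(log: str) -> Triage:
    """Walk the log once and collect CFScript actions per entry type."""
    t = Triage()
    for line in log.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            if _missing(m["target"]):
                t.registry.append(rf"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{m['clsid']}]")
        elif m := RUN_RE.match(line):
            path = _path_from_cmd(m["cmd"])
            # Assumption: legitimate XP software rarely autostarts from a
            # profile's Application Data folder, so such HKCU entries are removed.
            if m["hive"] == "HKCU" and "\\application data\\" in path.lower():
                t.files.append(path)
                t.registry.append("[" + RUN_KEY[m["hive"]] + "]")
                t.registry.append('"' + m["name"] + '"=-')
        elif m := NOTIFY_RE.match(line):
            if _missing(m["target"]):
                t.registry.append(rf"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{m['name']}]")
        elif m := DNS_RE.match(line):
            t.review.append("DNS override: " + m["servers"])
    return t


def render_cfscript(t: Triage) -> str:
    """Emit File:: and Registry:: sections in the layout ComboFix expects."""
    parts = []
    if t.files:
        parts.append("File::\n" + "\n".join(t.files))
    if t.registry:
        parts.append("Registry::\n" + "\n".join(t.registry))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG)
    print(render_cfscript(result))
    for note in result.review:
        print("REVIEW:", note)
```

Run against the constructed excerpt it reproduces the BHO, Run and Winlogon Notify lines of the posted CFScript and leaves the Google BHO and the HKLM Symantec entry untouched; the resulting text is still something to read over before dragging it onto ComboFix, not a substitute for doing so.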
sthaks
2008-06-04, 18:27
Here are the logs from the three tests: ComboFix, Kaspersky and HijackThis.
I'm having a tough time accessing the net from this computer though. Wired connection works sometimes, wireless not at all?!

COMBOFIX
ComboFix 08-06-01.6 - snali 2008-06-04 10:38:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.480 [GMT -4:00]
Running from: C:\Documents and Settings\snali\Desktop\Fixit.exe
Command switches used :: C:\Documents and Settings\snali\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\quicken.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\system32\drivers\tdpipee.sys
C:\WINDOWS\system32\g56.exe
C:\WINDOWS\system32\haxycdhj.ini
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 12:43 . 2008-06-03 18:53 <DIR> d-------- C:\Program Files\uTorrent
2008-06-03 10:28 . 2008-06-03 10:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 10:24 . 2008-06-03 10:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:41 94,208 -----c--- C:\WINDOWS\system32\dllcache\ehituner.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-06-03 03:40 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-03 03:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003644_.tmp
2008-06-03 02:20 . 2008-06-03 03:51 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-03 02:19 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-06-03 01:54 . 2008-06-03 03:58 8,617 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-03 01:42 . 2008-06-03 01:42 0 --------- C:\WINDOWS\system32\HFX1301.tmp
2008-06-03 01:21 . 2008-04-14 05:42 1,033,728 --a------ C:\WINDOWS\SET452.tmp
2008-06-03 01:21 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET589.tmp
2008-06-03 01:21 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET58F.tmp
2008-06-03 01:19 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1E1.tmp
2008-06-03 01:15 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003189_.tmp
2008-06-03 01:12 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\SET16F6.tmp
2008-06-03 01:00 . 2008-06-03 01:54 <DIR> d-------- C:\43f1a73a8204c24fc3fad39e
2008-06-02 07:56 . 2008-06-02 07:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 07:56 . 2008-06-02 07:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-02 07:56 . 2008-06-02 07:57 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 07:56 . 2008-06-02 07:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 07:53 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-06-02 07:53 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-06-02 07:53 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-06-02 07:50 . 2008-06-02 07:57 <DIR> d-------- C:\Program Files\Symantec
2008-06-02 07:50 . 2008-06-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-02 07:50 . 2008-06-02 07:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Program Files\AVG
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Documents and Settings\snali\Application Data\SUPERAntiSpyware.com
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 23:34 . 2008-05-26 23:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-26 23:21 . 2008-06-03 12:33 3,604 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-26 23:20 . 2008-06-03 12:37 <DIR> d-------- C:\SmitfraudFix
2008-05-26 22:43 . 2008-05-26 23:20 1,392,246 --a------ C:\name.exe
2008-05-25 12:08 . 2008-06-02 08:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 02:01 . 2004-08-10 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Program Files\WM Converter
2008-05-14 20:21 . 2008-05-25 02:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 20:21 . 2008-05-14 20:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 13:35 . 2008-05-13 13:37 <DIR> d-------- C:\Documents and Settings\snali\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 22:55 --------- d-----w C:\Documents and Settings\snali\Application Data\Skype
2008-06-03 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-03 16:12 --------- d-----w C:\Program Files\BitComet
2008-06-03 16:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-25 06:16 32,256 ----a-w C:\WINDOWS\mswsc10.dll
2008-05-20 01:30 85,588 ----a-w C:\WINDOWS\Internet Logs\BitComet_2nd_2008_05_19_00_31_07_small.dmp.zip
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:45 218,134 ----a-w C:\WINDOWS\AppPatch\SET4EF.tmp
2008-04-14 09:45 204,396 ----a-w C:\WINDOWS\AppPatch\SET4EE.tmp
2008-04-14 09:45 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET4ED.tmp
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 99,840 ----a-w C:\WINDOWS\system32\SET424.tmp
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 04:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 04:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 04:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 04:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 04:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 04:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 04:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 04:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 04:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 04:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 04:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 04:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 04:16 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-14 04:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-14 04:16 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-14 04:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-14 04:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-14 04:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 04:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 04:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-14 04:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-14 04:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-14 04:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-14 04:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 04:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 04:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 04:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 04:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-14 04:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 04:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-14 04:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 04:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 04:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 04:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_18.55.22.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 22:50:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 14:33:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 14:34:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_428.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-09-16 14:05 2048093]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 04:01 22880040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-03 11:47 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 07:04 59392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-15 17:33 7573504]
"SkyTel"="SkyTel.EXE" [2006-08-15 17:28 2879488 C:\WINDOWS\SkyTel.exe]
"CPUTray"="C:\WINDOWS\system32\CPUTray.exe" [2005-05-13 18:46 212992]
"SMSERIAL"="sm56hlpr.exe" [2006-08-15 16:56 557056 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 17:15 798810]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [2005-02-03 22:18 118784]
"Eval"="C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe" [2005-02-19 19:39 1826816]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-02-19 14:33 573440]
"Paw"="C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" [2005-02-24 23:53 401408]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 09:28 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 00:06 256576]
"Venturi Configurator"="C:\Program Files\Speed+\Configurator\ventcfg.exe" [2007-08-16 05:35 959880]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-03-15 20:03 127037]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 07:20 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 07:20 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-06-02 16:56 115560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-15 17:37 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-08-15 17:25 16248320 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcsquid.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcdnsserver.exe"=
"C:\\Program Files\\Speed+\\Configurator\\ventcfg.exe"=
"C:\\Program Files\\Speed+\\Client\\VentC.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17233:TCP"= 17233:TCP:BitComet 17233 TCP
"17233:UDP"= 17233:UDP:BitComet 17233 UDP

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-08-15 17:31]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-08-15 17:31]
R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-02-11 13:25]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2004-05-18 17:43]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2004-12-06 17:43]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 02:27]
R2 VenturiClient;Venturi Client;C:\Program Files\Speed+\Client\ventc.exe [2007-08-16 05:36]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-08-15 16:58]
R3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 20:34]
R3 vwinter;Venturi Wireless Intercepter;C:\WINDOWS\system32\drivers\vwinter.sys [2007-04-30 09:32]
R3 vwredir;Venturi Wireless Redirector;C:\WINDOWS\system32\drivers\vwredir.sys [2007-04-30 09:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 10:24:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 10:40:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\LIBEAY32_0.9.6l.dll
.
Completion time: 2008-06-04 10:41:07
ComboFix-quarantined-files.txt 2008-06-04 14:41:02
ComboFix2.txt 2008-06-04 14:37:35
ComboFix3.txt 2008-06-03 22:55:40

Pre-Run: 69,060,542,464 bytes free
Post-Run: 69,046,386,688 bytes free

280 --- E O F --- 2008-05-17 14:49:59



KASPERSKY
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 12:15:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 828899
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59025
Number of viruses found: 9
Number of infected objects: 27
Number of suspicious objects: 18
Duration of the scan process: 00:54:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll3.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/accesss.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip/window.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC79.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC79.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7AB78A4F.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\call256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\callmember256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\chat512.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\index2.dat Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\profile256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\sms256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\user1024.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\user16384.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\user256.dbb Object is locked skipped
C:\Documents and Settings\snali\Application Data\Skype\sthaks\user4096.dbb Object is locked skipped
C:\Documents and Settings\snali\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\snali\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\snali\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\snali\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snali\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snali\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\snali\ntuser.dat.LOG Object is locked skipped
C:\name.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\name.exe RAR: infected - 1 skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Phoenix Technologies\cME\Guard\error.log Object is locked skipped
C:\Program Files\Phoenix Technologies\cME\Guard\monitor.log Object is locked skipped
C:\Program Files\Phoenix Technologies\cME\Guard\repair.log Object is locked skipped
C:\Program Files\Speed+\Client\vent2.log Object is locked skipped
C:\Program Files\Speed+\squid\cache\swap.state Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\AVMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\GUProxy.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\LUMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\NacMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\processlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\rawlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\seclog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\syslog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\tralog.log Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\snali\Application Data\Microsoft\dtsc\22721.exe.vir Infected: Trojan-Downloader.Win32.Agent.plz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g56.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g56.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g56.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\igv\baizcom05.exe.vir Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\QooBox\Quarantine\catchme2008-06-03_184900.56.zip/clbdriver.sys Infected: Rootkit.Win32.Agent.aol skipped
C:\QooBox\Quarantine\catchme2008-06-03_184900.56.zip/clbdll.dll Infected: Trojan-Downloader.Win32.Agent.qpw skipped
C:\QooBox\Quarantine\catchme2008-06-03_184900.56.zip ZIP: infected - 2 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP48\A0031622.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP48\A0031622.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP48\A0033636.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP48\A0033636.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP53\A0044994.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP53\A0044994.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061145.exe Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061146.exe Infected: Trojan-Downloader.Win32.Agent.plz skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061152.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061152.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061152.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP60\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\imsDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CE036D19-0E77-4B19-BE83-6578A316432E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[1].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[2].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[3].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_300.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:16 PM, on 6/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CPUTray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speed+\Configurator\ventcfg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [Paw] "C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" /boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Speed+\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155850863321
O17 - HKLM\System\CCS\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE758334-17AC-4173-8198-50B410F9D686}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS4\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8127 bytes

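A small triage helper for a Kaspersky Online Scanner report like the one posted above, added here as an example and not part of this thread or of any scanner's own tooling. It parses the report's verdict lines ("Infected:", "Suspicious:", "Object is locked", archive container verdicts) and separates hits that are already contained in quarantine, restore points or Spybot's Recovery folder from hits in live locations, which is the distinction a helper makes when deciding what still needs cleanup. The sample report is constructed in the report's format (the profile name and the restore-point GUID are placeholders); the marker list of "contained" locations is an assumption for this example.

```python
"""Triage helper for a Kaspersky Online Scanner report (added example)."""
import re
from collections import Counter

# Constructed sample lines in the report's own format. USER and {GUID} are
# placeholders; the detection names are the ones seen in the thread.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\USER\\Application Data\\Microsoft\\Internet Explorer\\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\SPBBC\\BBConfig.log Object is locked skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\SmitfraudC.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\igv\\baizcom05.exe.vir Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\\System Volume Information\\_restore{GUID}\\RP59\\A0061146.exe Infected: Trojan-Downloader.Win32.Agent.plz skipped
C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temporary Internet Files\\Content.IE5\\ZF6MUSQV\\update[1].upd Infected: Trojan.Win32.Agent.gnw skipped

Scan process completed.
"""

# Paths contain spaces, so the path is matched lazily and the verdict is
# anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>[A-Z0-9]+): (?:infected|suspicious) - \d+)"
    r" skipped$"
)

# Assumed list of locations where a hit is already contained (quarantine or
# backup copies): cleanup of the container is needed, not a live-malware response.
CONTAINED_MARKERS = (
    "\\QooBox\\Quarantine\\",
    "\\System Volume Information\\_restore",
    "Spybot - Search & Destroy\\Recovery\\",
)


def classify_location(path):
    """'contained' for quarantine/backup copies, 'live' for everything else."""
    return "contained" if any(m in path for m in CONTAINED_MARKERS) else "live"


def parse_report(text):
    """Yield (path, kind, name); kind is infected, suspicious, locked or archive."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and footer lines carry no verdict
        if m.group("infected"):
            yield m.group("path"), "infected", m.group("infected")
        elif m.group("suspicious"):
            yield m.group("path"), "suspicious", m.group("suspicious")
        elif m.group("locked"):
            yield m.group("path"), "locked", None
        else:
            yield m.group("path"), "archive", m.group("archive")


def triage(text):
    """Summarise a report: live vs contained hits, locked objects, archive containers."""
    summary = {"live": [], "contained": [], "locked": 0, "archives": 0,
               "by_name": Counter()}
    for path, kind, name in parse_report(text):
        if kind == "locked":
            summary["locked"] += 1  # in-use system files, not detections
        elif kind == "archive":
            summary["archives"] += 1  # container line; the member line carries the name
        else:
            summary[classify_location(path)].append((path, kind, name))
            summary["by_name"][name] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("live", "contained"):
        print(f"{bucket} hits: {len(result[bucket])}")
        for path, kind, name in result[bucket]:
            print(f"  [{kind}] {name}  {path}")
    print("locked objects:", result["locked"], "archive containers:", result["archives"])
```

Run it on a saved report by replacing SAMPLE_REPORT with the file's contents; the "live" bucket is the list worth acting on first, while "contained" entries point at quarantine folders and restore points that get cleared once the machine is clean.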
Blade81
2008-06-04, 19:11
Hi

Upload following file to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\beep.sys


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\name.exe

Folder::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\SmitfraudFix
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.




Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log (without forgetting above mentioned ComboFix resultant log) in your next reply.



I'm having a tough time accessing the net though from this computer, Wired connection works sometimes, wireless not at all?!
How long has this behaviour occured? Is your firewall set to allow connection properly?

sthaks
2008-06-05, 06:56
1. Internet access problem only started 2 days ago
2. In safe mode, I see an administrator log in (with a photo of karate chop). Someone seems to have admin rights on my laptop.

here goes

Service load: 0% 100%

File: beep.sys
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: da1f27d85e0d1525f6621372e7b685e9
Packers detected: -

Scanner results
Scan taken on 05 Jun 2008 03:35:26 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

COMBO FIX

ComboFix 08-06-01.6 - snali 2008-06-04 23:39:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.442 [GMT -4:00]
Running from: C:\Documents and Settings\snali\Desktop\Fixit.exe
Command switches used :: C:\Documents and Settings\snali\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\name.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ClientMan5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommandService9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffWinshow9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBlowSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBlowSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBlowSearch2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchDreplace.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchDreplace1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchDreplace2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchDreplace3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchDreplace4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnaSearch17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchGonnasearch9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchk6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWCADW.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWCADW1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWCADW2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinRes.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinRes1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinRes2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchWinSearch2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSystem.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSystem1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSystem2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSystem3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSystem4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC100.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC101.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC102.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC103.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC104.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC105.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC106.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC107.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC108.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC109.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC110.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC111.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC112.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC25.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC27.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC28.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC29.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC31.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC32.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC34.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC35.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC37.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC38.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC40.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC41.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC42.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC43.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC44.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC45.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC46.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC47.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC48.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC49.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC50.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC51.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC52.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC53.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC54.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC55.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC56.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC57.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC58.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC59.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC60.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC61.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC62.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC63.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC64.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC65.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC66.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC67.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC68.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC69.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC70.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC71.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC72.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC73.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC74.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC75.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC76.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC77.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC78.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC79.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC80.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC81.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC82.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC83.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC84.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC85.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC86.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC87.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC88.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC89.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC90.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC91.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC92.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC93.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC94.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC95.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC96.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC97.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC98.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC99.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ToolbarCC.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ToolbarCC1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\webHancer9.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallny.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\name.exe
C:\SmitfraudFix
C:\SmitfraudFix\404Fix.exe
C:\SmitfraudFix\dumphive.exe
C:\SmitfraudFix\exit.exe
C:\SmitfraudFix\GenericRenosFix.exe
C:\SmitfraudFix\HostsChk.exe
C:\SmitfraudFix\IEDFix.exe
C:\SmitfraudFix\Policies.exe
C:\SmitfraudFix\Process.exe
C:\SmitfraudFix\Reboot.exe
C:\SmitfraudFix\restart.exe
C:\SmitfraudFix\SmitfraudFix.cmd
C:\SmitfraudFix\SmiUpdate.exe
C:\SmitfraudFix\SrchSTS.exe
C:\SmitfraudFix\swreg.exe
C:\SmitfraudFix\swsc.exe
C:\SmitfraudFix\swxcacls.exe
C:\SmitfraudFix\UIFix.exe
C:\SmitfraudFix\unzip.exe
C:\SmitfraudFix\VACFix.exe
C:\SmitfraudFix\VCCLSID.exe
C:\SmitfraudFix\WS2Fix.exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\desktop.ini
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\index[1].php
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[1].upd
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[2].upd
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZF6MUSQV\update[3].upd

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 10:54 . 2008-06-04 10:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-04 10:54 . 2008-06-04 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 12:43 . 2008-06-03 18:53 <DIR> d-------- C:\Program Files\uTorrent
2008-06-03 10:28 . 2008-06-03 10:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 10:24 . 2008-06-03 10:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:42 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-06-03 03:51 . 2008-04-14 05:41 94,208 -----c--- C:\WINDOWS\system32\dllcache\ehituner.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
2008-06-03 03:51 . 2008-04-13 22:57 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-06-03 03:40 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-03 03:38 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003644_.tmp
2008-06-03 02:20 . 2008-06-03 03:51 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-03 02:19 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-06-03 01:54 . 2008-06-03 03:58 8,617 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-03 01:42 . 2008-06-03 01:42 0 --------- C:\WINDOWS\system32\HFX1301.tmp
2008-06-03 01:21 . 2008-04-14 05:42 1,033,728 --a------ C:\WINDOWS\SET452.tmp
2008-06-03 01:21 . 2008-04-14 05:42 471,552 --a------ C:\WINDOWS\system32\SET589.tmp
2008-06-03 01:21 . 2008-04-14 05:41 95,744 --a------ C:\WINDOWS\system32\SET58F.tmp
2008-06-03 01:19 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1E1.tmp
2008-06-03 01:15 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003189_.tmp
2008-06-03 01:12 . 2007-10-25 23:36 8,454,656 --a------ C:\WINDOWS\system32\SET16F6.tmp
2008-06-03 01:00 . 2008-06-03 01:54 <DIR> d-------- C:\43f1a73a8204c24fc3fad39e
2008-06-02 07:56 . 2008-06-02 07:57 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-02 07:56 . 2008-06-02 07:57 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-02 07:56 . 2008-06-02 07:57 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-02 07:56 . 2008-06-02 07:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-02 07:53 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-06-02 07:53 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-06-02 07:53 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-06-02 07:50 . 2008-06-02 07:57 <DIR> d-------- C:\Program Files\Symantec
2008-06-02 07:50 . 2008-06-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-02 07:50 . 2008-06-02 07:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Program Files\AVG
2008-05-27 03:54 . 2008-06-02 23:41 <DIR> d-------- C:\Documents and Settings\snali\Application Data\SUPERAntiSpyware.com
2008-05-27 03:54 . 2008-05-27 03:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-26 23:34 . 2008-05-26 23:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-26 23:21 . 2008-06-03 12:33 3,604 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 12:08 . 2008-06-02 08:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 02:01 . 2004-08-10 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Program Files\WM Converter
2008-05-14 20:21 . 2008-05-25 02:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 20:21 . 2008-05-14 20:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 13:35 . 2008-05-13 13:37 <DIR> d-------- C:\Documents and Settings\snali\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 03:27 --------- d-----w C:\Documents and Settings\snali\Application Data\Skype
2008-06-03 22:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 16:12 --------- d-----w C:\Program Files\BitComet
2008-06-03 16:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-25 06:16 32,256 ----a-w C:\WINDOWS\mswsc10.dll
2008-05-20 01:30 85,588 ----a-w C:\WINDOWS\Internet Logs\BitComet_2nd_2008_05_19_00_31_07_small.dmp.zip
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:45 218,134 ----a-w C:\WINDOWS\AppPatch\SET4EF.tmp
2008-04-14 09:45 204,396 ----a-w C:\WINDOWS\AppPatch\SET4EE.tmp
2008-04-14 09:45 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET4ED.tmp
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 09:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 09:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 09:41 99,840 ----a-w C:\WINDOWS\system32\SET424.tmp
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-14 04:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-14 04:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-14 04:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-14 04:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-14 04:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-14 04:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-14 04:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-14 04:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-14 04:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-14 04:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-14 04:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-14 04:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-14 04:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-14 04:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-14 04:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-14 04:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-14 04:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-14 04:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-14 04:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-14 04:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-14 04:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-14 04:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-14 04:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-14 04:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-14 04:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-14 04:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-14 04:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-14 04:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-14 04:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-14 04:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-14 04:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-14 04:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-14 04:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-14 04:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-14 04:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-14 04:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-14 04:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-14 04:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-14 04:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-14 04:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-14 04:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-14 04:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 04:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-14 04:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-14 04:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-14 04:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-14 04:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-14 04:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-14 04:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-14 04:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-14 04:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-14 04:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-14 04:16 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-14 04:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-14 04:16 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-14 04:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-14 04:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-14 04:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 04:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-14 04:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-14 04:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-14 04:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-14 04:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-14 04:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-14 04:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-14 04:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-14 04:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-14 04:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-14 04:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-14 04:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-14 04:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-14 04:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-14 04:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-14 04:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_18.55.22.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 22:50:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 03:25:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-06-05 03:26:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_32c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-09-16 14:05 2048093]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 04:01 22880040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-03 11:47 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 07:04 59392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-15 17:33 7573504]
"SkyTel"="SkyTel.EXE" [2006-08-15 17:28 2879488 C:\WINDOWS\SkyTel.exe]
"CPUTray"="C:\WINDOWS\system32\CPUTray.exe" [2005-05-13 18:46 212992]
"SMSERIAL"="sm56hlpr.exe" [2006-08-15 16:56 557056 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 17:15 798810]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [2005-02-03 22:18 118784]
"Eval"="C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe" [2005-02-19 19:39 1826816]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-02-19 14:33 573440]
"Paw"="C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" [2005-02-24 23:53 401408]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 09:28 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 00:06 256576]
"Venturi Configurator"="C:\Program Files\Speed+\Configurator\ventcfg.exe" [2007-08-16 05:35 959880]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-03-15 20:03 127037]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 07:20 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 07:20 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-06-02 16:56 115560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-15 17:37 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-08-15 17:25 16248320 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcsquid.exe"=
"C:\\Program Files\\Speed+\\squid\\ventcdnsserver.exe"=
"C:\\Program Files\\Speed+\\Configurator\\ventcfg.exe"=
"C:\\Program Files\\Speed+\\Client\\VentC.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17233:TCP"= 17233:TCP:BitComet 17233 TCP
"17233:UDP"= 17233:UDP:BitComet 17233 UDP

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-08-15 17:31]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-08-15 17:31]
R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-02-11 13:25]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2004-05-18 17:43]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2004-12-06 17:43]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 02:27]
R2 VenturiClient;Venturi Client;C:\Program Files\Speed+\Client\ventc.exe [2007-08-16 05:36]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-08-15 16:58]
R3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-02-25 20:34]
R3 vwinter;Venturi Wireless Intercepter;C:\WINDOWS\system32\drivers\vwinter.sys [2007-04-30 09:32]
R3 vwredir;Venturi Wireless Redirector;C:\WINDOWS\system32\drivers\vwredir.sys [2007-04-30 09:32]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 10:24:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 23:41:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\LIBEAY32_0.9.6l.dll
.
Completion time: 2008-06-04 23:42:58
ComboFix-quarantined-files.txt 2008-06-05 03:42:55
ComboFix2.txt 2008-06-04 14:41:08
ComboFix3.txt 2008-06-04 14:37:35
ComboFix4.txt 2008-06-03 22:55:40

Pre-Run: 69,022,928,896 bytes free
Post-Run: 69,005,619,200 bytes free

625 --- E O F --- 2008-05-17 14:49:59


MALWARE

Malwarebytes' Anti-Malware 1.14
Database version: 826

12:17:36 AM 6/5/2008
mbam-log-6-5-2008 (00-17-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 92340
Time elapsed: 27 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b1a64443-6fca-41ce-8d51-5f8991257555} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\igv\baizcom05.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP57\A0060874.exe (Adware.Vapsup) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP59\A0061145.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

sthaks
2008-06-05, 06:57
HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:09 AM, on 6/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CPUTray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speed+\Configurator\ventcfg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [Paw] "C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" /boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Speed+\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155850863321
O17 - HKLM\System\CCS\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE758334-17AC-4173-8198-50B410F9D686}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8211 bytes

Blade81
2008-06-05, 07:19
Hi

Logs look quite ok to me now.


Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.


I recommend installing Internet Explorer 7 to see if it makes any difference to the network problem.

sthaks
2008-06-05, 07:39
In safe mode, the other administrator is still there, and there continues to be a problem with the internet access... I had to reboot into safe mode manually as the F8 key didn't work.

Shall I just reformat my system?

ST

Blade81
2008-06-05, 08:31
Hi

If possible, try the steps I posted in my previous post, using removable media again if needed. I hope after that we will have a better understanding of whether or not a reformat is the only solution.

sthaks
2008-06-05, 09:34
Deckard's System Scanner v20071014.68
Run by snali on 2008-06-05 03:23:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
38: 2008-06-05 07:23:47 UTC - RP62 - Deckard's System Scanner Restore Point
37: 2008-06-05 03:39:26 UTC - RP61 - ComboFix created restore point
36: 2008-06-04 14:38:46 UTC - RP60 - ComboFix created restore point
35: 2008-06-04 14:29:37 UTC - RP59 - ComboFix created restore point
34: 2008-06-03 22:46:05 UTC - RP58 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-25 06:06:35 UTC - RP25 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as snali.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:36 AM, on 6/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CPUTray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Speed+\Configurator\ventcfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\snali\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\snali.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CPUTray] C:\WINDOWS\system32\CPUTray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [Paw] "C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" /boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Speed+\Configurator\ventcfg.exe -nomsgbox
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155850863321
O17 - HKLM\System\CCS\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE758334-17AC-4173-8198-50B410F9D686}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{093DDD96-42D0-4950-8173-39754DA83DF4}: NameServer = 203.94.227.70,203.94.243.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8098 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ptpd (Disk Filter Driver) - c:\windows\system32\drivers\ptpd.sys <Not Verified; Phoenix Technologies Ltd.; cMeDisk>
R0 RITCPT - c:\windows\system32\drivers\ritcpt.sys
R2 FBAPI - c:\windows\system32\drivers\fbapi.sys
R2 Machnm32 (Machnm32 Driver) - c:\windows\system32\machnm32.sys
R3 PhnxVcd - c:\windows\system32\drivers\phnxvcd.sys <Not Verified; Phoenix Technologies Ltd.; Virtual CD>

S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 catchme - c:\fixit\catchme.sys (file missing)
S3 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; CAI Anti-Virus>
S3 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys
S3 VETMONNT (VET File and Macro Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; CAI Anti-Virus>
S3 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 O2Flash (O2Micro Flash Memory) - c:\windows\system32\o2flash.exe

S3 CAISafe (CA ISafe) - c:\windows\system32\zonelabs\isafe.exe <Not Verified; Computer Associates International, Inc.; ISafe>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-16 06:24:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-04 23:46:06 0 d-------- C:\Documents and Settings\snali\Application Data\Malwarebytes
2008-06-04 23:46:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 23:46:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 10:54:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 10:54:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-03 18:45:41 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 18:45:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 18:45:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 18:45:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 18:45:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 18:45:41 98816 --a------ C:\WINDOWS\sed.exe
2008-06-03 18:45:41 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 18:45:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-03 12:43:24 0 d-------- C:\Program Files\uTorrent
2008-06-03 10:28:20 0 d-------- C:\Program Files\Trend Micro
2008-06-03 10:24:45 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-03 10:24:41 0 d-------- C:\Documents and Settings\snali\Application Data\Mozilla
2008-06-03 04:03:30 0 d-------- C:\WINDOWS\Prefetch
2008-06-03 02:20:48 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-03 01:26:23 0 d-------- C:\WINDOWS\system32\scripting
2008-06-03 01:26:23 0 d-------- C:\WINDOWS\l2schemas
2008-06-03 01:26:21 0 d-------- C:\WINDOWS\system32\en
2008-06-03 01:26:20 0 d-------- C:\WINDOWS\system32\bits
2008-06-03 01:18:23 0 d-------- C:\WINDOWS\network diagnostic
2008-06-03 01:00:06 0 d-------- C:\43f1a73a8204c24fc3fad39e
2008-06-03 00:29:08 0 d-------- C:\WINDOWS\pss
2008-06-02 08:21:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-02 07:50:47 0 d-------- C:\Program Files\Symantec
2008-06-02 07:50:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-02 07:50:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:54:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-27 03:54:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 03:54:24 0 d-------- C:\Documents and Settings\snali\Application Data\SUPERAntiSpyware.com
2008-05-27 03:54:04 0 d-------- C:\Program Files\AVG
2008-05-26 23:34:55 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-26 23:21:21 3604 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 12:08:40 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-25 02:16:13 24064 --a------ C:\WINDOWS\svcinit.exe
2008-05-25 02:16:12 18432 --a------ C:\WINDOWS\sistem.exe
2008-05-25 02:16:10 16128 --a------ C:\WINDOWS\qttasks.exe
2008-05-25 02:16:09 13824 --a------ C:\WINDOWS\mswsc20.dll
2008-05-25 02:16:09 32256 --a------ C:\WINDOWS\mswsc10.dll
2008-05-25 02:16:08 25344 --a------ C:\WINDOWS\msspi.dll
2008-05-25 02:16:07 24064 --a------ C:\WINDOWS\inetinf.exe
2008-05-25 02:16:06 12288 --a------ C:\WINDOWS\helpcvs.exe
2008-05-25 02:16:06 27392 --a------ C:\WINDOWS\gfmnaaa.dll
2008-05-25 02:16:06 26112 --a------ C:\WINDOWS\funny.exe
2008-05-25 02:16:06 32000 --a------ C:\WINDOWS\funniest.exe
2008-05-25 02:16:05 23296 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-25 02:16:05 12544 --a------ C:\WINDOWS\directx32.exe
2008-05-25 02:16:05 23040 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-25 02:16:04 24832 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-25 02:00:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-25 02:00:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-25 02:00:38 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-25 02:00:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-18 22:11:12 0 d-------- C:\Program Files\WM Converter
2008-05-13 13:35:57 0 d-------- C:\Documents and Settings\snali\Application Data\Move Networks


-- Find3M Report ---------------------------------------------------------------

2008-06-05 03:23:12 0 d-------- C:\Documents and Settings\snali\Application Data\Skype
2008-06-03 12:12:26 0 d-------- C:\Program Files\BitComet
2008-06-03 12:01:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-03 04:02:39 0 d-------- C:\Program Files\Messenger
2008-06-03 03:50:30 0 d-------- C:\Program Files\Movie Maker
2008-06-03 03:43:30 0 d-------- C:\Program Files\Windows NT
2008-06-02 23:41:06 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 07:04 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/15/2006 05:33 PM]
"SkyTel"="SkyTel.EXE" [08/15/2006 05:28 PM C:\WINDOWS\SkyTel.exe]
"CPUTray"="C:\WINDOWS\system32\CPUTray.exe" [05/13/2005 06:46 PM]
"SMSERIAL"="sm56hlpr.exe" [08/15/2006 04:56 PM C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/15/2006 05:15 PM]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [02/03/2005 10:18 PM]
"Eval"="C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe" [02/19/2005 07:39 PM]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [02/19/2005 02:33 PM]
"Paw"="C:\Program Files\Phoenix Technologies\cME\PAW\Paw.exe" [02/24/2005 11:53 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 09:28 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 12:06 AM]
"Venturi Configurator"="C:\Program Files\Speed+\Configurator\ventcfg.exe" [08/16/2007 05:35 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2005 08:03 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 07:20 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 07:20 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2008 04:56 PM]
"RTHDCPL"="RTHDCPL.EXE" [08/15/2006 05:25 PM C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [08/15/2006 05:37 PM C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [09/16/2005 02:05 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/14/2008 05:42 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [09/13/2007 04:01 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/03/2007 11:47 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 1:05:26 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-05 03:27:41 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Turion(tm) 64 X2 Mobile Technology TL-50
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 959.36 MiB / 389.56 MiB
Pagefile Memory (total/avail): 2314.9 MiB / 1784.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.83 MiB

C: is Fixed (NTFS) - 93.16 GiB total, 66.41 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541010G9SA00 - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.16 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\snali\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-B25D9E178B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\snali
HPA=0
LOGONSERVER=\\YOUR-B25D9E178B
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\snali\LOCALS~1\Temp
TMP=C:\DOCUME~1\snali\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=YOUR-B25D9E178B
USERNAME=snali
USERPROFILE=C:\Documents and Settings\snali
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

snali [I](admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
CPU Speed High / Low Status Application --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4F0861C-22B2-401C-89F2-F1F1AD4F21B4}\Setup.exe" -l0x9
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HUAWEI Mobile Connect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C27866B-00E1-4AFF-A199-C7E978A10FC6}\Setup.exe" -HWREMOVE
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 3.3 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaShow 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co.dll,SM56UnInstaller
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\snali\Application Data\Move Networks\ie_bin\Uninst.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvunrm.exe UninstallGUI
O2Micro Flash Memory Card Windows Driver V2.05 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{D4F8D619-B730-40E9-A526-3F66CE3BB351} /l1033
Phoenix Core Managed Environment (cME) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{9B365D9D-C47D-458D-A46F-491A4B33EEAB} /l1033
Phoenix FirstWare Recover Pro 2004 --> C:\Program Files\Phoenix Technologies\cME\RPro\ XP\un_vback.exe
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Ralink Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Audio module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Speed+ --> C:\Program Files\InstallShield Installation Information\{9C59FA2E-EEDA-41FA-90AC-F8FCBD032E85}\setup.exe -runfromtemp -l0x0009 -vuninstall -removeonly
Symantec Endpoint Protection --> MsiExec.exe /I{76B2BC31-2D96-4170-9C44-09E13B5555F3}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WM Converter 2.0 --> C:\Program Files\WM Converter\Uninstal.exe
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1202 / Error
Event Submitted/Written: 06/04/2008 10:45:15 AM
Event ID/Source: 13 / SescLU
Event Description:
LiveUpdate returned a non-critical error. Available content updates may have failed to install.

Event Record #/Type1172 / Warning
Event Submitted/Written: 06/03/2008 03:54:18 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type1163 / Warning
Event Submitted/Written: 06/03/2008 02:42:43 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type1124 / Error
Event Submitted/Written: 06/02/2008 09:48:34 AM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Downloader.MisleadApp in File: c:\System Volume Information\_restore{0E5EE253-128C-4CCF-B206-33913774A810}\RP52\A0043948.exe by: Manual scan. Action: Clean succeeded. Action Description: The file was repaired successfully.

Event Record #/Type1123 / Warning
Event Submitted/Written: 06/02/2008 09:33:26 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 2 files inside c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.2000.1253&language=english&module=1000&error=0014&build=symantec_ent



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9821 / Warning
Event Submitted/Written: 06/05/2008 03:00:32 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type9820 / Warning
Event Submitted/Written: 06/05/2008 02:56:39 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type9818 / Warning
Event Submitted/Written: 06/05/2008 02:36:17 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9817 / Warning
Event Submitted/Written: 06/05/2008 02:08:37 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9816 / Warning
Event Submitted/Written: 06/05/2008 01:52:48 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-05 03:27:41 ------------

Blade81
2008-06-05, 10:15
Hi

That Administrator account is probably your actual admin account which is only visible in safe mode by default. :)

Has your hard drive worked OK? There were some disk errors in the log and that's why I'm asking.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



Please upload the following file to http://virusscan.jotti.org and post back the results (using removable media again if needed):
c:\windows\system32\drivers\fbapi.sys

Open notepad and copy/paste the text in the quotebox below into it:



Driver::
catchme

File::
c:\fixit\catchme.sys
C:\WINDOWS\svcinit.exe
C:\WINDOWS\sistem.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\inetinf.exe
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\funny.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\ctfmon32.exe

DirLook::
c:\fixit



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log. Run DSS again and post its log.


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
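The helper above picked the 15 binaries listed in the CFScript out of the DSS "Files created" section by their creation times: all of them landed loose in C:\WINDOWS within nine seconds on 2008-05-25. The triage script below is an added example (not part of DSS, ComboFix or this thread's posts) that parses that section and reports such bursts; the 30-second window, the 5-file minimum and the allowlist of ComboFix's own helper tools (the post above names sed and swreg as ComboFix processes; the other names are an assumption drawn from the 18:45:41 batch in the log) are assumptions made here.

```python
"""Triage the "Files created between ..." section of a Deckard's System Scanner
(DSS) log for bursts of loose executables dropped into C:\\WINDOWS. Added
example for this thread, not part of DSS, ComboFix or the original posts. The
sample lines are copied from the DSS log above; the window, the minimum burst
size and the tool allowlist are assumptions."""
import re
from datetime import datetime, timedelta

# One DSS "Files created" line: timestamp, size, 9 attribute flags, path, and an
# optional "<Not Verified; publisher; product>" annotation that is discarded.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.+?)"
    r"(?:\s+<[^>]*>)?\s*$")
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
WINDOWS_DIR = "c:\\windows\\"
# Helpers ComboFix itself drops into C:\WINDOWS. The post above names sed and
# swreg as ComboFix processes; the rest is an assumption based on the log.
COMBOFIX_TOOLS = {"zip.exe", "vfind.exe", "swxcacls.exe", "swsc.exe",
                  "swreg.exe", "sed.exe", "grep.exe", "fdsv.exe"}

def parse_dss_files(text):
    """Return (created, size, flags, path) tuples for every parseable line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, size, flags, path = m.groups()
            entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(size), flags, path))
    return entries

def is_loose_windows_binary(entry):
    """True for a file (flags not starting with 'd') with an executable
    extension sitting directly in C:\\WINDOWS, not in a subdirectory."""
    _, _, flags, path = entry
    low = path.lower()
    if flags.startswith("d") or not low.startswith(WINDOWS_DIR):
        return False
    rest = low[len(WINDOWS_DIR):]
    return "\\" not in rest and rest.endswith(EXEC_EXTS)

def find_drop_bursts(entries, window_seconds=30, min_files=5):
    """Group loose C:\\WINDOWS binaries created within window_seconds of the
    first file of the group; return groups of at least min_files, oldest first.
    Many unrelated binaries landing within seconds is the pattern flagged above."""
    cands = sorted(e for e in entries if is_loose_windows_binary(e))
    bursts, i = [], 0
    while i < len(cands):
        j = i
        while (j + 1 < len(cands) and
               cands[j + 1][0] - cands[i][0] <= timedelta(seconds=window_seconds)):
            j += 1
        if j - i + 1 >= min_files:
            bursts.append(cands[i:j + 1])
        i = j + 1
    return bursts

def classify_bursts(entries, **kw):
    """Map each burst's start time to (verdict, sorted file names). A burst made
    only of known cleanup tooling is 'tooling'; anything else is 'suspect'."""
    report = {}
    for burst in find_drop_bursts(entries, **kw):
        names = sorted(p.lower().rsplit("\\", 1)[1] for _, _, _, p in burst)
        verdict = "tooling" if set(names) <= COMBOFIX_TOOLS else "suspect"
        report[burst[0][0]] = (verdict, names)
    return report

# Constructed sample input: a subset of the "Files created" lines posted above.
SAMPLE_LOG = r"""
2008-06-04 23:46:02 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 18:45:41 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 18:45:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 18:45:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 18:45:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 18:45:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 18:45:41 98816 --a------ C:\WINDOWS\sed.exe
2008-06-03 18:45:41 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 18:45:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-26 23:34:55 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-25 02:16:13 24064 --a------ C:\WINDOWS\svcinit.exe
2008-05-25 02:16:12 18432 --a------ C:\WINDOWS\sistem.exe
2008-05-25 02:16:10 16128 --a------ C:\WINDOWS\qttasks.exe
2008-05-25 02:16:09 13824 --a------ C:\WINDOWS\mswsc20.dll
2008-05-25 02:16:09 32256 --a------ C:\WINDOWS\mswsc10.dll
2008-05-25 02:16:08 25344 --a------ C:\WINDOWS\msspi.dll
2008-05-25 02:16:07 24064 --a------ C:\WINDOWS\inetinf.exe
2008-05-25 02:16:06 12288 --a------ C:\WINDOWS\helpcvs.exe
2008-05-25 02:16:06 27392 --a------ C:\WINDOWS\gfmnaaa.dll
2008-05-25 02:16:06 26112 --a------ C:\WINDOWS\funny.exe
2008-05-25 02:16:06 32000 --a------ C:\WINDOWS\funniest.exe
2008-05-25 02:16:05 23296 --a------ C:\WINDOWS\dnsrelay.dll
2008-05-25 02:16:05 12544 --a------ C:\WINDOWS\directx32.exe
2008-05-25 02:16:05 23040 --a------ C:\WINDOWS\ctrlpan.dll
2008-05-25 02:16:04 24832 --a------ C:\WINDOWS\ctfmon32.exe
"""

if __name__ == "__main__":
    for start, (verdict, names) in sorted(
            classify_bursts(parse_dss_files(SAMPLE_LOG)).items()):
        print(start, verdict, ", ".join(names))
```

Run against the full log, the 2008-05-25 02:16 group comes out as the one suspect burst and the 18:45:41 group is recognised as ComboFix's own tools, which is why a burst heuristic needs that allowlist before it is used to build a removal script.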

Blade81
2008-06-11, 10:17
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.