View Full Version : Zlob thing?.. pls help
i'm new at this, please bare with me. thanks!
anyway, i used to have a v-monde problem which had a thread of .dll (rqRJDwts.dll) in my winlogon process. i think i was able to get it because spybot wasn't able to detect any trace of it including iexplore.dat, .sys, etc. anymore.
now, i seem to be having problem of which is described as a Zlob.DNSchanger.rtk by spybot. i've run spydot a number of times and that is now one of the two that keeps coming back. the other being an Altnet registry that spybot can't seem to get rid of.
i'm sorry but i tried to self-manage this problem before because i thought i could handle it. kdvkp.exe which was in system32 seems to be the one connected to this before so i deleted it in command prompt. but i can't seem to get rid traces of it in the registry.
how bad is it?
please help...
thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:05 AM, on 6/28/2000
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvkp.exe] C:\WINDOWS\system32\kdvkp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [lljy_df] C:\WINDOWS\system\llzjy080617.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: rqRJDwts - rqRJDwts.dll (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 5636 bytes
StartupList report, 6/28/2000, 6:33:37 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
C:\WINDOWS\system32\kdvkp.exe = C:\WINDOWS\system32\kdvkp.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
BitTorrent DNA = "C:\Program Files\DNA\btdna.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BitComet ClickCapture - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
--------------------------------------------------
Enumerating Task Scheduler jobs:
At1.job
--------------------------------------------------
Enumerating Download Program Files:
[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan82.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
52cbe23c587fd75d: \??\C:\52cbe23c587fd75d.dat (manual start)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
PPdus ASPI Shell: system32\drivers\Afc.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Aspi32: System32\drivers\aspi32.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Bluetooth Audio Service: system32\DRIVERS\blueletaudio.sys (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth PAN Network Adapter: system32\DRIVERS\btnetdrv.sys (manual start)
Bluetooth USB For Bluetooth Service: System32\Drivers\btcusb.sys (manual start)
Bluetooth HID Enumerator: system32\DRIVERS\vbtenum.sys (manual start)
Bluetooth HID Manager Service: System32\Drivers\BTHidMgr.sys (system)
Canon Camera Access Library 8: C:\Program Files\Canon\CAL\CALMAIN.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
D-Link DFE-528TX PCI Adapter: system32\DRIVERS\DLKRTL.SYS (manual start)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
McAfee Framework Service: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart (autostart)
Network Associates McShield: "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" (autostart)
Network Associates Task Manager: "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe" (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NNServ: "C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (autostart)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: system32\DRIVERS\p3.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sony Ericsson Device 070 driver (WDM): system32\DRIVERS\se46bus.sys (manual start)
Sony Ericsson Device 070 USB WMC Modem Filter: system32\DRIVERS\se46mdfl.sys (manual start)
Sony Ericsson Device 070 USB WMC Modem Driver: system32\DRIVERS\se46mdm.sys (manual start)
Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM): system32\DRIVERS\se46mgmt.sys (manual start)
Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS): system32\DRIVERS\se46nd5.sys (manual start)
Sony Ericsson Device 070 USB WMC OBEX Interface: system32\DRIVERS\se46obex.sys (manual start)
Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM): system32\DRIVERS\se46unic.sys (manual start)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
High-Capacity Floppy Disk Drive: system32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{55A976E7-002C-4FBB-8E18-4ABA4B5EDE08} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
CLCV0: C:\WINDOWS\system32\UTSCSI.EXE (autostart)
Virtual Serial port driver: system32\DRIVERS\VComm.sys (manual start)
Bluetooth VComm Manager Service: System32\Drivers\VcommMgr.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Admin\LOCALS~1\Temp\_iu14D2N.tmp
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
lljy_df = C:\WINDOWS\system\llzjy080617.exe
--------------------------------------------------
End of report, 33,390 bytes
Report generated in 0.180 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
--- Search result list ---
Altnet: [SBI $2F41B249] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
Zlob.DNSChanger.Rtk: [SBI $2E4C4BE7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System=...KDVKP.EXE...
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-06-20 unins000.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2007-11-07 Includes\Revision.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-18 Includes\Malware.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\Adware.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-11 Includes\Trojans.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-17 Includes\KeyloggersC.sbi (*)
2008-06-17 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPSC.sbi (*)
2008-06-18 Includes\SecurityC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-18 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB884020
/ Windows XP / SP3: Windows XP Hotfix - KB884883
/ Windows XP / SP3: Windows XP Hotfix - KB885222
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885523
/ Windows XP / SP3: Windows XP Hotfix - KB885626
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB885894
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB886677
/ Windows XP / SP3: Windows XP Hotfix - KB886716
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB889016
/ Windows XP / SP3: Hotfix for Windows XP (KB889527)
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890831
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Hotfix for Windows XP (KB893357)
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB896344)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Windows XP Hotfix - KB896626
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Hotfix for Windows XP (KB898543)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Hotfix for Windows XP (KB903234)
--- Startup entries list ---
Located: HK_LM:Run, C:\WINDOWS\system32\kdvkp.exe
command: C:\WINDOWS\system32\kdvkp.exe
file: C:\WINDOWS\system32\kdvkp.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, ShStatEXE
command: "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
file: C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
size: 81990
MD5: F0814BD93969E2283A240AD4C6A04843
Located: HK_LM:Run, C:\WINDOWS\system32\kdvkp.exe (DISABLED)
command: C:\WINDOWS\system32\kdvkp.exe
file: C:\WINDOWS\system32\kdvkp.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, HP Component Manager (DISABLED)
command: "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
file: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
size: 241664
MD5: B75B654EE1DA99876461B24597AE3FF3
Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:RunOnce, Spybot - Search & Destroy (DISABLED)
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: PE_C_WIL...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1644491937-706699826-1202660629-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1644491937-706699826-1202660629-1007...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-1644491937-706699826-1202660629-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: Startup (disabled), Empty (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Registration Heroes of Might & Magic 5 (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Adobe Gamma Loader (DISABLED)
command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362B96870CE8649F4F2EC893DA93F0
Located: Startup (disabled), BlueSoleil (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), BulletProof Go!Zilla (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), ISPx Web Accelerator (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), LUMIX Simple Viewer (DISABLED)
command: "C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
file: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A
Located: Startup (disabled), WinZip Quick Pick (DISABLED)
command: C:\PROGRA~1\WinZip\WZQKPICK.EXE
file: C:\PROGRA~1\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, rqRJDwts
command: rqRJDwts.dll
file: rqRJDwts.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (UberButton Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: UberButton Class
Path: C:\Program Files\Yahoo!\Common\
Long name: yiesrvc.dll
Short name:
Date (created): 10/24/2005 3:31:24 AM
Date (last access): 6/28/2000
Date (last write): 1/6/2006 12:52:14 PM
Filesize: 181752
Attributes: archive
MD5: 90AAE04C4C2F05981FB7BF24E70AC0AA
CRC32: F7878D4F
Version: 2006.1.5.1
{65D886A2-7CA7-479B-BB95-14D1EFB7946A} (YahooTaggedBM Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: YahooTaggedBM Class
Path: C:\Program Files\Yahoo!\Common\
Long name: YIeTagBm.dll
Short name: YIETAGBM.DLL
Date (created): 10/24/2005 3:31:22 AM
Date (last access): 6/28/2000
Date (last write): 8/17/2005 9:40:28 AM
Filesize: 120312
Attributes: archive
MD5: 3355B63F76DE77384C93DAADAE22CC2B
CRC32: DAF3ED3E
Version: 2005.8.17.1
--- ActiveX list ---
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\oscan8.inf
Codebase: http://download.bitdefender.com/resources/scan8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan82.ocx
Short name:
Date (created): 2/26/2008 3:59:18 PM
Date (last access): 6/28/2000
Date (last write): 2/26/2008 3:59:18 PM
Filesize: 487424
Attributes: archive
MD5: 230A39D8950142CF2C94A5C1E567E95E
CRC32: A546A5BB
Version: 1.0.0.1
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9c.ocx
Short name: FLASH9C.OCX
Date (created): 3/30/2007 7:09:40 AM
Date (last access): 6/28/2000
Date (last write): 3/30/2007 7:09:40 AM
Filesize: 2267368
Attributes: readonly archive
MD5: 98976C156497DF3FB8AB307AF22237C2
CRC32: DD0CCCD7
Version: 9.0.45.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 336 ( 288) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 368 ( 288) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 412 ( 368) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 424 ( 368) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 592 ( 412) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 640 ( 412) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 676 ( 412) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 720 ( 412) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 784 ( 412) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1028 ( 984) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: 45757077A47C68A603A79B03A1A836AB
PID: 1088 ( 412) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1280 ( 412) C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
size: 106586
MD5: F7BCB6CED5F42EBFB8975A88DEE773D4
PID: 1308 ( 412) C:\Program Files\Network Associates\VirusScan\Mcshield.exe
size: 237657
MD5: 453A467A454BE6F11A6B11B02F5DF1BC
PID: 1340 ( 412) C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
size: 69706
MD5: 184078283F0ED17E2CB86A1C8262F53B
PID: 1372 ( 412) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
size: 270336
MD5: 0EFEE4F2D23BA2D8B27FBA942106E0E1
PID: 1404 ( 592) C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
size: 127058
MD5: 91BDF7D987C8A0655BEE569FC3484E84
PID: 1564 ( 412) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1616 ( 412) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 1860 (1028) C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
size: 81990
MD5: F0814BD93969E2283A240AD4C6A04843
PID: 1876 (1028) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 1892 (1028) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 552 ( 412) C:\Program Files\Canon\CAL\CALMAIN.exe
size: 96341
MD5: 20F89E232173985A455BC9A5F70D1166
PID: 1448 ( 412) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3900 (1028) C:\Program Files\BitComet\BitComet.exe
size: 2596152
MD5: BCDF03F43A2C3282BEE7F36FC658FD08
PID: 2588 (2704) C:\Program Files\Registry Clean Expert\RCHelper.exe
size: 604920
MD5: 963D198580DAF31A0FD6666EDE3C1FB3
PID: 1716 (1028) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/28/2000 8:38:28 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://home.microsoft.com/access/allinone.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://home.microsoft.com/search/lobby/search.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
https://login.yahoo.com/config/login_verify2?&.src=ym
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
--- Uninstall list ---
(AddressBook)
Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html
Adobe Flash Player ActiveX 9.0.45.0 (Adobe Flash Player ActiveX)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
publisher: Adobe Systems Incorporated
help link: http://www.adobe.com/go/flashplayer_support/
Allok Video to 3GP Converter 4.1.0422 (Allok Video to 3GP Converter_is1)
install location: D:\wiL\programs\3GPcnvrt\Allok Video to 3GP Converter\
uninstall cmd: "D:\wiL\programs\3GPcnvrt\Allok Video to 3GP Converter\unins000.exe"
publisher: Allok Soft .Inc
help link: http://www.alloksoft.com
BitComet 1.02 1.02 (BitComet)
uninstall cmd: C:\Program Files\BitComet\uninst.exe
publisher: ~RnySmile~
(Branding)
Canon Camera Access Library 8.3.0.1 (CAL)
install location: C:\Program Files\Canon\CAL
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX 5.4.5.17 (CameraWindowDVC5)
install location: C:\Program Files\Canon\CameraWindow\CameraWindowDVC
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX 6.4.0.9 (CameraWindowDVC6)
install location: C:\Program Files\Canon\CameraWindow\CameraWindowDVC6
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX 6.3.0.8 (CameraWindowMC)
install location: C:\Program Files\Canon\CameraWindow\CameraWindowMC
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder 1.1.0.4 (Canon G.726 WMP-Decoder)
install location: C:\Program Files\Canon\G726Decoder
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
CCleaner (remove only) (CCleaner)
uninstall cmd: "C:\Program Files\CCleaner\uninst.exe"
(Connection Manager)
Canon Camera Support Core Library 7.3.1.6 (CSCLIB)
install location: C:\Program Files\Canon\CSCLIB
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
(DirectAnimation)
(DirectDrawEx)
(DXM_Runtime)
Canon Utilities EOS Utility 1.1.0.8 (EOS Utility)
install location: C:\Program Files\Canon\EOS Utility
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
(Fontcore)
HijackThis 2.0.2 2.0.2 (HijackThis)
uninstall cmd: "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
publisher: TrendMicro
(ICW)
(IE40)
(IE4Data)
(IE5BAKEX)
(IEData)
(InstallShield Uninstall Information)
QuickTime 7.1 (InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31})
version: 117506048
version (major): 7
version (minor): 1
estimated size: 74459
install date: 20070902
install location: C:\Program Files\QuickTime\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
(KB884016)
LPS V3.2.0 (Lifetime Proposal System Ver. 3.2.0_is1)
install location: D:\flor\PACIFIC\Lifetime Proposal System Ver. 3.2.0\
uninstall cmd: "D:\flor\PACIFIC\Lifetime Proposal System Ver. 3.2.0\unins000.exe"
publisher: Lifetime Plans (A division of Pacific Plans, Inc.)
help link: http://www.lifetimeplans.com.ph
Microsoft .NET Framework 1.1 (Microsoft .NET Framework 1.1 (1033))
uninstall cmd: msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
readme: file://C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm
(MobileOptionPack)
Canon MovieEdit Task for ZoomBrowser EX 2.4.0.14 (MovieEditTask)
install location: C:\Program Files\Canon\ZoomBrowser EX\Program
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
(MPlayer2)
(MSI30-Beta1)
(MSI30-Beta2)
(MSI30-KB884016)
(MSI30-RC1)
(MSI30-RC2)
(MSI30a-KB884016)
(MSI31-Beta)
(MSI31-RC1)
(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Ahead\Uninstall\SetupX.exe /uninstall ExtraUninstallID=""
(NeroVision!UninstallKey)
uninstall cmd: C:\WINDOWS\UNNeroVision.exe /UNINSTALL
(NetMeeting)
(NMPUninstallKey)
uninstall cmd: C:\WINDOWS\UNNMP.exe /UNINSTALL
(OutlookExpress)
PCI Audio Applications (PCI Audio Applications)
uninstall cmd: C:\Program Files\PCI Audio Applications\Bin\Uninstall.exe
PCI Audio Driver (PCI Audio Driver)
uninstall cmd: cmuninst.exe
Canon Utilities PhotoStitch 3.1.19.43 (PhotoStitch)
install location: C:\Program Files\Canon\PhotoStitch
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon RAW Image Task for ZoomBrowser EX 2.6.0.13 (RAW Image Task)
install location: C:\Program Files\Canon\RAW Image Task
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Registry Clean Expert (Registry Clean Expert_is1)
install date: 20080519
install location: C:\Program Files\Registry Clean Expert\
uninstall cmd: "C:\Program Files\Registry Clean Expert\unins000.exe"
publisher: iExpert
help link: http://www.registry-clean.net
Canon RemoteCapture Task for ZoomBrowser EX 1.7.0.8 (RemoteCaptureTask)
install location: C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
(SchedulingAgent)
Windows Media Format Runtime (Windows Media Format Runtime)
uninstall cmd: "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10 (Windows Media Player)
uninstall cmd: "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
WinRAR archiver (WinRAR archiver)
uninstall cmd: C:\Program Files\WinRAR\uninstall.exe
WinZip 9.0 SR-1 (6224) (WinZip)
version (major): 9
install location: C:\PROGRA~1\WINZIP\
uninstall cmd: "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
publisher: WinZip Computing, Inc.
help link: http://www.winzip.com/xsupport.htm
Xilisoft AVI to DVD Converter 3.0.34.0124 (Xilisoft AVI to DVD Converter)
uninstall cmd: C:\Program Files\Xilisoft\AVI to DVD Converter\Uninstall.exe
publisher: Xilisoft
help link: http://www.xilisoft.com
Xiph QuickTime Components (XiphQT)
uninstall cmd: "C:\Program Files\QuickTime\QTComponents\XiphQTuninstall.exe"
XP Codec Pack (XP Codec Pack)
uninstall cmd: C:\Program Files\XP Codec Pack\Uninstall.exe
Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: C:\PROGRA~1\YAHOO!\COMMON\unyt.exe
Yahoo! Browser Services (Yahoo! Customizations)
uninstall cmd: C:\PROGRA~1\YAHOO!\COMMON\unyext.exe
Yahoo! Internet Mail (Yahoo! Internet Mail)
uninstall cmd: C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
Yahoo! Messenger (Yahoo! Messenger)
uninstall cmd: C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar (Yahoo! Toolbar)
Yahoo! Install Manager (YInstHelper)
uninstall cmd: C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Canon Utilities ZoomBrowser EX 5.8.0.74 (ZoomBrowser EX)
install location: C:\Program Files\Canon\ZoomBrowser EX\Program
uninstall cmd: "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
WebFldrs XP 9.50.7523 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154279267
version (major): 9
version (minor): 50
estimated size: 2500
install date: 20050820
install source: C:\WINDOWS\system32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows
Adobe® Photoshop® Album Starter Edition 3.0 3.00.000 ({4BDFD2CE-6329-42E4-9801-9B3D1F10D79B})
version: 50331648
version (major): 3
estimated size: 18485
install date: 20070426
install location: C:\Program Files\Adobe\Photoshop Album Starter Edition\
install source: E:\Applications\PSA\English\PhotoshopAlbumSE\
uninstall cmd: MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
publisher: Adobe Systems, Inc.
readme: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\ReadMe.txt
neroxml 1.0.0 ({56C049BE-79E9-4502-BEA7-9754A3E60F9B})
version: 16777216
version (major): 1
estimated size: 1278
install date: 20080519
uninstall cmd: MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
publisher: Nero AG
contact: Nero AG
McAfee VirusScan Enterprise 7.1.0 ({59224777-298D-4E9C-9AEB-4A91BDA01B27})
version: 117506048
version (major): 7
version (minor): 1
estimated size: 10702
install date: 20061104
install location: C:\Program Files\Network Associates\VirusScan\
uninstall cmd: MsiExec.exe /I{59224777-298D-4E9C-9AEB-4A91BDA01B27}
publisher: Network Associates
help link: https://mysupport.nai.com/redir/default.asp?pCode=VSC&sRef=app&sDest=FAQ
help telephone: +1 (408) 988-3832
({5E977DEC-5BB4-44C7-9FE5-9357D2DB4FCB})
install location: C:\Program Files\Disc2Phone\
PowerDVD ({6811CAA0-BF12-11D4-9EA1-0050BAE317E1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Microsoft Office XP Professional with FrontPage 10.0.2627.01 ({90280409-6000-11D3-8CFE-0050048383C9})
version: 167774787
version (major): 10
estimated size: 535207
install date: 20050820
install location: INSTALLLOCATION
install source: E:\
uninstall cmd: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office10\1033\OFREAD10.HTM
Adobe Reader 7.0.9 7.0.9 ({AC76BA86-7AD7-1033-7B44-A70900000002})
version: 117440521
version (major): 7
estimated size: 69471
install date: 20080610
install source: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
publisher: Adobe Systems Incorporated
comments:
contact:
help link: http://www.adobe.com/support/main.html
help telephone:
readme: C:\Program Files\Adobe\Acrobat 7.0\Reader\Readme.htm
Spybot - Search & Destroy 1.5.2 ({B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1)
install date: 20080620
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
help link: http://www.safer-networking.org/index.php?page=support
HP Software Update 3.0.1.25 ({B81023A5-71ED-46EB-BE3B-9F974D1155F1})
version: 50331649
version (major): 3
estimated size: 3539
install date: 20050822
install source: E:\Applications\HPSU\
uninstall cmd: MsiExec.exe /X{B81023A5-71ED-46EB-BE3B-9F974D1155F1}
publisher: HEWLET~1|Hewlett-Packard
contact: http://www.hp.com/support
QuickTime 7.1 ({C21D5524-A970-42FA-AC8A-59B8C7CDCA31})
version: 117506048
version (major): 7
version (minor): 1
estimated size: 74459
install date: 20070902
install location: C:\Program Files\QuickTime\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 65905
install date: 20070426
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm
HP Deskjet 3740 1.00.0000 ({F901CA6D-A074-42D3-A11D-33AAE6FFD0C1})
version: 16777216
version (major): 1
estimated size: 43723
install date: 20070620
install source: e:\
uninstall cmd: msiexec /x{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}
publisher: Hewlett-Packard
Sony Ericsson PC Suite 2.0.52 ({FC906D5C-91F9-4DA4-A765-6DCBB669F317})
version: 33554484
version (major): 2
estimated size: 100282
install date: 20070426
install location: C:\Program Files\Sony Ericsson\Mobile2\
uninstall cmd: MsiExec.exe /I{FC906D5C-91F9-4DA4-A765-6DCBB669F317}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
Disc2Phone 1.4.0.112 ({FFAB5ABB-8AAB-42E2-847F-1743E51E01E9})
version: 17039360
version (major): 1
version (minor): 4
estimated size: 10897
install date: 20080313
install location: C:\Program Files\Disc2Phone\
uninstall cmd: MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
publisher: Sony Media Software
help link: www.sonyericsson.com/support
--- System Services ---
Service (registry key): .NET CLR Data
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): .NET CLR Networking
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): .NETFramework
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): 52cbe23c587fd75d
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: 52cbe23c587fd75d
Image path: \??\C:\52cbe23c587fd75d.dat
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0
Service (registry key): Abiosdsk
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0
Service (registry key): abp480n5
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): ACPI
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft ACPI Driver
Image path: system32\DRIVERS\ACPI.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Service (registry key): ACPIEC
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): adpu160m
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): aec
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel Acoustic Echo Canceller
Image path: system32\drivers\aec.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Afc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PPdus ASPI Shell
Image path: system32\drivers\Afc.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): AFD
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: AFD
Description: AFD Networking Support Environment
Image path: \SystemRoot\System32\drivers\afd.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Service (registry key): Aha154x
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): aic78u2
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): aic78xx
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): Alerter
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Alerter
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation
Service (registry key): ALG
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Application Layer Gateway Service
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\alg.exe
Image size: 44544
Image MD5: F1958FBF86D5C004CF19A5951A9514B7
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Service (registry key): AliIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): amsint
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): AppMgmt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Application Management
Description: Provides software installation services such as Assign, Publish, and Remove.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Service (registry key): asc
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): asc3350p
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): asc3550
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): ASP.NET
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): ASP.NET_1.1.4322
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): Aspi32
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\drivers\aspi32.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 2
Type: 1
Error Control: 1
Service (registry key): aspnet_state
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ASP.NET State Service
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
Image size: 32768
Image MD5: E1A1206A4FB19B675E947B29CCD25FBA
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Service (registry key): AsyncMac
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: RAS Asynchronous Media Driver
Description: RAS Asynchronous Media Driver
Image path: system32\DRIVERS\asyncmac.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): atapi
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Standard IDE/ESDI Hard Disk Controller
Image path: system32\DRIVERS\atapi.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Service (registry key): Atdisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0
Service (registry key): Atmarpc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ATM ARP Client Protocol
Description: ATM ARP Client Protocol
Image path: system32\DRIVERS\atmarpc.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip
Service (registry key): AudioSrv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Audio
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: PlugPlay,RpcSs
Service (registry key): audstub
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Audio Stub Driver
Image path: system32\DRIVERS\audstub.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): BattC
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): Beep
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Service (registry key): BITS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Background Intelligent Transfer Service
Description: Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs
Service (registry key): BlueletAudio
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bluetooth Audio Service
Image path: system32\DRIVERS\blueletaudio.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Browser
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Computer Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation,LanmanServer
Service (registry key): BT
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bluetooth PAN Network Adapter
Image path: system32\DRIVERS\btnetdrv.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Btcsrusb
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bluetooth USB For Bluetooth Service
Image path: System32\Drivers\btcusb.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): BTHidEnum
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bluetooth HID Enumerator
Image path: system32\DRIVERS\vbtenum.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0
Service (registry key): BTHidMgr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bluetooth HID Manager Service
Image path: System32\Drivers\BTHidMgr.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Service (registry key): cbidf2k
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): CCALib8
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Canon Camera Access Library 8
Object name: LocalSystem
Image path: C:\Program Files\Canon\CAL\CALMAIN.exe
Image size: 96341
Image MD5: 20F89E232173985A455BC9A5F70D1166
Control Set: CurrentControlSet
Start: 2
Type: 16
Error Control: 1
Depends On services: stisvc,SSDPSRV
Service (registry key): CCDECODE
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Closed Caption Decoder
Image path: system32\DRIVERS\CCDECODE.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): cd20xrnt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): Cdaudio
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0
Service (registry key): Cdfs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 2
Error Control: 1
Depends On group: "SCSI CDROM Class"
Service (registry key): Cdrom
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: CD-ROM Driver
Image path: system32\DRIVERS\cdrom.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"
Service (registry key): Changer
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0
Service (registry key): CiSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Indexing Service
Description: Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
Object name: LocalSystem
Image path: %SystemRoot%\system32\cisvc.exe
Image size: 5632
Image MD5: 3192BD04D032A9C4A85A3278C268A13A
Control Set: CurrentControlSet
Start: 3
Type: 288
Error Control: 1
Depends On services: RPCSS
Service (registry key): ClipSrv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ClipBook
Description: Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\clipsrv.exe
Image size: 33280
Image MD5: C8DEC22C4137D7A90F8BDF41CA4B82AE
Control Set: CurrentControlSet
Start: 4
Type: 16
Error Control: 1
Depends On services: NetDDE
Service (registry key): CmdIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): cmpci
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: C-Media PCI Audio Driver (WDM)
Image path: system32\drivers\cmaudio.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): COMSysApp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: COM+ System Application
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Image size: 5120
Image MD5: DD87DB7387B9EB441C5674888A0D840C
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: rpcss
Service (registry key): ContentFilter
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): ContentIndex
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0
Service (registry key): Cpqarray
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): CryptSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Cryptographic Services
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs
Service (registry key): dac2w2k
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0
Service (registry key): dac960nt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): DcomLaunch
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DCOM Server Process Launcher
Description: Provides launch functionality for DCOM services.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost -k DcomLaunch
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Service (registry key): DFE528TX
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: D-Link DFE-528TX PCI Adapter
Image path: system32\DRIVERS\DLKRTL.SYS
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Dhcp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DHCP Client
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip,Afd,NetBT
Service (registry key): Disk
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Disk Driver
Image path: system32\DRIVERS\disk.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"
Service (registry key): dmadmin
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager Administrative Service
Description: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
Object name: LocalSystem
Image path: %SystemRoot%\System32\dmadmin.exe /com
Image size: 224768
Image MD5: 554C7CB178FE3BD12450B81AD63ADBC3
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay,DmServer
Service (registry key): dmboot
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\drivers\dmboot.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): dmio
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager Driver
Image path: System32\drivers\dmio.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Service (registry key): dmload
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\drivers\dmload.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Service (registry key): dmserver
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay
Service (registry key): DMusic
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel DLS Syntheiszer
Image path: system32\drivers\DMusic.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Dnscache
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DNS Client
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\system32\svchost.exe -k NetworkService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip
Service (registry key): dpti2o
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1
Service (registry key): drmkaud
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel DRM Audio Descrambler
Image path: system32\drivers\drmkaud.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): ERSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Error Reporting Service
Description: Allows error reporting for services and applictions running in non-standard environments.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 0
Depends On services: RpcSs
Service (registry key): Eventlog
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Event Log
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Object name: LocalSystem
Image path: %SystemRoot%\system32\services.exe
Image size: 108032
Image MD5: C6CE6EEC82F187615D1002BB3BB50ED4
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Service (registry key): EventSystem
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: COM+ Event System
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RPCSS
Service (registry key): Fastfat
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 2
Error Control: 1
Service (registry key): FastUserSwitchingCompatibility
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Fast User Switching Compatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: TermService
Service (registry key): Fdc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Floppy Disk Controller Driver
Image path: system32\DRIVERS\fdc.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Service (registry key): Fips
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Service (registry key): Flpydisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Floppy Disk Driver
Image path: system32\DRIVERS\flpydisk.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Hi
Please uninstall Spybot for now to make sure TeaTimer won't interfere fixing. You may reinstall it after system is clean :)
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
hi..
i just want to say for now, thanks for the reply and that i will try to read first the thread posted on the forums about ComboFix and the windows recovery console. it might take me a while though, maybe after 2 days i can post the results 'cause it's kinda my birthday so i may not have the time today. anyway, thanks again! thanks!
Happy Birthday to you :present:
I'll wait for your input :)
hi again..
thanks for the greeting and sorry for the delay. i got backed up on my chores after my birthday. my house was a mess and i had to get them done first and then after reading the threads about combofix and the damage it might do. i had to back up all my personal files and my mom's which took me a lot longer than what i thought, scanning and burning them into dvd-5s. well anyway, here's the log from combofix. was surprised on the files it mentioned it deleted. i'll post a fresher HJT log after this. =)
thanks in advance! =)
--------------------------------------------------------------------------
ComboFix 08-07-03.1 - Admin 2008-07-04 12:19:36.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\dfDelmlljy.bat
C:\WINDOWS\BM407222d9.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdkmiorv.ini
C:\WINDOWS\system32\GNTwHRqr.ini
C:\WINDOWS\system32\GNTwHRqr.ini2
C:\WINDOWS\system32\gtrpmxmt.ini
C:\WINDOWS\system32\gunxwwes.ini
C:\WINDOWS\system32\hduaadyl.ini
C:\WINDOWS\system32\iiaxsfvm.ini
C:\WINDOWS\system32\inxsdgpd.ini
C:\WINDOWS\system32\jkhoeqqn.ini
C:\WINDOWS\system32\kdvkp.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mtewdh.dll.LoG
C:\WINDOWS\system32\mtmgflnv.ini
C:\WINDOWS\system32\PsttCfhk.ini
C:\WINDOWS\system32\PsttCfhk.ini2
C:\WINDOWS\system32\sgrefg.dll.LoG
C:\WINDOWS\system32\thafmllu.ini
C:\WINDOWS\system32\uwjxavsl.ini
C:\WINDOWS\system32\vahlrefv.ini
C:\WINDOWS\system32\VvGhRXyb.ini
C:\WINDOWS\system32\VvGhRXyb.ini2
C:\WINDOWS\system32\ypjfprey.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NNSERV
-------\Service_NNServ
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.
2008-07-04 09:09 . 2008-07-04 09:09 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 04:49 . 2000-06-21 03:12 327 --a------ C:\WINDOWS\wininit.ini
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 13:42 . 2008-06-19 13:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-19 12:49 . 2008-06-19 12:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-16 03:34 . 2008-06-16 03:34 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 01:51 . 2008-06-19 12:10 110,321 --a------ C:\WINDOWS\BM407222d9.xml
2008-06-11 15:25 . 2008-06-11 15:25 <DIR> d-------- C:\Documents and Settings\wiL\New Folder
2008-06-11 15:19 . 2008-06-11 15:19 <DIR> d-------- C:\Documents and Settings\wiL\Temporary
2008-06-11 13:47 . 2008-06-19 18:33 345 --ahs---- C:\WINDOWS\system32\ccMmlnnn.ini
2008-06-11 13:42 . 2008-06-11 13:42 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-10 21:57 . 2008-06-10 21:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\InstallShield
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Kazaa Lite
2008-06-09 21:34 . 2002-06-24 04:30 45,568 -ra------ C:\WINDOWS\system32\drivers\DLKRTL.SYS
2008-06-04 19:16 . 2008-07-04 10:30 116 --a------ C:\WINDOWS\NeroDigital.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 07:15 21,424 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-05-19 02:44 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-19 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-06 16:07 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-04-06 16:07 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-04-06 16:07 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2005-09-11 20:47 19,944 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-08-26 15:20 11,535 ----a-w C:\Program Files\INSTALL.LOG
1999-10-18 09:08 4 ----a-w C:\Program Files\hl.dat
1999-08-11 10:09 4 ----a-w C:\Program Files\hlds.dat
1999-04-05 15:29 3,310 ----a-w C:\Program Files\TeamFortressClassic.ico
1999-01-20 16:12 733,184 ----a-w C:\Program Files\UtDel32.exe
1998-10-30 22:21 30,240 ----a-w C:\Program Files\SETUP.EXE
1998-10-30 22:21 141,824 ----a-w C:\Program Files\hluninst.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 07:10 81990]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Empty.pif]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BulletProof Go!Zilla.lnk]
backup=C:\WINDOWS\pss\BulletProof Go!Zilla.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ISPx Web Accelerator.lnk]
backup=C:\WINDOWS\pss\ISPx Web Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-19 01:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 23:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-09-10 03:11 135251 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-02 18:50 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
--a------ 2008-01-31 02:09 604920 C:\Program Files\Registry Clean Expert\RCHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-06-16 14:37 3334144 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2001-09-12 15:09 1134592 C:\WINDOWS\mixer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\WINDOWS\system32\kdvkp.exe"=C:\WINDOWS\system32\kdvkp.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9789:TCP"= 9789:TCP:BitComet 9789 TCP
"9789:UDP"= 9789:UDP:BitComet 9789 UDP
"18941:TCP"= 18941:TCP:BitComet 18941 TCP
"18941:UDP"= 18941:UDP:BitComet 18941 UDP
R3 DFE528TX;D-Link DFE-528TX PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTL.SYS [2002-06-24 04:30]
S3 52cbe23c587fd75d;52cbe23c587fd75d;C:\52cbe23c587fd75d.dat []
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 15:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 15:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 15:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 15:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 15:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 15:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 15:11]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{017bfdf0-4957-11dd-b7af-001cf0ec2404}]
\Shell\Auto\command - G:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - G:\Recycled/dllcache32.exe
\Shell\open\Command - G:\Recycled/dllcache32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 17:08:02 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Administrator\Templates\Brengkolang.com
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-C:\WINDOWS\system32\kdvkp.exe - C:\WINDOWS\system32\kdvkp.exe
ShellExecuteHooks-{5E907A48-400E-4EA8-9792-FFAE052D59E9} - (no file)
ShellExecuteHooks-{A9895933-6636-4281-BC58-EE6DE2AF96E3} - (no file)
ShellExecuteHooks-{E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} - (no file)
Notify-rqRJDwts - rqRJDwts.dll
MSConfigStartUp-BM407222d9 - C:\WINDOWS\system32\xqkpcyme.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 12:29:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52cbe23c587fd75d]
"ImagePath"="\??\C:\52cbe23c587fd75d.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSTSKMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-07-04 12:30:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 12:30:20
Pre-Run: 6,938,165,248 bytes free
Post-Run: 6,871,089,152 bytes free
209
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:29 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvkp.exe] C:\WINDOWS\system32\kdvkp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 4350 bytes
hope it's not that big of a problem.. although i'm learning a lot from this experience.. =)
thanks again for taking the time to help me.. much appreciated.. =)
Hi
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
52cbe23c587fd75d
File::
C:\WINDOWS\BM407222d9.xml
C:\WINDOWS\system32\ccMmlnnn.ini
C:\52cbe23c587fd75d.dat
G:\Recycled\dllcache32.exe
C:\WINDOWS\Tasks\At1.job
C:\Documents and Settings\Administrator\Templates\Brengkolang.com
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{017bfdf0-4957-11dd-b7af-001cf0ec2404}]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problme doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
here they are...
first, the combofix resultant log with the CFScript...
--------------------------------------------------------------------------
ComboFix 08-07-03.1 - Admin 2008-07-05 0:39:20.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\52cbe23c587fd75d.dat
C:\Documents and Settings\Administrator\Templates\Brengkolang.com
C:\WINDOWS\BM407222d9.xml
C:\WINDOWS\system32\ccMmlnnn.ini
C:\WINDOWS\Tasks\At1.job
G:\Recycled\dllcache32.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\lljydf16.ini
C:\WINDOWS\BM407222d9.xml
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\ccMmlnnn.ini
C:\WINDOWS\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_52CBE23C587FD75D
-------\Service_52cbe23c587fd75d
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-04 09:09 . 2008-07-04 09:09 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 04:49 . 2000-06-21 03:12 327 --a------ C:\WINDOWS\wininit.ini
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 13:42 . 2008-06-19 13:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-19 12:49 . 2008-06-19 12:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-16 03:34 . 2008-06-16 03:34 <DIR> d-------- C:\Program Files\CCleaner
2008-06-11 15:25 . 2008-06-11 15:25 <DIR> d-------- C:\Documents and Settings\wiL\New Folder
2008-06-11 15:19 . 2008-06-11 15:19 <DIR> d-------- C:\Documents and Settings\wiL\Temporary
2008-06-11 13:42 . 2008-06-11 13:42 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-10 21:57 . 2008-06-10 21:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\InstallShield
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Kazaa Lite
2008-06-09 21:34 . 2002-06-24 04:30 45,568 -ra------ C:\WINDOWS\system32\drivers\DLKRTL.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 07:15 21,424 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-05-19 02:44 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-19 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-06 16:07 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-04-06 16:07 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-04-06 16:07 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2005-09-11 20:47 19,944 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-08-26 15:20 11,535 ----a-w C:\Program Files\INSTALL.LOG
1999-10-18 09:08 4 ----a-w C:\Program Files\hl.dat
1999-08-11 10:09 4 ----a-w C:\Program Files\hlds.dat
1999-04-05 15:29 3,310 ----a-w C:\Program Files\TeamFortressClassic.ico
1999-01-20 16:12 733,184 ----a-w C:\Program Files\UtDel32.exe
1998-10-30 22:21 30,240 ----a-w C:\Program Files\SETUP.EXE
1998-10-30 22:21 141,824 ----a-w C:\Program Files\hluninst.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-04_12.29.51.24 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 12:28:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 00:43:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 07:10 81990]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Empty.pif]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BulletProof Go!Zilla.lnk]
backup=C:\WINDOWS\pss\BulletProof Go!Zilla.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ISPx Web Accelerator.lnk]
backup=C:\WINDOWS\pss\ISPx Web Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-19 01:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 23:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-09-10 03:11 135251 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-02 18:50 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
--a------ 2008-01-31 02:09 604920 C:\Program Files\Registry Clean Expert\RCHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-06-16 14:37 3334144 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2001-09-12 15:09 1134592 C:\WINDOWS\mixer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\WINDOWS\system32\kdvkp.exe"=C:\WINDOWS\system32\kdvkp.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9789:TCP"= 9789:TCP:BitComet 9789 TCP
"9789:UDP"= 9789:UDP:BitComet 9789 UDP
"18941:TCP"= 18941:TCP:BitComet 18941 TCP
"18941:UDP"= 18941:UDP:BitComet 18941 UDP
R3 DFE528TX;D-Link DFE-528TX PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTL.SYS [2002-06-24 04:30]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 15:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 15:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 15:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 15:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 15:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 15:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 15:11]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-C:\WINDOWS\system32\kdvkp.exe - C:\WINDOWS\system32\kdvkp.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 00:44:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSTSKMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2008-07-05 0:46:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-05 00:46:34
ComboFix2.txt 2008-07-04 12:30:26
Pre-Run: 6,853,328,896 bytes free
Post-Run: 6,845,071,360 bytes free
180
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 05, 2008 5:13:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/07/2008
Kaspersky Anti-Virus database records: 913396
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 73989
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 02:33:51
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_94F7325A80AF435.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_94F7325A80AF435.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{61055A6D-D95D-4917-B22A-A5BEBC236A6C}\RP2\A0000163.EXE Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{61055A6D-D95D-4917-B22A-A5BEBC236A6C}\RP3\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kdvkp.exe.vir Infected: Trojan.Win32.Monder.gen skipped
D:\wiL\downloads\installers\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
D:\wiL\downloads\installers\mirc617.exe mIRC: infected - 1 skipped
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl\Xilisoft.AVI.To.DVD.Converter.v3.0.34.Build.0124.exe/data0000.cab/installer2.exe Infected: Trojan.Win32.Monder.gen skipped
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl\Xilisoft.AVI.To.DVD.Converter.v3.0.34.Build.0124.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl\Xilisoft.AVI.To.DVD.Converter.v3.0.34.Build.0124.exe Rsrc-Package: infected - 2 skipped
D:\System Volume Information\_restore{61055A6D-D95D-4917-B22A-A5BEBC236A6C}\RP3\change.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:13 AM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvkp.exe] C:\WINDOWS\system32\kdvkp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 4292 bytes
--------------------------------------------------------------------------
THANKS! =)
Hi
We have to do one more run.
Start hjt, do a system scan, check:
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvkp.exe] C:\WINDOWS\system32\kdvkp.exe
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Empty.pif]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C:\WINDOWS\system32\kdvkp.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Reboot and post a fresh hjt log too.
here it is.. =)
1st, combofix 3rd run resultant log.. =)
--------------------------------------------------------------------------
ComboFix 08-07-03.1 - Admin 2008-07-05 11:33:38.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.174 [GMT 0:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl\Serial.txt
D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl\Xilisoft.AVI.To.DVD.Converter.v3.0.34.Build.0124.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
2008-07-05 01:04 . 2008-07-05 01:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-05 01:04 . 2008-07-05 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-04 09:09 . 2008-07-04 09:09 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-20 04:49 . 2000-06-21 03:12 327 --a------ C:\WINDOWS\wininit.ini
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-20 02:59 . 2008-06-20 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 13:42 . 2008-06-19 13:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-19 12:49 . 2008-06-19 12:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Media Player Classic
2008-06-16 03:34 . 2008-06-16 03:34 <DIR> d-------- C:\Program Files\CCleaner
2008-06-11 15:25 . 2008-06-11 15:25 <DIR> d-------- C:\Documents and Settings\wiL\New Folder
2008-06-11 15:19 . 2008-06-11 15:19 <DIR> d-------- C:\Documents and Settings\wiL\Temporary
2008-06-11 13:42 . 2008-06-11 13:42 <DIR> d-------- C:\Program Files\Xilisoft
2008-06-10 21:57 . 2008-06-10 21:57 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\InstallShield
2008-06-10 10:25 . 2008-06-10 10:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Kazaa Lite
2008-06-09 21:34 . 2002-06-24 04:30 45,568 -ra------ C:\WINDOWS\system32\drivers\DLKRTL.SYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 07:15 21,424 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-05-19 02:44 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-19 02:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-06 16:07 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-04-06 16:07 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-04-06 16:07 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2005-09-11 20:47 19,944 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-08-26 15:20 11,535 ----a-w C:\Program Files\INSTALL.LOG
1999-10-18 09:08 4 ----a-w C:\Program Files\hl.dat
1999-08-11 10:09 4 ----a-w C:\Program Files\hlds.dat
1999-04-05 15:29 3,310 ----a-w C:\Program Files\TeamFortressClassic.ico
1999-01-20 16:12 733,184 ----a-w C:\Program Files\UtDel32.exe
1998-10-30 22:21 30,240 ----a-w C:\Program Files\SETUP.EXE
1998-10-30 22:21 141,824 ----a-w C:\Program Files\hluninst.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-04_12.29.51.24 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 12:28:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 11:21:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 07:10 81990]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BulletProof Go!Zilla.lnk]
backup=C:\WINDOWS\pss\BulletProof Go!Zilla.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ISPx Web Accelerator.lnk]
backup=C:\WINDOWS\pss\ISPx Web Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-19 01:55 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 23:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-09-10 03:11 135251 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-02 18:50 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
--a------ 2008-01-31 02:09 604920 C:\Program Files\Registry Clean Expert\RCHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-06-16 14:37 3334144 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2001-09-12 15:09 1134592 C:\WINDOWS\mixer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"C:\WINDOWS\system32\kdvkp.exe"=C:\WINDOWS\system32\kdvkp.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9789:TCP"= 9789:TCP:BitComet 9789 TCP
"9789:UDP"= 9789:UDP:BitComet 9789 UDP
"18941:TCP"= 18941:TCP:BitComet 18941 TCP
"18941:UDP"= 18941:UDP:BitComet 18941 UDP
R3 DFE528TX;D-Link DFE-528TX PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTL.SYS [2002-06-24 04:30]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 15:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 15:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 15:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 15:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 15:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 15:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 15:11]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 11:35:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-05 11:36:16
ComboFix-quarantined-files.txt 2008-07-05 11:36:14
ComboFix3.txt 2008-07-04 12:30:26
ComboFix2.txt 2008-07-05 00:46:50
Pre-Run: 6,748,012,544 bytes free
Post-Run: 6,728,073,216 bytes free
159
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:25 AM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 4179 bytes
it's all becoming clearer now... =)
THANKS! =)
Hi
You may reinstall Spybot now :)
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if you have only Windows own firewall enabled and don't have a hardware firewall.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
i already did the system restore thing, uninstalled combofix, changed the settings for the internet explorer, and downloaded the necessary programs you mentioned (adaware, spywareblaster, and comodo for my firewall), but i'm still to do the updates, but i'll get it done as soon as i get some sleep, just came from a post birthday celebration with some close friends only available in the weekends.
anyway, i thought about this several times because i don't know all the rules here, so i'm quite hesitant about this, but i really want to learn. i guess what i'm trying to say is that if it's not too much to ask. i just want to know some things.
-to begin with, what actually happened? is it mainly because of the Zlob? Virtumonde? was the kdvkp.exe only a part of the bigger problem?
-the xilisoft avi to dvd converter program, can i still use it? or do i have to completely uninstall it? 'cause i saw in one of the actions that the installer was infected and had to be deleted.
-and i guess in the same breath, the mirc617.exe installer?
-and the last is which one of the two installers of comodo will i use? 32bit or 64bit?
i'm not imposing or obliging you or anything. it's ok if you don't really answer. heheh... ANYWAY =)
thanks for all the help blade! my PC seems to run smoother and faster now. i guess that means it's clean. =) Thank you so much. =) i only hope and pray that you continue doing something you're good at to help other people. of which i myself will try to do in my chosen profession, granting that it will choose me also. still waiting for the results of my board exam. =)
kudos! cherio? =) God bless! Thanks again.. =)
-to begin with, what actually happened? is it mainly because of the Zlob? Virtumonde? was the kdvkp.exe only a part of the bigger problem?
Your problems may have started when you run that XiliSoft video converter program.
-the xilisoft avi to dvd converter program, can i still use it? or do i have to completely uninstall it? 'cause i saw in one of the actions that the installer was infected and had to be deleted.
Looking at the name of D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl folder we deleted it seems you don't have legal version installed. I ask you to remove the program.
-and i guess in the same breath, the mirc617.exe installer?
The Mirc finding is a false positive.
-and the last is which one of the two installers of comodo will i use? 32bit or 64bit?
32bit is right version for your system :)
i totally forgot.. what about the altnet registry that spybot could not delete or fix? =)
figures it started like that.. got that from a friend.. anyway, since you asked, i will remove it then.. =)
and about the altnet registry? or is it okay to leave it?
Hi
Could you post Spybot findings regarding altnet so that we can try to remove it too?
at last, i thought this thread got erased. =) anyway..
is this it?
Altnet: [SBI $2F41B249] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
this one says nothing done because i already know here that spybot couldn't delete it, even when spybot does the fixing on startup.
i don't know what else to post. on spybot's definition, it's a tracker? or something that memorizes? logs? my habits.. something like that..
Hi
Yes, that's what I was after :)
Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.
In the box that opens ONLY choose
System registry.
Then click OK.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Reboot and run Spybot again.
is it a problem? or a potential big problem? this altnet thing?
spybot usually gives this message for it...
some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).
this could be fixed after a restart.
may spybot-s&d run on your next system startup?
[but it still can't, i tried again before replying]
Altnet: [SBI $2F41B249] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
Right Media: Tracking cookie (Internet Explorer: Admin) (Cookie, nothing done)
the second one, i've seen it before, several times actually but it does get fixed by spybot. [just thought i'd include it] =)
anyway, i don't really know what it is. so, i don't know what else to say.
btw, do firewalls like CFP take up bandwidth? my download speed slowed ever since i installed it.
Thanks for the help again! seems insufficient but.. all i can do is reiterate, i guess... =)
Hi
Try to run that fix.reg in safe mode. It's also recommended to install that mvps hosts file. Makes surfing safer and reduces amount of cookies. Firewall shouldn't affect to download speeds (not much at least) when it's configured right.
just to satisfy my curiosity? and naivity? =)
It's also recommended to install that mvps hosts file. Makes surfing safer and reduces amount of cookies.
you've said before that it might cause my PC to slow down. how actually? 'cause i run on a very old system? or hardware? still P3 733mghz, 384 RAM. would love to upgrade it soon but money's hard to come by these days [according to my mom and our country's economic standing]. =)
Firewall shouldn't affect to download speeds (not much at least) when it's configured right.
little advice on what configuration's right? please and thank you.. :clown::euro::laugh:
Hi
Mvps hosts file causes slowness only on seldom cases. I'm using it on four machines myself and haven't noticed any kind of side effects :)
For Comodo adjusting you can find tutorials here (http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall-b32.0/). If you have a question that existing tutorials don't cover you can ask it on their forums.
i'll do some reading on the mvp hosts file first then i'll definitely install it and try to see if there would be any slow down problems. and for the comodo firewall, i'll go read up on that too. thanks for pointing me to the right direction. =)
as for the altnet registry, i did the fix.reg on safe mode but when i check for problems again using spybot, it would still be there. i can see it on the recovery section of spybot, and my guess is that it gets fixed but just comes back again. just a guess.. =)
hmm.. what now? :banghead::trample::sad: [no crying smily] =)
Hi
Do you think you could be able to follow this (http://www.spywareremove.com/removeAltnet.html) set of Altnet removal instructions?
i'm sorry i'm not really sure how to follow it. on step 1, found the folder but there weren't any files in it [hidden files are checked on folder options]. on step 2, no altnet process/es like the ones listed on the page. on step 3, i don't know if i did it right, i used the "Find" option on registry editor for the listed supposed entries and nothing. on step 4, i'm a bit dumbfounded. hehe.. BUT i did find something on the registry..
and alas, i don't know how to attach an image.. doi.. when i click on the dropdown cap, it displays at the bottom, "error on page", sorry...
i have a snapshot of it but i don't know how to show it to you. so anyway, i found a folder containing some DLL's listed on step 4 including one having the word altnet in it. but i don't know what to do next.
hmm...
Hi
Please delete that altnet folder you found if you haven't done so already.
After that please download the Registry Search tool by clicking on the
hard drive
icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for altnet and click OK. Post the logfile from the tool here for me.
here it is...
--------------------------------------------------------------------------
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "altnet" 7/9/2008 11:34:13 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"="TOCLEAN"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="altnetuninstall.exe"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"013"="altnet"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"h"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"
--------------------------------------------------------------------------
under the folder Software\Microsoft\Search Assistant\ACMru\5603 of HKEY_USERS, is where i found the DLL's i was talkin about. i'll try to give it here..
NAME DATA
(Default) (value not set)
000 adm25.dll
001 adm4.dll
002 admdata.dll
003 admdloader.dll
004 admfdi.dll
005 admprog.dll
006 atl.dll
007 altnet
all are TYPE = REG_SZ
--------------------------------------------------------------------------
hope that kinda helps...
=)
they weren't like that when i first saw it... there were only 9 then.. now they're 15.. let me make some adjustments..
NAME DATA
(Default) (value not set)
000 ACMru
001 altnetuninstall.exe
002 adm.exe
003 adm4005.exe
004 asm.exe
005 asmend.exe
006 adm25.dll
007 adm4.dll
008 admdata.dll
009 admdloader.dll
010 admfdi.dll
011 admprog.dll
012 atl.dll
013 altnet
all still are type REG_SZ [i think you already know this, but i just don't want to leave anything out]..
anyway, i'll be searching "My Computer" again for ACMru.. i think i've seen that folder before in one of my Mom's.. under "Back ups"..
this is getting insane i think.. :clown::eek::laugh:
never thought it would be this complicated..
still.. havin' fun though.. as crazy as it may sound.. :D:
Hi
This indeed looks quite tricky.
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Turn McAfee off to make sure it won't prevent following registry fix.
Save text below as fix.reg (overwrite previous one) on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"=-
[-HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
is it supposed be very quick? i've read in some threads it took them hours to do a full scan.. well, anyway, here it is..
--------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2
9:04:27 AM 7/10/2008
mbam-log-7-10-2008 (09-04-27).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 113595
Time elapsed: 18 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\flor\Backups\ActiveWallpaper\23663.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------
btw, i had to remove comodo. it was interfering with the update of mbam even though i already exited the application in my quick launch bar. just thought i'd say it.
and also i took the liberty of searching the registry again for the word altnet, and it showed the first two from before again.. namely,
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
there were other four but they were just files i recently created with altnet in the file name. but the folder Software\Microsoft\Search Assistant\ACMru\5603 of HKEY_USERS is no longer there.
hmm.. while replying here (literally), something happened. an error appeared something to do with system32, i can't remember all the words, then my desktop and taskbar suddenly changed into an old classic view of windows like in 98 or something, but it changed back to normal again almost instantaneously. well, again.. just thought i'd say it..
Hi
Let's try to remove the key manually.
Click Start then Run
Type in regedit
Click Ok.
In left pane of registry editor, Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
If Altnet exists then right click on it and choose Delete from the menu.
If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritible permissions and press copy. Click on everyone and put a checkmark in full control, press apply and ok and attempt to delete the key again.
hi..
sorry for the late reply, i've been having problem with my network connection lately. anyway, how can i restore the backup registry made by ERUNT from before? i think i did something wrong, because everytime i click on the Altnet folder, it displays this error message "Cannot Open Altnet: Error while opening key." and when i click again on Permissions, it just says "You do not have permission to view the current permission settings for Altnet, but you can make permission changes."
because i couldn't find this..
Uncheck Allow inheritible permissions and press copy.
i clicked on the advanced settings found below when i clicked on Permissions, and unchecked "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." after which, the previously errors I mentioned first then begun.
btw, off topic.. what does "Generic Host Process for Win32 Services" usually mean? that was the error message i mentioned before before with the whole desktop and taskbar changing into classic view or something.
thanks!
This is the reason why you should always ask if you aren't sure of something.
Where did you save the registry you backuped with ERUNT earlier? You have to navigate into that location and run ERDNT.exe file there to restore backuped registry.
Can't say for sure what was that error you meantioned related to.
:sad:
i know.. i know..
i was really havin problem with the net connection so i decided to just do it..
momentary lapse of judgement..
i'm really sorry..
anyway, should i run MBAM and Registry Search tool for the word Altnet again?
Hi
You may run those again.
i'm really sorry again..
here they are..
mbam log..
--------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 2
10:14:04 AM 7/14/2008
mbam-log-7-14-2008 (10-14-04).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 122885
Time elapsed: 21 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------
registry search for altnet
--------------------------------------------------------------------------
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "altnet" 7/14/2008 10:14:58 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"="TOCLEAN"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File2"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"
--------------------------------------------------------------------------
i don't know if it's important, but this folder wasn't there anymore...
[-HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
when as far as i can remember, i backed up my registry before running the fix for this one... or not... anyway, just a thought...
sorry again... thanks!
Hi
No need to worry about these:
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File2"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"
I've attached registry fix (extract from zip to your desktop) that I want you to run in safe mode (http://www.computerhope.com/issues/chsafe.htm#02). After done so, reboot into normal mode and do a registry search with altnet.
Attention: Following registry fix is meant to be use only in this case. Using it on some other case may cause system malfunction!
hmm... still there...
--------------------------------------------------------------------------
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "altnet" 7/15/2008 8:32:15 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet\\Dashboard"
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log, along with a new HijackThis log in your next reply.
here they are... =) the Altnet folder's not there anymore... =)
but, if you don't mind, what's this one exactly? =)
THANKS! :D:
[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet\\Dashboard"
--------------------------------------------------------------------------
avenger
--------------------------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Altnet" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
--------------------------------------------------------------------------
HiJackThis log
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:06 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 4461 bytes
--------------------------------------------------------------------------
Hi
That registry value just shows what has been last viewed with regedit. That's not harmful :)
Now it's time to get rid of tools we used.
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
hi..
just have a few questions about the hosts file.. =)
-why is the "disabled" option for the DNS client recommended and not "manual"?
-and-
-do i need a hosts file manager like HostsMan or HostsXpert?
anyway, is it done? PCs clean now? =) =)
-why is the "disabled" option for the DNS client recommended and not "manual"?
"change the setting from automatic to manual" <- I don't think I meantioned disabled there ;)
-do i need a hosts file manager like HostsMan or HostsXpert?
Not necessarily. Mvps hosts file is enough (remember to update it occasionally though). :)
anyway, is it done? PCs clean now? =) =)
Yep. I think we're ready.
:laugh:
i meant from the page that i got the hosts file. it mentioned there that "disabled" option is recommended. of course i followed your instructions, but, was just wondering what's the diff. :D: :D:
anyway, please bear with me. just a few more questions and i'll be done. :D:
i can't seem to find the exact instructions on the FAQs of the page for the hosts file, so..
-how do i actually update it?
-if for one reason or another, i have/want to remove/disable the hosts file for a while. how do i do it?
-how do i "add" an address that i usually go to, to the list? it might not actually be recommendable, but just if i wanted to... :D:
-and last but not least, uhm.. which of the two would you be inclined to use more as firewall, COMODO or ZoneAlarm? in terms of user friendliness.. for the "technologically challenged" individual.. :D: :D: :laugh:
Hi
-how do i actually update it?
You have to visit the hosts site again for an update.
-if for one reason or another, i have/want to remove/disable the hosts file for a while. how do i do it?
You can get HostsXpert (http://www.funkytoad.com/content/view/13/31/) and use its 'Restore MS Hosts' feature to restore the hosts file to Microsoft's original hosts file that blocks nothing.
-how do i "add" an address that i usually go to, to the list? it might not actually be recommendable, but just if i wanted to...
That can be done with HostsXpert too. :) It can be done manually by inserting new line with following format into c:\windows\system32\drivers\etc\HOSTS file:
127.0.0.1 badSiteDomain
-and last but not least, uhm.. which of the two would you be inclined to use more as firewall, COMODO or ZoneAlarm? in terms of user friendliness.. for the "technologically challenged" individual..
I think both would do. I'd probably choose COMODO. Remember though to not install SafeSurf toolbar.
at last!!! :eek:
:yahoo: :beerbeerb:
you're the best! :bigthumb: :2thumb: :bow:
i don't know what else to say except for what has already been said.. :D:
[to avoid repetition of cheesiness, still can't believe i said it, but.. please refer to post 20 of this thread in page 2] :laugh:
seriously though, thanks for everything man! you've been a very big help!
i guess you can archive this now. :D:
take it easy! keep up the good work.. 'till next time? :D:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.