Help with Virtumonde



Necroelf
2008-07-22, 20:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:34 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MagicTune Premium\MagicTune.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: search toolbar - {7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6} - C:\WINDOWS\system32\TOOLBA~1.DLL
O2 - BHO: (no name) - {CD78DBE5-2524-4F4C-AAFC-D312D72A101B} - (no file)
O2 - BHO: (no name) - {D5F874E2-AF0F-44B3-A356-B376D4A0C35E} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F5236F99-41BF-4EF8-A5BA-DEF787D6C09D} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215148747716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215674241734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1215755202361&h=fea41df657e265d1605cbfb04471f727/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15102/CTPID.cab
O20 - Winlogon Notify: opnkhheE - opnkhheE.dll (file missing)
O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11955 bytes

pskelley
2008-07-24, 13:57
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

I see the old Vundo leftovers and more may be hidden, but I also see this:
C:\WINDOWS\SYSTEM32\winpdc32.dll <<< according to http://www.greatis.com/appdata/d/w/winpdc32.dll_Removal.htm
That may be a backdoor trojan so you may want to read this information to be safe:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
You can scan that file if you wish: http://virusscan.jotti.org/

If you prefer to reformat, just let me know.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
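The helper's read of the HijackThis log above (orphaned BHOs left behind by Vundo, and a Winlogon Notify DLL that does not belong to a stock XP install) can be reproduced mechanically. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix or any Safer Networking tool. It parses O2 and O20 lines, flags entries whose backing file is gone, and flags Winlogon Notify packages that are not in a small allowlist of the names a default Windows XP install registers (that allowlist is an assumption for the example and should be tuned to the machine's own baseline). The sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages registered by a default Windows XP install.
# Assumed allowlist for this example; adjust it to the baseline of the machine being triaged.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# HijackThis line formats for Browser Helper Objects (O2) and Winlogon Notify (O20).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    item: str    # HijackThis item type, "O2" or "O20"
    name: str    # CLSID of the BHO, or the Winlogon Notify subkey name
    reason: str  # why a helper would want to look at this entry


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None if the line looks benign."""
    m = O2_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            return Finding("O2", m.group("clsid"),
                           "BHO registered with no backing file (orphaned entry, "
                           "typical leftover of a removed Vundo component)")
        return None

    m = O20_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if "(file missing)" in path:
            return Finding("O20", name, "Winlogon Notify package whose DLL is missing")
        if name not in DEFAULT_NOTIFY:
            return Finding("O20", name,
                           "non-default Winlogon Notify DLL; it is loaded into "
                           "winlogon.exe at boot, so verify the file before trusting it")
    return None


def triage(log_text: str):
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f is not None:
            findings.append(f)
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: search toolbar - {7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6} - C:\\WINDOWS\\system32\\TOOLBA~1.DLL
O2 - BHO: (no name) - {CD78DBE5-2524-4F4C-AAFC-D312D72A101B} - (no file)
O2 - BHO: (no name) - {D5F874E2-AF0F-44B3-A356-B376D4A0C35E} - (no file)
O2 - BHO: (no name) - {F5236F99-41BF-4EF8-A5BA-DEF787D6C09D} - (no file)
O20 - Winlogon Notify: opnkhheE - opnkhheE.dll (file missing)
O20 - Winlogon Notify: winpdc32 - C:\\WINDOWS\\SYSTEM32\\winpdc32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item:<4} {f.name:<40} {f.reason}")
```

Run against the sample, the script reports the three orphaned BHOs, the missing opnkhheE.dll notify package, and winpdc32.dll as a non-default Winlogon Notify DLL, which is the same set of entries the helper singled out. A flagged entry is a prompt to check the file (hash it, scan it, look at its signer), not a verdict.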

Necroelf
2008-07-24, 22:17
Not sure if you wanted me to say anything besides posting those two things, but I have also noticed that I have ctfmon; not sure if that is really bad or not though. I hope you can get me working like new. Thanks again for this fast help and all.

ComboFix 08-07-23.5 - Necro 2008-07-24 15:09:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1453 [GMT -5:00]
Running from: C:\Documents and Settings\Necro\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM571c9964.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\fgakesdl.ini
C:\WINDOWS\system32\gNnWGfii.ini
C:\WINDOWS\system32\gNnWGfii.ini2
C:\WINDOWS\system32\ifbpuryy.ini
C:\WINDOWS\system32\knbchmxt.ini
C:\WINDOWS\system32\kQsYFfhk.ini
C:\WINDOWS\system32\kQsYFfhk.ini2
C:\WINDOWS\system32\kubgocxm.ini
C:\WINDOWS\system32\LmVyIRqr.ini
C:\WINDOWS\system32\LmVyIRqr.ini2
C:\WINDOWS\system32\loUFLkkj.ini
C:\WINDOWS\system32\loUFLkkj.ini2
C:\WINDOWS\system32\nyeywabp.ini
C:\WINDOWS\system32\odybrvkn.ini
C:\WINDOWS\system32\OoUDNqru.ini
C:\WINDOWS\system32\OoUDNqru.ini2
C:\WINDOWS\system32\pVDNoXbc.ini
C:\WINDOWS\system32\pVDNoXbc.ini2
C:\WINDOWS\system32\qocuwcax.ini
C:\WINDOWS\system32\qqfagnib.ini
C:\WINDOWS\system32\rtcbmccb.ini
C:\WINDOWS\system32\tcvyieuv.ini
C:\WINDOWS\system32\usbmuerx.ini
C:\WINDOWS\system32\UvvCKRqr.ini
C:\WINDOWS\system32\UvvCKRqr.ini2
C:\WINDOWS\system32\winhld32.dll

----- BITS: Possible infected sites -----

http://dl1.impulsedriven.com
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-23 18:57 . 2008-07-23 18:57 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-07-23 18:44 . 2008-07-23 18:58 <DIR> d-------- C:\Program Files\Mass Effect
2008-07-22 12:44 . 2008-07-22 12:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-22 12:41 . 2008-07-22 12:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 01:30 . 2008-07-22 01:30 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Sierra Entertainment
2008-07-22 00:44 . 2008-07-22 20:43 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\SPORE Creature Creator
2008-07-22 00:28 . 2008-07-22 22:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-07-22 00:28 . 2008-07-22 22:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-21 16:58 . 2008-07-21 16:58 32,256 --a------ C:\WINDOWS\system32\winpdc32.dll
2008-07-21 16:56 . 2008-07-21 16:56 17,920 --a------ C:\WINDOWS\system32\toolbarsch.dll
2008-07-20 20:50 . 2008-07-20 20:50 <DIR> d-------- C:\Program Files\Her Interactive
2008-07-19 12:48 . 2008-07-19 12:48 <DIR> d-------- C:\Program Files\THQ
2008-07-19 12:47 . 2008-07-19 12:47 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\InstallShield
2008-07-19 04:17 . 2008-07-19 04:17 <DIR> d--hs---- C:\Diskeeper
2008-07-19 03:05 . 2008-07-19 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-07-19 03:03 . 2008-07-19 03:04 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-07-19 02:31 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-07-19 02:31 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-07-18 20:01 . 2008-07-18 20:01 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-18 20:00 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-07-18 20:00 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-18 20:00 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-07-18 20:00 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-07-18 20:00 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-07-18 20:00 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-07-18 20:00 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-18 20:00 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-07-18 20:00 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-07-18 14:11 . 2008-07-18 14:11 <DIR> d-------- C:\WINDOWS\Spirit Of Wandering The Legend
2008-07-18 14:11 . 2008-07-19 00:47 <DIR> d-------- C:\Program Files\Spirit Of Wandering The Legend
2008-07-18 02:28 . 2008-07-18 02:28 <DIR> d-------- C:\Program Files\Indie Games
2008-07-18 02:22 . 2008-07-18 02:22 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Stardock
2008-07-18 02:16 . 2008-03-12 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Stardock
2008-07-18 02:15 . 2008-07-18 02:15 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2008-07-18 01:39 . 2008-07-19 03:58 <DIR> d-------- C:\Program Files\Anno 1701
2008-07-17 21:53 . 2008-07-19 23:52 <DIR> d-------- C:\Program Files\Strategy First
2008-07-17 18:47 . 2008-07-22 22:47 <DIR> d-------- C:\Program Files\Ubisoft
2008-07-16 21:46 . 2008-07-16 21:46 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Imperium Romanum
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\ProtectDisc Driver Installer
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\Kalypso
2008-07-16 19:42 . 2008-07-16 19:42 <DIR> d-------- C:\MSXML3msms
2008-07-16 19:34 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-16 19:34 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-16 19:34 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-16 18:49 . 2008-07-19 00:07 <DIR> d-------- C:\Program Files\Jade Empire
2008-07-16 18:34 . 2008-07-16 18:34 <DIR> d-------- C:\RootkitNO
2008-07-16 18:02 . 2008-07-16 18:02 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-07-16 17:49 . 2008-07-16 17:49 <DIR> d-------- C:\Program Files\Codemasters
2008-07-16 15:08 . 2008-07-16 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Frozen Codebase LLC
2008-07-16 15:06 . 2008-07-16 15:06 <DIR> d-------- C:\Program Files\Elements of Destruction
2008-07-16 14:40 . 2008-07-16 14:40 0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-16 03:00 . 2008-07-16 03:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Playrix Entertainment
2008-07-16 02:58 . 2008-07-16 02:58 <DIR> d-------- C:\WINDOWS\Fishdom
2008-07-16 02:58 . 2008-07-16 02:59 <DIR> d-------- C:\Program Files\Fishdom
2008-07-16 00:05 . 2008-07-16 00:05 <DIR> d-------- C:\WINDOWS\Etch-a-Sketch - Knobbys Quest
2008-07-16 00:00 . 2008-07-16 00:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Pi Eye Games
2008-07-15 23:58 . 2008-07-22 01:00 <DIR> d-------- C:\Program Files\Alex Gordon
2008-07-15 23:51 . 2008-07-15 23:51 17,408 --a------ C:\psapi.dll
2008-07-15 23:35 . 2008-07-15 23:35 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-14 23:59 . 2008-07-14 23:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-14 20:44 . 2008-07-14 20:44 <DIR> d-------- C:\Program Files\PlayLogic
2008-07-13 13:44 . 2008-07-13 13:44 0 --a------ C:\WINDOWS\PhantomofVenice.INI
2008-07-13 13:33 . 2008-07-13 13:33 <DIR> d-------- C:\Documents and Settings\Necro\WINDOWS
2008-07-13 13:07 . 2008-07-13 19:55 <DIR> d-------- C:\Nancy Drew
2008-07-12 23:31 . 2008-07-12 23:31 0 --a------ C:\WINDOWS\game.INI
2008-07-12 21:33 . 2008-07-21 13:43 <DIR> d-------- C:\Program Files\Nancy Drew
2008-07-12 15:00 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-07-12 14:56 . 2008-07-12 14:56 <DIR> d-------- C:\Program Files\Eidos
2008-07-11 18:18 . 2005-07-18 11:23 811,008 --a------ C:\WINDOWS\FeedingFrenzy.scr
2008-07-11 18:12 . 2008-07-16 01:58 208 --a------ C:\WINDOWS\popcinfo.dat
2008-07-11 18:11 . 2008-07-11 18:11 <DIR> d-------- C:\WINDOWS\Mythic Marbles
2008-07-11 17:00 . 2008-07-11 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-07-11 16:40 . 2008-07-11 16:40 <DIR> d-------- C:\WINDOWS\Penguins` Journey
2008-07-11 16:40 . 2008-07-15 18:44 <DIR> d-------- C:\Program Files\Penguins` Journey
2008-07-11 15:40 . 2008-07-12 16:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-11 02:19 . 2008-07-11 02:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 01:30 . 2008-07-11 01:30 <DIR> d-------- C:\Program Files\UHS
2008-07-11 01:30 . 2008-07-11 01:31 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\UHS Reader
2008-07-11 00:56 . 2008-07-11 00:56 <DIR> d-------- C:\WINDOWS\Sun
2008-07-11 00:56 . 2008-07-11 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 00:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-11 00:55 . 2008-07-11 00:56 <DIR> d-------- C:\Program Files\Java
2008-07-11 00:53 . 2008-07-11 00:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-11 00:45 . 2008-07-11 01:08 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-11 00:45 . 2008-07-11 01:08 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-11 00:45 . 2008-07-11 01:08 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-11 00:45 . 2008-07-11 01:08 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-11 00:29 . 2008-07-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\ATT
2008-07-10 05:11 . 2008-07-10 05:12 <DIR> d-------- C:\Program Files\10 Days Under The Sea
2008-07-10 03:24 . 2008-07-10 03:24 <DIR> dr-h----- C:\Documents and Settings\Necro\Application Data\SecuROM
2008-07-10 02:36 . 2008-07-10 02:39 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\DivX
2008-07-10 02:30 . 2008-07-10 02:31 <DIR> d-------- C:\Program Files\DivX
2008-07-09 22:54 . 2008-07-09 22:54 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\CyberLink
2008-07-09 22:52 . 2008-07-11 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-09 22:50 . 2008-07-11 21:51 <DIR> d-------- C:\Program Files\CyberLink
2008-07-09 22:08 . 2008-07-09 22:08 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-09 22:08 . 2008-07-09 22:08 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-09 21:58 . 2008-07-09 22:08 <DIR> d-------- C:\Program Files\The Witcher
2008-07-09 21:49 . 2008-07-09 21:49 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\WildTangent
2008-07-09 21:48 . 2008-07-16 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-07-09 20:44 . 2008-07-09 20:44 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Vso
2008-07-09 20:43 . 2008-07-09 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-09 02:47 . 2008-07-09 02:47 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-08 18:28 . 2008-07-08 18:28 <DIR> d-------- C:\Program Files\Chocolatier 2 - Secret Ingredients
2008-07-08 16:35 . 2008-07-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-07-08 16:34 . 2008-07-08 16:34 <DIR> d-------- C:\Program Files\DragonStone
2008-07-08 11:15 . 2008-07-15 04:00 2,467 --a------ C:\WINDOWS\wininit.ini
2008-07-08 04:59 . 2008-07-15 02:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-08 04:59 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-08 04:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-07-08 04:58 . 2008-07-11 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 04:57 . 2008-07-18 02:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-08 04:57 . 2008-07-11 00:57 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Lavasoft
2008-07-07 23:08 . 2008-07-07 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-07-07 12:34 . 2008-07-15 23:08 110,419 --a------ C:\WINDOWS\BM571c9964.xml
2008-07-07 05:41 . 2008-07-11 21:25 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\PlayFirst
2008-07-07 05:41 . 2008-07-11 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-07 05:36 . 2008-07-07 05:36 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\SulusGames
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\WINDOWS\Jewelleria
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\Program Files\Jewelleria
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\Program Files\Ancient Quest of Saqqarah

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-07-17 00:23 --------- d-----w C:\Program Files\WildGames
2008-07-16 04:58 --------- d-----w C:\Program Files\PopCap Games
2008-07-05 01:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-04 20:58 --------- d-----w C:\Program Files\Sierra
2008-07-04 20:58 --------- d-----w C:\Program Files\NCSoft
2008-07-04 20:56 --------- d-----w C:\Program Files\Space Rangers 2
2008-07-04 20:54 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-07-04 20:53 --------- d-----w C:\Program Files\Enlight
2008-07-04 20:50 --------- d-----w C:\Program Files\Eidos Interactive
2008-07-04 20:48 --------- d-----w C:\Program Files\Double Fine Productions
2008-07-04 20:46 --------- d-----w C:\Program Files\Electronic Arts
2008-07-04 20:22 --------- d-----w C:\Program Files\WildTangent
2008-07-04 20:21 --------- d-----w C:\Program Files\Western Digital
2008-07-04 20:21 --------- d-----w C:\Program Files\Vuze
2008-07-04 20:21 --------- d-----w C:\Program Files\Sony
2008-07-04 20:21 --------- d-----w C:\Program Files\Smart Mod Manager
2008-07-04 20:21 --------- d-----w C:\Program Files\Singles2
2008-07-04 20:13 --------- d-----w C:\Program Files\SEGA
2008-07-04 20:13 --------- d-----w C:\Program Files\Seagate
2008-07-04 20:13 --------- d-----w C:\Program Files\Reaxxion
2008-07-04 20:12 --------- d-----w C:\Program Files\Plus!
2008-07-04 20:12 --------- d-----w C:\Program Files\Playboy - The Mansion
2008-07-04 20:10 --------- d-----w C:\Program Files\OceanDive
2008-07-04 20:09 --------- d-----w C:\Program Files\Monte Cristo
2008-07-04 20:09 --------- d-----w C:\Program Files\ModTheSims2.com
2008-07-04 20:09 --------- d-----w C:\Program Files\Microsoft Plus!
2008-07-04 20:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-04 20:07 --------- d-----w C:\Program Files\Maxis
2008-07-04 20:07 --------- d-----w C:\Program Files\Freelancer Mod Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\dvdSanta
2008-07-04 20:06 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Shrink
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Decrypter
2008-07-04 20:06 --------- d-----w C:\Program Files\Download Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\Common Files\Seagate
2008-07-04 20:03 --------- d-----w C:\Program Files\CENEGA
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-11 00:07 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-03 03:46 6,108,160 ----a-w C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 15:56 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 07:45 133576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-22 01:05 15360]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57 1103480]
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56 278528]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 18:30 1687824]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-17 19:08 2094352]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 18:50 233472]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2008-07-04 20:23:37 36864]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-07-04 20:22:52 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
2008-07-21 16:58 32256 C:\WINDOWS\system32\winpdc32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins-WT.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsoleService.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole-wt.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\MergeLocalConfig.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:WILD TAN 1
"80:UDP"= 80:UDP:WILD 3
"443:UDP"= 443:UDP:WILD 2

R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 03:19]
S3 GameConsoleService;GameConsoleService;C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe [2008-05-05 17:25]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 18:58:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-23 20:06:34 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Necro.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-24 18:51:57 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{59CF8D60-F8D7-42F5-9808-CD4594816FD0} - (no file)
Notify-opnkhheE - opnkhheE.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://att.yahoo.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
C:\WINDOWS\Downloaded Program Files\SysReqLab3.osd
C:\WINDOWS\Downloaded Program Files\sysreqlab3.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 15:12:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winpdc32.dll
.
Completion time: 2008-07-24 15:13:16
ComboFix-quarantined-files.txt 2008-07-24 20:13:12

Pre-Run: 376,030,572,544 bytes free
Post-Run: 376,075,612,160 bytes free

354 --- E O F --- 2008-07-24 18:53:17

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:34 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215148747716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215674241734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1215755202361&h=fea41df657e265d1605cbfb04471f727/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15102/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C554A4-7F52-4EEF-9F49-99965AE1F78E}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11720 bytes

pskelley
2008-07-24, 22:47
Thanks for returning your information. I have not seen hackers using C:\WINDOWS\system32\ctfmon.exe in a long while; this is what it is:
http://support.microsoft.com/kb/282599
I personally don't use it so I turn it off in MSConfig.
If you are ever in doubt about a file, use one of these scans to find out what it is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

We still have some work to do, follow the directions carefully and in the numbered order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

(careful with these instructions)

4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\SYSTEM32\winpdc32.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, the MBAM log and a new HJT log in your next reply.

Tell me how the computer is running now.

Thanks...Phil
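The check behind step 4 above is a correlation the helper does by eye: the O20 Winlogon Notify entry points at a DLL that ComboFix shows was created in system32 only days before the scan and that is loaded into winlogon.exe. The following Python script is an added example, not code from this thread nor from the HijackThis or ComboFix authors; it parses HijackThis O2/O4/O20 lines and a ComboFix "Files Created" block and flags autostart entries whose file is newer than a chosen window (the seven-day window is an assumption). The sample log lines are constructed after the formats posted above.

```python
"""Cross-check HijackThis autostart entries against ComboFix file-creation dates.

Added example; not code from this thread nor from the HijackThis or ComboFix
authors. It automates the check the helper makes by eye: an autostart entry
whose file appeared on disk only days before the scan, in particular a Winlogon
Notify DLL (which winlogon.exe loads), deserves a closer look.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the HijackThis log format posted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll
"""

# Constructed 'Files Created' block in ComboFix's layout: created . modified size attrs path
COMBOFIX_CREATED = r"""
2008-07-21 16:58 . 2008-07-21 16:58 32,256 --a------ C:\WINDOWS\system32\winpdc32.dll
2008-07-11 00:45 . 2008-07-11 01:08 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-22 12:41 . 2008-07-22 12:41 <DIR> d-------- C:\Program Files\Trend Micro
"""

# Scan time taken from the ComboFix header posted in the thread (2008-07-24 16:03)
SCAN_TIME = datetime(2008, 7, 24, 16, 3)

# One regex per HijackThis section of interest; each yields a name and the remainder of the line
HJT_PATTERNS = [
    ("O4", re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")),
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.+)$")),
]
# First absolute path ending in .exe/.dll in the remainder; quotes and arguments are ignored
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

# ComboFix 'Files Created' line: <created> . <modified> <size|<DIR>> <attrs> <path>
COMBOFIX_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)


def parse_hjt(text):
    """Return [(section, name, lower-cased path)] for every recognised autostart line."""
    entries = []
    for line in text.splitlines():
        for section, pattern in HJT_PATTERNS:
            m = pattern.match(line.strip())
            if not m:
                continue
            p = PATH_RE.search(m.group("rest"))
            if p:
                entries.append((section, m.group("name"), p.group(0).lower()))
            break
    return entries


def parse_combofix_created(text):
    """Map lower-cased file path -> creation datetime; directories are skipped."""
    created = {}
    for line in text.splitlines():
        m = COMBOFIX_RE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            created[m.group("path").strip().lower()] = datetime.strptime(
                m.group("created"), "%Y-%m-%d %H:%M")
    return created


def find_suspicious_autostarts(hjt_text, combofix_text, scan_time, window=timedelta(days=7)):
    """Return [(section, name, path, reasons)] for autostart entries worth a closer look."""
    created = parse_combofix_created(combofix_text)
    findings = []
    for section, name, path in parse_hjt(hjt_text):
        reasons = []
        when = created.get(path)
        if when is not None and scan_time - when <= window:
            age = (scan_time - when).days
            reasons.append("file created %s, %d day(s) before scan" % (when.date(), age))
        if section == "O20":
            reasons.append("Winlogon Notify DLL is loaded into winlogon.exe")
        if reasons:
            findings.append((section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for section, name, path, reasons in find_suspicious_autostarts(HJT_LOG, COMBOFIX_CREATED, SCAN_TIME):
        print("%s [%s] %s" % (section, name, path))
        for reason in reasons:
            print("    - " + reason)
```

Paths are compared case-insensitively because HijackThis prints SYSTEM32 where ComboFix prints system32, as the two logs in this thread show. Run against the real logs, the script reports the winpdc32 entry with both reasons and stays silent on the Symantec, Java and NVIDIA entries.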

Necroelf
2008-07-25, 00:37
First, THANK YOU :) I had only one problem while doing those steps: while on the "Do a system scan only" step with HijackThis I didn't see the line
O20 - winlogon notify: winpdc32 - C:\windows\system32\winpdc.dll
so I could not check that for deletion. Maybe ComboFix fixed that on its step?
But as far as my PC working goes, when I go to open files now I don't get the message that I was infected and the internet browser opening up. That's a great plus, thank you :) So I will wait for your reply to see if anything else needs to be done or not.

ComboFix 08-07-23.5 - Necro 2008-07-24 16:03:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1378 [GMT -5:00]
Running from: C:\Documents and Settings\Necro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Necro\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\winpdc32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM571c9964.xml
C:\WINDOWS\SYSTEM32\winpdc32.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-23 18:57 . 2008-07-23 18:57 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-07-23 18:44 . 2008-07-23 18:58 <DIR> d-------- C:\Program Files\Mass Effect
2008-07-22 12:44 . 2008-07-22 12:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-22 12:41 . 2008-07-22 12:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 01:30 . 2008-07-22 01:30 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Sierra Entertainment
2008-07-22 00:44 . 2008-07-22 20:43 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\SPORE Creature Creator
2008-07-22 00:28 . 2008-07-22 22:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-07-22 00:28 . 2008-07-22 22:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-21 16:56 . 2008-07-21 16:56 17,920 --a------ C:\WINDOWS\system32\toolbarsch.dll
2008-07-20 20:50 . 2008-07-20 20:50 <DIR> d-------- C:\Program Files\Her Interactive
2008-07-19 12:48 . 2008-07-19 12:48 <DIR> d-------- C:\Program Files\THQ
2008-07-19 12:47 . 2008-07-19 12:47 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\InstallShield
2008-07-19 04:17 . 2008-07-19 04:17 <DIR> d--hs---- C:\Diskeeper
2008-07-19 03:05 . 2008-07-19 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-07-19 03:03 . 2008-07-19 03:04 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-07-19 02:31 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-07-19 02:31 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-07-18 20:01 . 2008-07-18 20:01 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-18 20:00 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-07-18 20:00 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-18 20:00 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-07-18 20:00 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-07-18 20:00 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-07-18 20:00 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-07-18 20:00 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-18 20:00 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-07-18 20:00 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-07-18 14:11 . 2008-07-18 14:11 <DIR> d-------- C:\WINDOWS\Spirit Of Wandering The Legend
2008-07-18 14:11 . 2008-07-19 00:47 <DIR> d-------- C:\Program Files\Spirit Of Wandering The Legend
2008-07-18 02:28 . 2008-07-18 02:28 <DIR> d-------- C:\Program Files\Indie Games
2008-07-18 02:22 . 2008-07-18 02:22 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Stardock
2008-07-18 02:16 . 2008-03-12 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Stardock
2008-07-18 02:15 . 2008-07-18 02:15 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2008-07-18 01:39 . 2008-07-19 03:58 <DIR> d-------- C:\Program Files\Anno 1701
2008-07-17 21:53 . 2008-07-19 23:52 <DIR> d-------- C:\Program Files\Strategy First
2008-07-17 18:47 . 2008-07-22 22:47 <DIR> d-------- C:\Program Files\Ubisoft
2008-07-16 21:46 . 2008-07-16 21:46 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Imperium Romanum
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\ProtectDisc Driver Installer
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\Kalypso
2008-07-16 19:42 . 2008-07-16 19:42 <DIR> d-------- C:\MSXML3msms
2008-07-16 19:34 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-16 19:34 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-16 19:34 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-16 18:49 . 2008-07-19 00:07 <DIR> d-------- C:\Program Files\Jade Empire
2008-07-16 18:34 . 2008-07-16 18:34 <DIR> d-------- C:\RootkitNO
2008-07-16 18:02 . 2008-07-16 18:02 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-07-16 17:49 . 2008-07-16 17:49 <DIR> d-------- C:\Program Files\Codemasters
2008-07-16 15:08 . 2008-07-16 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Frozen Codebase LLC
2008-07-16 15:06 . 2008-07-16 15:06 <DIR> d-------- C:\Program Files\Elements of Destruction
2008-07-16 14:40 . 2008-07-16 14:40 0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-16 03:00 . 2008-07-16 03:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Playrix Entertainment
2008-07-16 02:58 . 2008-07-16 02:58 <DIR> d-------- C:\WINDOWS\Fishdom
2008-07-16 02:58 . 2008-07-16 02:59 <DIR> d-------- C:\Program Files\Fishdom
2008-07-16 00:05 . 2008-07-16 00:05 <DIR> d-------- C:\WINDOWS\Etch-a-Sketch - Knobbys Quest
2008-07-16 00:00 . 2008-07-16 00:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Pi Eye Games
2008-07-15 23:58 . 2008-07-22 01:00 <DIR> d-------- C:\Program Files\Alex Gordon
2008-07-15 23:51 . 2008-07-15 23:51 17,408 --a------ C:\psapi.dll
2008-07-15 23:35 . 2008-07-15 23:35 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-14 23:59 . 2008-07-14 23:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-14 20:44 . 2008-07-14 20:44 <DIR> d-------- C:\Program Files\PlayLogic
2008-07-13 13:44 . 2008-07-13 13:44 0 --a------ C:\WINDOWS\PhantomofVenice.INI
2008-07-13 13:33 . 2008-07-13 13:33 <DIR> d-------- C:\Documents and Settings\Necro\WINDOWS
2008-07-13 13:07 . 2008-07-13 19:55 <DIR> d-------- C:\Nancy Drew
2008-07-12 23:31 . 2008-07-12 23:31 0 --a------ C:\WINDOWS\game.INI
2008-07-12 21:33 . 2008-07-21 13:43 <DIR> d-------- C:\Program Files\Nancy Drew
2008-07-12 15:00 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-07-12 14:56 . 2008-07-12 14:56 <DIR> d-------- C:\Program Files\Eidos
2008-07-11 18:18 . 2005-07-18 11:23 811,008 --a------ C:\WINDOWS\FeedingFrenzy.scr
2008-07-11 18:12 . 2008-07-16 01:58 208 --a------ C:\WINDOWS\popcinfo.dat
2008-07-11 18:11 . 2008-07-11 18:11 <DIR> d-------- C:\WINDOWS\Mythic Marbles
2008-07-11 17:00 . 2008-07-11 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-07-11 16:40 . 2008-07-11 16:40 <DIR> d-------- C:\WINDOWS\Penguins` Journey
2008-07-11 16:40 . 2008-07-15 18:44 <DIR> d-------- C:\Program Files\Penguins` Journey
2008-07-11 15:40 . 2008-07-12 16:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-11 02:19 . 2008-07-11 02:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 01:30 . 2008-07-11 01:30 <DIR> d-------- C:\Program Files\UHS
2008-07-11 01:30 . 2008-07-11 01:31 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\UHS Reader
2008-07-11 00:56 . 2008-07-11 00:56 <DIR> d-------- C:\WINDOWS\Sun
2008-07-11 00:56 . 2008-07-11 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 00:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-11 00:55 . 2008-07-11 00:56 <DIR> d-------- C:\Program Files\Java
2008-07-11 00:53 . 2008-07-11 00:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-11 00:45 . 2008-07-11 01:08 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-11 00:45 . 2008-07-11 01:08 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-11 00:45 . 2008-07-11 01:08 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-11 00:45 . 2008-07-11 01:08 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-11 00:29 . 2008-07-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\ATT
2008-07-10 05:11 . 2008-07-10 05:12 <DIR> d-------- C:\Program Files\10 Days Under The Sea
2008-07-10 03:24 . 2008-07-10 03:24 <DIR> dr-h----- C:\Documents and Settings\Necro\Application Data\SecuROM
2008-07-10 02:36 . 2008-07-10 02:39 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\DivX
2008-07-10 02:30 . 2008-07-10 02:31 <DIR> d-------- C:\Program Files\DivX
2008-07-09 22:54 . 2008-07-09 22:54 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\CyberLink
2008-07-09 22:52 . 2008-07-11 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-09 22:50 . 2008-07-11 21:51 <DIR> d-------- C:\Program Files\CyberLink
2008-07-09 22:08 . 2008-07-09 22:08 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-09 22:08 . 2008-07-09 22:08 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-09 21:58 . 2008-07-09 22:08 <DIR> d-------- C:\Program Files\The Witcher
2008-07-09 21:49 . 2008-07-09 21:49 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\WildTangent
2008-07-09 21:48 . 2008-07-16 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-07-09 20:44 . 2008-07-09 20:44 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Vso
2008-07-09 20:43 . 2008-07-09 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-09 02:47 . 2008-07-09 02:47 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-08 18:28 . 2008-07-08 18:28 <DIR> d-------- C:\Program Files\Chocolatier 2 - Secret Ingredients
2008-07-08 16:35 . 2008-07-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-07-08 16:34 . 2008-07-08 16:34 <DIR> d-------- C:\Program Files\DragonStone
2008-07-08 11:15 . 2008-07-15 04:00 2,467 --a------ C:\WINDOWS\wininit.ini
2008-07-08 04:59 . 2008-07-15 02:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-08 04:59 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-08 04:59 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-07-08 04:58 . 2008-07-11 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 04:57 . 2008-07-18 02:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-08 04:57 . 2008-07-11 00:57 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Lavasoft
2008-07-07 23:08 . 2008-07-07 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-07-07 05:41 . 2008-07-11 21:25 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\PlayFirst
2008-07-07 05:41 . 2008-07-11 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-07 05:36 . 2008-07-07 05:36 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\SulusGames
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\WINDOWS\Jewelleria
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\Program Files\Jewelleria
2008-07-07 02:31 . 2008-07-07 02:31 <DIR> d-------- C:\Program Files\Ancient Quest of Saqqarah
2008-07-07 02:29 . 2008-07-07 02:31 <DIR> d-------- C:\WINDOWS\Ancient Quest of Saqqarah
2008-07-07 02:13 . 2008-07-07 02:19 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Ancient Quest of Saqqarah__bfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-07-17 00:23 --------- d-----w C:\Program Files\WildGames
2008-07-16 04:58 --------- d-----w C:\Program Files\PopCap Games
2008-07-05 01:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-04 20:58 --------- d-----w C:\Program Files\Sierra
2008-07-04 20:58 --------- d-----w C:\Program Files\NCSoft
2008-07-04 20:56 --------- d-----w C:\Program Files\Space Rangers 2
2008-07-04 20:54 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-07-04 20:53 --------- d-----w C:\Program Files\Enlight
2008-07-04 20:50 --------- d-----w C:\Program Files\Eidos Interactive
2008-07-04 20:48 --------- d-----w C:\Program Files\Double Fine Productions
2008-07-04 20:46 --------- d-----w C:\Program Files\Electronic Arts
2008-07-04 20:22 --------- d-----w C:\Program Files\WildTangent
2008-07-04 20:21 --------- d-----w C:\Program Files\Western Digital
2008-07-04 20:21 --------- d-----w C:\Program Files\Vuze
2008-07-04 20:21 --------- d-----w C:\Program Files\Sony
2008-07-04 20:21 --------- d-----w C:\Program Files\Smart Mod Manager
2008-07-04 20:21 --------- d-----w C:\Program Files\Singles2
2008-07-04 20:13 --------- d-----w C:\Program Files\SEGA
2008-07-04 20:13 --------- d-----w C:\Program Files\Seagate
2008-07-04 20:13 --------- d-----w C:\Program Files\Reaxxion
2008-07-04 20:12 --------- d-----w C:\Program Files\Plus!
2008-07-04 20:12 --------- d-----w C:\Program Files\Playboy - The Mansion
2008-07-04 20:10 --------- d-----w C:\Program Files\OceanDive
2008-07-04 20:09 --------- d-----w C:\Program Files\Monte Cristo
2008-07-04 20:09 --------- d-----w C:\Program Files\ModTheSims2.com
2008-07-04 20:09 --------- d-----w C:\Program Files\Microsoft Plus!
2008-07-04 20:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-04 20:07 --------- d-----w C:\Program Files\Maxis
2008-07-04 20:07 --------- d-----w C:\Program Files\Freelancer Mod Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\dvdSanta
2008-07-04 20:06 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Shrink
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Decrypter
2008-07-04 20:06 --------- d-----w C:\Program Files\Download Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\Common Files\Seagate
2008-07-04 20:03 --------- d-----w C:\Program Files\CENEGA
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-11 00:07 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-03 03:46 6,108,160 ----a-w C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-24_15.12.58.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-24 21:08:08 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_1ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 15:56 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 07:45 133576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-22 01:05 15360]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57 1103480]
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56 278528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 18:30 1687824]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-17 19:08 2094352]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 18:50 233472]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2008-07-04 20:23:37 36864]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-07-04 20:22:52 49220]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins-WT.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsoleService.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole-wt.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\MergeLocalConfig.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:WILD TAN 1
"80:UDP"= 80:UDP:WILD 3
"443:UDP"= 443:UDP:WILD 2

R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 03:19]
S3 GameConsoleService;GameConsoleService;C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe [2008-05-05 17:25]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 21:10:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-23 20:06:34 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Necro.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-24 18:51:57 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 16:11:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-07-24 16:15:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 21:15:17
ComboFix2.txt 2008-07-24 20:13:17

Pre-Run: 376,086,212,608 bytes free
Post-Run: 375,984,910,336 bytes free

333 --- E O F --- 2008-07-24 18:53:17

Malwarebytes' Anti-Malware 1.23
Database version: 988
Windows 5.1.2600 Service Pack 2

5:27:19 PM 7/24/2008
mbam-log-7-24-2008 (17-27-19).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 267050
Time elapsed: 58 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\WinRAR\Default.SFX (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\myclqukx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\toolbarsch.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:54 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215148747716
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215674241734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1215755202361&h=fea41df657e265d1605cbfb04471f727/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15102/CTPID.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11406 bytes
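
The logs above show the two things a responder looks for in a Vundo case: the random-named DLL in system32 that MBAM removed (myclqukx.dll) and the ComboFix "Reg Loading Points" dump showing Security Center monitoring and the Windows Firewall switched off. As an added example that is not part of this thread and is not code from HijackThis, ComboFix or Malwarebytes, here is a small Python triage pass over lines in those formats. The sample lines are constructed to mirror the posted formats; the all-zero GUID, the "tbsch" service name and the short allow-list are placeholders assumed for illustration, and the firewall and Security Center rules only flag entries for review, since security suites such as Norton set DisableMonitoring for themselves.

```python
"""Added example for this thread (not code from the thread, from HijackThis,
ComboFix or Malwarebytes): a small triage pass over the kinds of log lines
posted above. The heuristics are deliberately simple and the sample lines are
constructed to mirror the posted formats; the GUID and service name used for
the malicious entries are placeholders, not real identifiers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis item prefix, e.g. "O2 - BHO: ..." / "O4 - HKLM\..\Run: ..." / "O23 - Service: ..."
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in a PE/driver extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# Vundo-family drops of this era used random 8-letter names in system32 (myclqukx.dll above).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
# Tiny allow-list (assumed) of legitimate system32 binaries that appear in the posted logs.
KNOWN_SYSTEM32 = {"ctfmon.exe", "nvsvc32.exe", "ctsvccda.exe", "nvcpl.dll", "nwiz.exe"}


@dataclass
class Finding:
    line_no: int   # 1-based line within the log text
    reason: str
    detail: str


def suspicious_path(path: str) -> str | None:
    """Return why a loaded-module path looks suspicious, or None if it does not."""
    lowered = path.lower()
    if "\\system32\\" not in lowered:
        return None  # this heuristic only targets system32 drops
    name = lowered.rsplit("\\", 1)[-1]
    if name in KNOWN_SYSTEM32:
        return None
    stem, _, ext = name.rpartition(".")
    if ext == "dll" and RANDOM_NAME_RE.match(stem):
        return "8-letter random-looking DLL name in system32 (Vundo pattern)"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk HijackThis-style items and ComboFix registry dump lines, returning
    the entries a responder would want to look at first, in log order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        item = HJT_RE.match(line)
        if item:
            kind, rest = item.groups()
            for path in PATH_RE.findall(rest):
                reason = suspicious_path(path)
                if reason:
                    findings.append(Finding(line_no, reason, path))
                # Legitimate vendors normally leave a publisher; a service with
                # none that loads from system32 deserves a look.
                elif kind == "O23" and "Unknown owner" in rest and "\\system32\\" in path.lower():
                    findings.append(Finding(line_no, "service with no publisher running from system32", path))
            continue
        stripped = line.strip()
        # Security Center monitoring turned off: security suites set this
        # themselves, so treat it as "confirm who did it", not as malware.
        if stripped == '"DisableMonitoring"=dword:00000001':
            findings.append(Finding(line_no, "Security Center monitoring disabled", stripped))
        elif stripped.startswith('"EnableFirewall"=') and stripped.endswith("0 (0x0)"):
            findings.append(Finding(line_no, "Windows Firewall disabled for the standard profile", stripped))
    return findings


# Constructed sample (not copied logs) modelled on the formats posted above.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\myclqukx.dll",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r'O4 - HKLM\..\Run: [myclqukx] rundll32.exe "C:\WINDOWS\system32\myclqukx.dll",a',
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: (no name) (tbsch) - Unknown owner - C:\WINDOWS\system32\toolbarsch.dll",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2}: {f.reason}: {f.detail}")
```

Run against a saved HijackThis or ComboFix log, the script prints the lines worth checking first; the 8-letter rule will not catch every name (toolbarsch.dll from the MBAM log above is caught only by the missing-publisher rule), so treat it as a starting point for hand review, not a verdict.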

pskelley
2008-07-25, 01:17
Thanks for returning your information and the feedback. This is the next step:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove ComboFix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with ComboFix, click NO.

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

Necroelf
2008-07-25, 01:26
Yes, I would like to install that program. I do have my Windows CD, but it is an older version, before SP1 even. So just tell me if I can still use that or get it from somewhere. Also, I have been wondering if I should install SP3 when all is said and done here. I was told that SP3 has tons of bugs in it still and people have trouble connecting to the internet after they install that. But first things first, I know; let's get that recovery program. Again, thanks :)

pskelley
2008-07-25, 01:41
If you have a Windows XP Operating System CD, it should have Recovery Console on it. Make sure it is not a restore disk or other OEM junk. It must be a Windows XP OS CD.
If you have that, you can always boot to the Recovery Console right from the CD in an emergency.

I was told that SP3 has tons of bugs in it still and people have trouble connecting to the internet after they install that
I was almost through the installation and received an error and had to remove the SP, so I sent for a CD from Microsoft and will wait until it comes to try again.
http://support.microsoft.com/kb/322389/ <<< CD is $4. but with shipping it is a bit over $10.

If you are ready to move on, then remove ComboFix from your computer like this:
Click START, then RUN.
Now type or copy Combofix /u in the Run box and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Let's be sure no System Restore files are infected:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Instead of another scan, why don't you update and run Symantec and Windows Defender. If all is well at that point, here is information to help you keep it that way.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Necroelf
2008-07-25, 01:50
When I went to the System Restore tab I got this error:
Run a DLL as an app has encountered a problem and needs to close.
Oh, and for my Windows CD, it is just the upgrade for Windows XP, not the full one, so I cannot get that program from it. Thanks again :)

pskelley
2008-07-25, 02:04
Oh, and for my Windows CD, it is just the upgrade for Windows XP, not the full one, so I cannot get that program from it.
I posted instructions for installing it before ComboFix is removed?

look here for help with that error message:
http://www.google.com/search?hl=en&q=Run+a+DLL+as+an+app+has+encountered+a+problem+and+needs+to+close&btnG=Google+Search

Thanks

Necroelf
2008-07-25, 02:22
OK, I didn't totally understand it the first time I read it, but I will get that installed while talking to you. I have to do it the hard way since there is no floppy drive in my PC anymore, hehe. But I did uninstall the program you had said to; my bad for not getting System Restore in first. Hope it doesn't mess anything up with my PC or with you helping me.

Necroelf
2008-07-25, 03:43
Here is the log after I redownloaded ComboFix and installed the Recovery Console like you had suggested earlier. I know I should not be posting till you have posted, but I wanted us both on the same page. So now we can continue from where you left off, at the point where you were going to have me uninstall ComboFix, I believe?
Again, sorry about my mess-up :)

ComboFix 08-07-24.1 - Necro 2008-07-24 20:37:57.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1294 [GMT -5:00]
Running from: C:\Documents and Settings\Necro\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Necro\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 20:22 . 2008-07-24 20:22 <DIR> d-------- C:\WINDOWS\NV22684768.TMP
2008-07-24 19:25 . 2008-07-24 19:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-24 19:23 . 2008-07-24 19:23 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Windows Search
2008-07-24 19:21 . 2008-07-24 19:21 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-24 19:21 . 2008-07-24 19:21 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-24 19:21 . 2008-07-24 19:21 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Windows Desktop Search
2008-07-24 19:20 . 2008-07-24 20:22 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-24 19:20 . 2008-03-07 11:56 192,000 --------- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-07-24 19:20 . 2008-03-07 11:56 98,304 --------- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-07-24 19:19 . 2008-07-24 19:21 <DIR> d-------- C:\720cb47b1790897738be02
2008-07-24 16:21 . 2008-07-24 16:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 16:21 . 2008-07-24 16:21 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Malwarebytes
2008-07-24 16:21 . 2008-07-24 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 16:21 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 16:21 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-23 18:57 . 2008-07-23 18:57 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-07-23 18:44 . 2008-07-23 18:58 <DIR> d-------- C:\Program Files\Mass Effect
2008-07-22 12:44 . 2008-07-22 12:44 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-22 12:41 . 2008-07-22 12:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 01:30 . 2008-07-22 01:30 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Sierra Entertainment
2008-07-22 00:44 . 2008-07-22 20:43 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\SPORE Creature Creator
2008-07-22 00:28 . 2008-07-22 22:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-07-22 00:28 . 2008-07-22 22:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 00:28 . 2008-07-22 22:21 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-20 20:50 . 2008-07-20 20:50 <DIR> d-------- C:\Program Files\Her Interactive
2008-07-19 12:48 . 2008-07-19 12:48 <DIR> d-------- C:\Program Files\THQ
2008-07-19 12:47 . 2008-07-19 12:47 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\InstallShield
2008-07-19 04:17 . 2008-07-19 04:17 <DIR> d--hs---- C:\Diskeeper
2008-07-19 03:05 . 2008-07-19 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-07-19 03:03 . 2008-07-19 03:04 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-07-19 02:31 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-07-19 02:31 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-07-18 20:01 . 2008-07-18 20:01 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-18 20:00 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-07-18 20:00 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-07-18 20:00 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-07-18 20:00 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-07-18 20:00 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-07-18 20:00 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-07-18 20:00 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-18 20:00 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-07-18 20:00 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-07-18 14:11 . 2008-07-18 14:11 <DIR> d-------- C:\WINDOWS\Spirit Of Wandering The Legend
2008-07-18 14:11 . 2008-07-19 00:47 <DIR> d-------- C:\Program Files\Spirit Of Wandering The Legend
2008-07-18 02:28 . 2008-07-18 02:28 <DIR> d-------- C:\Program Files\Indie Games
2008-07-18 02:22 . 2008-07-18 02:22 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Stardock
2008-07-18 02:16 . 2008-03-12 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Stardock
2008-07-18 02:15 . 2008-07-18 02:15 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2008-07-18 01:39 . 2008-07-19 03:58 <DIR> d-------- C:\Program Files\Anno 1701
2008-07-17 21:53 . 2008-07-19 23:52 <DIR> d-------- C:\Program Files\Strategy First
2008-07-17 18:47 . 2008-07-22 22:47 <DIR> d-------- C:\Program Files\Ubisoft
2008-07-16 21:46 . 2008-07-16 21:46 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Imperium Romanum
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\ProtectDisc Driver Installer
2008-07-16 21:43 . 2008-07-16 21:43 <DIR> d-------- C:\Program Files\Kalypso
2008-07-16 19:42 . 2008-07-16 19:42 <DIR> d-------- C:\MSXML3msms
2008-07-16 19:34 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-16 19:34 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-16 19:34 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-16 18:49 . 2008-07-19 00:07 <DIR> d-------- C:\Program Files\Jade Empire
2008-07-16 18:34 . 2008-07-16 18:34 <DIR> d-------- C:\RootkitNO
2008-07-16 18:02 . 2008-07-16 18:02 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-07-16 17:49 . 2008-07-16 17:49 <DIR> d-------- C:\Program Files\Codemasters
2008-07-16 15:08 . 2008-07-16 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Frozen Codebase LLC
2008-07-16 15:06 . 2008-07-16 15:06 <DIR> d-------- C:\Program Files\Elements of Destruction
2008-07-16 14:40 . 2008-07-16 14:40 0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-16 03:00 . 2008-07-16 03:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Playrix Entertainment
2008-07-16 02:58 . 2008-07-16 02:58 <DIR> d-------- C:\WINDOWS\Fishdom
2008-07-16 02:58 . 2008-07-16 02:59 <DIR> d-------- C:\Program Files\Fishdom
2008-07-16 00:05 . 2008-07-16 00:05 <DIR> d-------- C:\WINDOWS\Etch-a-Sketch - Knobbys Quest
2008-07-16 00:00 . 2008-07-16 00:00 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Pi Eye Games
2008-07-15 23:58 . 2008-07-22 01:00 <DIR> d-------- C:\Program Files\Alex Gordon
2008-07-15 23:51 . 2008-07-15 23:51 17,408 --a------ C:\psapi.dll
2008-07-15 23:35 . 2008-07-15 23:35 0 --a------ C:\WINDOWS\popcreg.dat
2008-07-14 23:59 . 2008-07-14 23:59 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-14 20:44 . 2008-07-14 20:44 <DIR> d-------- C:\Program Files\PlayLogic
2008-07-13 13:44 . 2008-07-13 13:44 0 --a------ C:\WINDOWS\PhantomofVenice.INI
2008-07-13 13:33 . 2008-07-13 13:33 <DIR> d-------- C:\Documents and Settings\Necro\WINDOWS
2008-07-13 13:07 . 2008-07-13 19:55 <DIR> d-------- C:\Nancy Drew
2008-07-12 23:31 . 2008-07-12 23:31 0 --a------ C:\WINDOWS\game.INI
2008-07-12 21:33 . 2008-07-21 13:43 <DIR> d-------- C:\Program Files\Nancy Drew
2008-07-12 15:00 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-07-12 14:56 . 2008-07-12 14:56 <DIR> d-------- C:\Program Files\Eidos
2008-07-11 18:18 . 2005-07-18 11:23 811,008 --a------ C:\WINDOWS\FeedingFrenzy.scr
2008-07-11 18:12 . 2008-07-16 01:58 208 --a------ C:\WINDOWS\popcinfo.dat
2008-07-11 18:11 . 2008-07-11 18:11 <DIR> d-------- C:\WINDOWS\Mythic Marbles
2008-07-11 17:00 . 2008-07-11 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-07-11 16:40 . 2008-07-11 16:40 <DIR> d-------- C:\WINDOWS\Penguins` Journey
2008-07-11 16:40 . 2008-07-15 18:44 <DIR> d-------- C:\Program Files\Penguins` Journey
2008-07-11 15:40 . 2008-07-12 16:26 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-11 02:19 . 2008-07-11 02:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-11 01:30 . 2008-07-11 01:30 <DIR> d-------- C:\Program Files\UHS
2008-07-11 01:30 . 2008-07-11 01:31 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\UHS Reader
2008-07-11 00:56 . 2008-07-11 00:56 <DIR> d-------- C:\WINDOWS\Sun
2008-07-11 00:56 . 2008-07-11 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 00:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-11 00:55 . 2008-07-11 00:56 <DIR> d-------- C:\Program Files\Java
2008-07-11 00:53 . 2008-07-11 00:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-11 00:45 . 2008-07-11 01:08 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-11 00:45 . 2008-07-11 01:08 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-11 00:45 . 2008-07-11 01:08 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-11 00:45 . 2008-07-11 01:08 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-11 00:29 . 2008-07-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-11 00:27 . 2008-07-16 01:46 <DIR> d-------- C:\Program Files\ATT
2008-07-10 05:11 . 2008-07-10 05:12 <DIR> d-------- C:\Program Files\10 Days Under The Sea
2008-07-10 03:24 . 2008-07-10 03:24 <DIR> dr-h----- C:\Documents and Settings\Necro\Application Data\SecuROM
2008-07-10 02:36 . 2008-07-10 02:39 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\DivX
2008-07-10 02:30 . 2008-07-10 02:31 <DIR> d-------- C:\Program Files\DivX
2008-07-09 22:54 . 2008-07-09 22:54 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\CyberLink
2008-07-09 22:52 . 2008-07-11 03:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-09 22:50 . 2008-07-11 21:51 <DIR> d-------- C:\Program Files\CyberLink
2008-07-09 22:08 . 2008-07-09 22:08 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-09 22:08 . 2008-07-09 22:08 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-09 21:58 . 2008-07-09 22:08 <DIR> d-------- C:\Program Files\The Witcher
2008-07-09 21:49 . 2008-07-09 21:49 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\WildTangent
2008-07-09 21:48 . 2008-07-16 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-07-09 20:44 . 2008-07-09 20:44 <DIR> d-------- C:\Documents and Settings\Necro\Application Data\Vso
2008-07-09 20:43 . 2008-07-09 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-09 02:47 . 2008-07-09 02:47 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-08 18:28 . 2008-07-08 18:28 <DIR> d-------- C:\Program Files\Chocolatier 2 - Secret Ingredients
2008-07-08 16:35 . 2008-07-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayPond
2008-07-08 16:34 . 2008-07-08 16:34 <DIR> d-------- C:\Program Files\DragonStone
2008-07-08 11:15 . 2008-07-15 04:00 2,467 --a------ C:\WINDOWS\wininit.ini
2008-07-08 04:59 . 2008-07-15 02:37 <DIR> d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 03:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-07-22 06:05 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-07-17 00:23 --------- d-----w C:\Program Files\WildGames
2008-07-16 04:58 --------- d-----w C:\Program Files\PopCap Games
2008-07-05 01:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-04 20:58 --------- d-----w C:\Program Files\Sierra
2008-07-04 20:58 --------- d-----w C:\Program Files\NCSoft
2008-07-04 20:56 --------- d-----w C:\Program Files\Space Rangers 2
2008-07-04 20:54 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-07-04 20:53 --------- d-----w C:\Program Files\Enlight
2008-07-04 20:50 --------- d-----w C:\Program Files\Eidos Interactive
2008-07-04 20:48 --------- d-----w C:\Program Files\Double Fine Productions
2008-07-04 20:46 --------- d-----w C:\Program Files\Electronic Arts
2008-07-04 20:22 --------- d-----w C:\Program Files\WildTangent
2008-07-04 20:21 --------- d-----w C:\Program Files\Western Digital
2008-07-04 20:21 --------- d-----w C:\Program Files\Vuze
2008-07-04 20:21 --------- d-----w C:\Program Files\Sony
2008-07-04 20:21 --------- d-----w C:\Program Files\Smart Mod Manager
2008-07-04 20:21 --------- d-----w C:\Program Files\Singles2
2008-07-04 20:13 --------- d-----w C:\Program Files\SEGA
2008-07-04 20:13 --------- d-----w C:\Program Files\Seagate
2008-07-04 20:13 --------- d-----w C:\Program Files\Reaxxion
2008-07-04 20:12 --------- d-----w C:\Program Files\Plus!
2008-07-04 20:12 --------- d-----w C:\Program Files\Playboy - The Mansion
2008-07-04 20:10 --------- d-----w C:\Program Files\OceanDive
2008-07-04 20:09 --------- d-----w C:\Program Files\Monte Cristo
2008-07-04 20:09 --------- d-----w C:\Program Files\ModTheSims2.com
2008-07-04 20:09 --------- d-----w C:\Program Files\Microsoft Plus!
2008-07-04 20:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-04 20:07 --------- d-----w C:\Program Files\Maxis
2008-07-04 20:07 --------- d-----w C:\Program Files\Freelancer Mod Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\dvdSanta
2008-07-04 20:06 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Shrink
2008-07-04 20:06 --------- d-----w C:\Program Files\DVD Decrypter
2008-07-04 20:06 --------- d-----w C:\Program Files\Download Manager
2008-07-04 20:06 --------- d-----w C:\Program Files\Common Files\Seagate
2008-07-04 20:03 --------- d-----w C:\Program Files\CENEGA
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-11 00:07 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-27 03:21 1,582,592 ------w C:\WINDOWS\system32\tquery.dll
2008-05-27 03:21 1,418,240 ------w C:\WINDOWS\system32\mssrch.dll
2008-05-27 03:19 97,792 ------w C:\WINDOWS\system32\UncCplExt.dll
2008-05-27 03:19 273,408 ------w C:\WINDOWS\system32\oeph.dll
2008-05-27 03:19 2,048 ------w C:\WINDOWS\system32\UncRes.dll
2008-05-27 03:19 143,872 ------w C:\WINDOWS\system32\UncDMS.dll
2008-05-27 03:19 131,072 ------w C:\WINDOWS\system32\UncPH.dll
2008-05-27 03:19 11,264 ------w C:\WINDOWS\system32\oephRes.dll
2008-05-27 03:19 108,032 ------w C:\WINDOWS\system32\UncNE.dll
2008-05-27 03:18 71,680 ------w C:\WINDOWS\system32\propdefs.dll
2008-05-27 03:18 56,320 ------w C:\WINDOWS\system32\xmlfilter.dll
2008-05-27 03:18 44,032 ------w C:\WINDOWS\system32\msstrc.dll
2008-05-27 03:18 439,808 ------w C:\WINDOWS\system32\searchindexer.exe
2008-05-27 03:18 38,400 ------w C:\WINDOWS\system32\rtffilt.dll
2008-05-27 03:18 350,208 ------w C:\WINDOWS\system32\mssph.dll
2008-05-27 03:18 231,936 ------w C:\WINDOWS\system32\msshsq.dll
2008-05-27 03:18 203,776 ------w C:\WINDOWS\system32\mssphtb.dll
2008-05-27 03:18 184,832 ------w C:\WINDOWS\system32\searchprotocolhost.exe
2008-05-27 03:17 87,552 ------w C:\WINDOWS\system32\searchfilterhost.exe
2008-05-27 03:17 87,552 ------w C:\WINDOWS\system32\mssitlb.dll
2008-05-27 03:17 754,176 ------w C:\WINDOWS\system32\propsys.dll
2008-05-27 03:17 60,416 ------w C:\WINDOWS\system32\msscntrs.dll
2008-05-27 03:17 34,816 ------w C:\WINDOWS\system32\msscb.dll
2008-05-27 03:17 32,768 ------w C:\WINDOWS\system32\mssprxy.dll
2008-05-27 03:17 301,568 ------w C:\WINDOWS\system32\srchadmin.dll
2008-05-27 03:17 11,776 ------w C:\WINDOWS\system32\msshooks.dll
2008-05-27 02:59 18,904 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
2008-05-27 02:59 106,605 ------w C:\WINDOWS\system32\structuredqueryschema.bin
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-03 03:46 6,108,160 ----a-w C:\WINDOWS\system32\dllcache\nv4_disp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 15:56 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 07:45 133576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-07-22 01:05 15360]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57 1103480]
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56 278528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 18:30 1687824]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-17 19:08 2094352]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 18:50 233472]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2008-07-04 20:23:37 36864]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2008-07-04 20:22:52 49220]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins.exe"=
"C:\\Program Files\\WildGames\\Penguins!\\penguins-WT.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsoleService.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\GameConsole-wt.exe"=
"C:\\Program Files\\WildGames\\Game Console - WildGames\\MergeLocalConfig.exe"=
"C:\\Program Files\\Anno 1701\\Anno1701.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:WILD TAN 1
"80:UDP"= 80:UDP:WILD 3
"443:UDP"= 443:UDP:WILD 2

R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 03:19]
S3 GameConsoleService;GameConsoleService;C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe [2008-05-05 17:25]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - WSEARCH
.
Contents of the 'Scheduled Tasks' folder
"2008-07-25 00:02:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-23 20:06:34 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Necro.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-24 18:51:57 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://att.yahoo.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O17 -: HKLM\CCS\Interface\{89C554A4-7F52-4EEF-9F49-99965AE1F78E}: NameServer = 66.73.20.40 206.141.193.55

O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
C:\WINDOWS\Downloaded Program Files\SysReqLab3.osd
C:\WINDOWS\Downloaded Program Files\sysreqlab3.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 20:39:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-24 20:40:12
ComboFix-quarantined-files.txt 2008-07-25 01:40:08
ComboFix2.txt 2008-07-25 01:32:58
ComboFix3.txt 2008-07-24 21:15:24

Pre-Run: 375,707,033,600 bytes free
Post-Run: 375,673,704,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

349 --- E O F --- 2008-07-24 18:53:17

pskelley
2008-07-25, 13:21
Please take the time to read and follow all directions carefully, since a mistake can turn the computer into a plant stand. If there is something you don't understand, STOP and take the time to ask.

Return to my post #8 and start with this line:

If you are ready to move on, then remove combofix from your computer like this:

Thanks

Necroelf
2008-07-25, 21:22
OK, ComboFix is uninstalled now. I did the steps before as well, having it install the Recovery Console. The only problem is that the DLL still stops when I try to go to System Restore, even though it said it was working correctly. I had printed out all the stuff on the Microsoft page to try to get it to work, and nothing. So I'm not sure what is next. If I really need to get that to work, I don't know how; it won't start at all, even in Safe Mode under Administrator.

Necroelf
2008-07-25, 21:38
Forgot to put in that I did the Norton and Windows Defender scans, though, and they found nothing. If I can get System Restore to work after I get SP3 in sometime, I will do that as soon as I can. I will go and buy it as well; best to have a CD anyway, just in case. Sorry about this extra post, but I thought you should know everything I can think of at the moment :) and thanks again for all this great help :)