View Full Version : Want rid of MALWARE and other Fake anti virus ..
ultragravity
2008-09-15, 20:02
My computer is infected with malware and other fake anti virus which change my background wallpaper to blue and consistently open web page showing system scan. I searchd on internet for a spyware and downloaded and purchased Spyware detector, but i fink tht dint worked aswell. Please help me, Appreciate tht.
Following is the log file oh Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57:51, on 15/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\bedwhcjc\fefupclm.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\DJBONN~1\AppData\Local\Temp\atqhotmb.exe
C:\Windows\system32\cpofilwr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O4 - HKCU\..\Run: [Somefox] C:\Users\DJ BoNnEt\AppData\Local\Temp\video1018.cfg.exe
O4 - HKLM\..\Policies\Explorer\Run: [AkuGb1CgrL] C:\ProgramData\bedwhcjc\fefupclm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_236/webolr/OCX/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://32red.microgaming.com/32red/FlashAX2.cab
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 7683 bytes
pskelley
2008-09-16, 21:00
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy. Many of our tools will not work on Vista, so I can promiss only to do my best, if that works for you follow the directions.
1) Do not start multiple posts as you have, that only adds to the confusion. I will trash to other post you started.
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
ultragravity
2008-09-16, 23:41
Thanks for you reply.
I did Combo Fix Following is the result.
ComboFix 08-09-15.02 - DJ BoNnEt 2008-09-16 21:20:59.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.316 [GMT 1:00]
Running from: C:\Users\DJ BoNnEt\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\DJ BoNnEt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Download programs.url
C:\Users\DJ BoNnEt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games.url
C:\Users\DJ BoNnEt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Translator.url
C:\Users\DJ BoNnEt\Favorites\Download programs.url
C:\Users\DJ BoNnEt\Favorites\Games.url
C:\Users\DJ BoNnEt\Favorites\Translator.url
C:\Users\DJ BoNnEt\Favorites\Videos.url
C:\Users\DJBONN~1\FAVORI~1\Download programs.url
C:\Users\DJBONN~1\FAVORI~1\Games.url
C:\Users\DJBONN~1\FAVORI~1\Translator.url
C:\Users\DJBONN~1\FAVORI~1\Videos.url
C:\Windows\system32\blphc9blj0ea0p.scr
C:\Windows\system32\hxiwlgpm.dat
C:\Windows\system32\lphc9blj0ea0p.exe
C:\Windows\system32\taack.dat
C:\Windows\system32\VBIEWER.OCX
.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 20:13 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-09-16 02:03 --------- d-----w C:\Program Files\Norton 360
2008-09-15 19:37 --------- d-----w C:\Program Files\WMR11
2008-09-15 19:30 --------- d-----w C:\Program Files\Sytexis Software
2008-09-15 19:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Sytexis
2008-09-15 19:21 --------- d-----w C:\Program Files\FLVCodec
2008-09-15 16:57 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 16:47 98,304 ----a-w C:\Windows\System32\cpofilwr.exe
2008-09-15 09:43 --------- d-----w C:\Program Files\SpywareDetector
2008-09-15 07:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 16:19 --------- d-----w C:\Program Files\SAV
2008-09-14 15:44 --------- d-----w C:\ProgramData\Symantec
2008-09-14 15:43 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-09-14 15:43 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-09-14 15:43 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-09-14 15:43 --------- d-----w C:\Program Files\Symantec
2008-09-14 15:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-14 04:44 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Symantec
2008-09-14 01:02 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-13 23:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 23:11 106,496 ----a-w C:\Windows\System32\pghidqhk.exe
2008-09-13 23:11 --------- d-----w C:\ProgramData\bedwhcjc
2008-09-11 17:56 --------- d-----w C:\Program Files\MegaSpoof
2008-09-11 03:06 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\TVU Networks
2008-09-11 03:06 --------- d-----w C:\ProgramData\TVU Networks
2008-09-11 03:00 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\PPStream
2008-09-11 02:55 --------- d-----w C:\Program Files\Google
2008-09-10 02:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-08 07:05 --------- d-----w C:\Program Files\Pool Station
2008-09-08 07:03 --------- d-----w C:\Program Files\XAimer
2008-09-05 01:56 --------- d-----w C:\ProgramData\Skype
2008-09-02 21:19 20,481 ----a-w C:\Windows\System32\SystemsHook.dll
2008-09-02 17:35 --------- d-----w C:\Program Files\LightningWare
2008-09-02 04:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-09-02 04:06 --------- d-----w C:\Program Files\DivX
2008-09-02 03:41 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Media Player Classic
2008-09-02 03:07 --------- d-----w C:\Program Files\TVersity
2008-08-31 16:19 --------- d---a-w C:\ProgramData\TEMP
2008-08-31 00:55 --------- d-----w C:\Program Files\HiChatter Messenger
2008-08-27 14:35 12,752 ----a-w C:\Windows\System32\SDEarlyDelete.exe
2008-08-27 11:30 917,504 ----a-w C:\Windows\System32\CheckDll.dll
2008-08-25 17:11 --------- d-----w C:\ProgramData\eSellerate
2008-08-25 17:11 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-08-25 11:52 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Microgaming
2008-08-23 23:18 --------- d-----w C:\Program Files\BitLord
2008-08-22 11:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\yahoo!
2008-08-22 11:26 --------- d-----w C:\ProgramData\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Packard Bell
2008-08-22 11:23 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\skypePM
2008-08-22 02:12 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 20:46 174 --sha-w C:\Program Files\desktop.ini
2008-08-04 14:33 --------- d-----w C:\Program Files\Bytescribe
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:34 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll
2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 03:34 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-07-30 23:47 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-30 16:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-07-25 08:34 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-07-25 08:34 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-07-25 08:34 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-07-25 08:34 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-07-25 08:34 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-07-25 08:34 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-07-25 08:34 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-07-25 08:34 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-07-25 08:34 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-07-23 16:50 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll
2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll
2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
2008-07-18 21:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll
2008-07-18 19:44 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-05-28 21:05 1,021,952 ----a-w C:\Program Files\Activator.exe
2008-02-22 19:30 9,046,472 ----a-w C:\Program Files\Alcohol120 retail 1.9.7.6221.exe
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 21:58 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-02-16 19:10 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-16 19:10 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-14 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008010720080114\index.dat
2008-01-21 15:00 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080121\index.dat
2008-01-29 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012120080128\index.dat
2008-01-29 20:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 988512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"AkuGb1CgrL"="C:\ProgramData\bedwhcjc\fefupclm.exe" [2008-09-14 61440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\Windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AplCfg]
--a------ 2008-09-14 00:11 106496 C:\Windows\System32\pghidqhk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-12-09 13:14 1068032 C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 13:35 125440 C:\Windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HiChatter]
--a------ 2008-08-24 18:55 3148288 C:\Program Files\HiChatter Messenger\HiChater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-13 02:48 275800 C:\Program Files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-11-25 13:59 143360 C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2004-11-24 13:29 880640 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-01-11 11:40 232184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-09 13:35 1232896 C:\Program Files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSTray]
--------- 2007-09-17 21:09 552960 C:\Program Files\SiS VGA Utilities\SiSTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-03-01 14:24 857648 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-16 03:00 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
--a------ 2007-02-20 17:20 28672 C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2006-12-06 00:38 707360 C:\Windows\vVX1000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-26 20:22 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 13:36 201728 C:\Program Files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-09-03 11:39 4702208 C:\Windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
--a------ 2007-08-03 06:22 1826816 C:\Windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6EA23B-9A35-4811-82D6-8E7AD6110811}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7004C0FA-1B46-492C-81BF-92778791E96D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C21AB4A0-E097-4E12-AFB4-152116E536F2}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{BA7CDBA4-AA03-4C2E-B3CF-3F1CCA0C4A5C}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"TCP Query User{3B7F71C8-ECF1-45C5-AD02-26F45EE806D8}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{A8B3E5F8-DBC6-411D-AA03-3AF9ABDDCA91}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"{0DB9E773-E1DC-4514-AE98-E07E5A2E73DD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AA8F40BF-EAA4-4596-A10F-5509A9263360}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DCC171FE-8C5A-4E2B-A5E8-96A7970E204E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3180D18E-32C4-4C96-88FA-7B303D38DEC6}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CDA5062E-8639-4474-BBEC-6887B7A18557}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F3EA9694-1236-4DA9-ABF8-526B8E8C3AA8}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{411D83E8-EB2D-499B-9A56-EBE551AE409D}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{E3A90BF0-1CC3-41CF-B1ED-421D3FB77845}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{F95C1DDA-D688-4BF7-A7F9-E3FF3B99890B}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{2ACE9084-7234-4017-963F-15B3ADA0A278}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{C4A27154-AF46-462B-A02D-546C12F07B7D}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{03E26DF2-95CE-4313-A388-3939D706742C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{0875B147-D003-4A6A-A443-B827A966A436}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9571F356-0017-41B2-835F-1A89FAB20758}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{666EFB6F-CA08-4388-9BDF-554C7CAD1655}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{77624406-AA48-443B-A2FB-D701D1242117}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{7FFDB68D-98F0-4E6A-8014-BFBE1402ADE2}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{A0CFB4EB-D5B9-4886-87D2-4EABD1C30666}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{541AB76C-8374-49DE-A8AA-81EFB8EB7257}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"TCP Query User{7D31529A-94FC-4F55-B346-D2CCD6C2C5AB}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{7B337831-D04A-49B9-85D0-2080EBDA9205}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"{22AC8DC4-24E0-4801-BAA6-063B8BE180F9}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C2AE7D55-253F-47D7-AE7F-4C5FC60FDD7D}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D51F3C21-292E-465E-8E34-6ECEEDF5887B}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9DDB4E36-3D46-4AFD-A634-770F8D5E6DB7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{47CC6B76-073D-47A0-813A-C2684CEB979F}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{4E2903A8-8694-4F8D-BB9B-2E6E61E326E1}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{B145B8DB-CBEB-4F8E-8A18-5E5A26F2DA3D}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A4B905B5-3384-4D3D-BDAA-EF793FBF0F86}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{23E93E8F-FEFA-49D5-A166-E3D38CBDEF79}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{27E8EE9B-C5C8-4B90-8BCA-C1AE7AFF1434}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{2687C437-FDAF-4356-9D20-86C4A4344382}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:UDP:C:\program files\wh gbp casino\casino.exe:Casino
"UDP Query User{A75FD8B7-F1B5-4C40-9B75-0D909682DE60}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:TCP:C:\program files\wh gbp casino\casino.exe:Casino
"TCP Query User{F3D7BD7C-68E1-434F-9EC9-B7E3A8BFB1EA}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:UDP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"UDP Query User{4C06FE68-22BA-4C8B-9D60-220F4C050643}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:TCP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"TCP Query User{3EE8E4EE-C35C-425B-9D9B-6E6DCA47DD13}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
"UDP Query User{4C373856-1606-4848-AB65-D5520DB2D09E}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
"TCP Query User{03B8035D-2ABF-4B76-95BF-381F262E46AA}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{FF0526E5-8BA6-4CC7-BAF3-D1B1008E7E41}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{A006C09C-9A3D-4382-8844-0871E1421A8E}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1C7F0726-562A-4C9B-91C0-1E7B46347789}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPSÍøÂçµçÊÓ
"C:\\Program Files\\PPStream\\PPSAP.exe"= C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS ÍøÂç¼ÓËÙÆ÷
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080911.001\IDSvix86.sys [2008-08-08 261680]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 240408]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2008-02-21 456192]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-06-20 47616]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 7168]
S3 VX1000;VX-1000;C:\Windows\system32\DRIVERS\VX1000.sys [2006-12-06 1963680]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52b473b1-b887-11dc-9a65-d8d01b36dcf1}]
\shell\AutoRun\command - E:\autorun.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-smartchkwin - C:\Windows\system32\lcpmvono.exe
HKCU-Run-Somefox - C:\Users\DJ BoNnEt\AppData\Local\Temp\video1018.cfg.exe
Notify-SDNotify - (no file)
MSConfigStartUp-AntiMalwareGuard - C:\Program Files\AntiMalwareGuard\amg.exe
MSConfigStartUp-AntispywareBot - C:\Program Files\AntispywareBot\AntispywareBot.exe
MSConfigStartUp-Antivirus - C:\Program Files\SAV\sav.exe
MSConfigStartUp-MSPService - C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
MSConfigStartUp-PWRISOVM - C:\Program Files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\QTTask.exe
MSConfigStartUp-SmpcSys - C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
MSConfigStartUp-Somefox - C:\Users\DJ BoNnEt\AppData\Local\Temp\video1018.cfg.exe
MSConfigStartUp-SweetIM - C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
MSConfigStartUp-Voipwise - C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\DJ BoNnEt\AppData\Roaming\Mozilla\Firefox\Profiles\6eshcky2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 21:30:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-16 21:35:59
ComboFix-quarantined-files.txt 2008-09-16 20:34:53
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 2,889,080,832 bytes free
338 --- E O F --- 2008-09-12 01:23:27
------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36:45, on 16/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\bedwhcjc\fefupclm.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [AkuGb1CgrL] C:\ProgramData\bedwhcjc\fefupclm.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_236/webolr/OCX/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://32red.microgaming.com/32red/FlashAX2.cab
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 7422 bytes
pskelley
2008-09-17, 00:06
Thanks for returning your information, read and follow the direction carefully and in the numbered order.
In the first HJT log TeaTimer was not running, if it were I would have had you disable it. It is running in the new HJT log?
Click on Format at the top of Notepad and then uncheck Word Wrap and leave it unchecked until we finish.
C:\Program Files\Java\jre1.6.0_03 <<< update Java, see this information.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Please take the time to read this information:
http://forums.spybot.info/showthread.php?t=282
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
3) Open notepad and copy/paste the text in the codebox below into it:
Folder::
C:\ProgramData\bedwhcjc
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [AkuGb1CgrL] C:\ProgramData\bedwhcjc\fefupclm.exe
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mp...CX/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://32red.microgaming.com/32red/FlashAX2.cab
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run DISK CLEANUP: ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post log from CFScript, the log fram MBAM and a new HJT log.
How is the computer running now.
Thanks
ultragravity
2008-09-17, 04:04
thanks ALOT.. it seems like working now.. I can see the background wallpaper and screensaver options in control panel aswell .. thanks ALOt.. ANother thyng how can i make sure tht it is all gud nw !!
ultragravity
2008-09-17, 04:05
Can i deleat them softwares aswell .. Thanks
pskelley
2008-09-17, 12:43
It is important that you read and follow the directions.
Please post log from CFScript, the log from MBAM and a new HJT log.
ultragravity
2008-09-17, 14:40
sorry about that ..
ComboFix 08-09-15.02 - DJ BoNnEt 2008-09-16 23:17:37.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT 1:00]
Running from: C:\Users\DJ BoNnEt\Desktop\ComboFix.exe
Command switches used :: C:\Users\DJ BoNnEt\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\bedwhcjc
C:\ProgramData\bedwhcjc\fefupclm.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 22:16 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-09-16 21:57 --------- d-----w C:\Program Files\Sun
2008-09-16 21:56 --------- d-----w C:\Program Files\Java
2008-09-16 21:53 --------- d-----w C:\Program Files\Common Files\Java
2008-09-16 02:03 --------- d-----w C:\Program Files\Norton 360
2008-09-15 19:37 --------- d-----w C:\Program Files\WMR11
2008-09-15 19:30 --------- d-----w C:\Program Files\Sytexis Software
2008-09-15 19:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Sytexis
2008-09-15 19:21 --------- d-----w C:\Program Files\FLVCodec
2008-09-15 16:57 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 09:43 --------- d-----w C:\Program Files\SpywareDetector
2008-09-15 07:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 16:19 --------- d-----w C:\Program Files\SAV
2008-09-14 15:44 --------- d-----w C:\ProgramData\Symantec
2008-09-14 15:43 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-09-14 15:43 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-09-14 15:43 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-09-14 15:43 --------- d-----w C:\Program Files\Symantec
2008-09-14 15:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-14 04:44 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Symantec
2008-09-14 01:02 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-13 23:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-11 17:56 --------- d-----w C:\Program Files\MegaSpoof
2008-09-11 03:06 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\TVU Networks
2008-09-11 03:06 --------- d-----w C:\ProgramData\TVU Networks
2008-09-11 03:00 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\PPStream
2008-09-11 02:55 --------- d-----w C:\Program Files\Google
2008-09-10 02:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-08 07:05 --------- d-----w C:\Program Files\Pool Station
2008-09-08 07:03 --------- d-----w C:\Program Files\XAimer
2008-09-05 01:56 --------- d-----w C:\ProgramData\Skype
2008-09-02 17:35 --------- d-----w C:\Program Files\LightningWare
2008-09-02 04:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-09-02 04:06 --------- d-----w C:\Program Files\DivX
2008-09-02 03:41 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Media Player Classic
2008-09-02 03:07 --------- d-----w C:\Program Files\TVersity
2008-08-31 16:19 --------- d---a-w C:\ProgramData\TEMP
2008-08-31 00:55 --------- d-----w C:\Program Files\HiChatter Messenger
2008-08-25 17:11 --------- d-----w C:\ProgramData\eSellerate
2008-08-25 17:11 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-08-25 11:52 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Microgaming
2008-08-23 23:18 --------- d-----w C:\Program Files\BitLord
2008-08-22 11:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\yahoo!
2008-08-22 11:26 --------- d-----w C:\ProgramData\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Packard Bell
2008-08-22 11:23 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\skypePM
2008-08-22 02:12 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 20:46 174 --sha-w C:\Program Files\desktop.ini
2008-08-04 14:33 --------- d-----w C:\Program Files\Bytescribe
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-30 16:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-05-28 21:05 1,021,952 ----a-w C:\Program Files\Activator.exe
2008-02-22 19:30 9,046,472 ----a-w C:\Program Files\Alcohol120 retail 1.9.7.6221.exe
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 21:58 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-02-16 19:10 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-16 19:10 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-14 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008010720080114\index.dat
2008-01-21 15:00 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080121\index.dat
2008-01-29 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012120080128\index.dat
2008-01-29 20:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-16_21.33.38.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 15:13:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-16 22:02:40 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-16 15:13:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-16 22:02:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-16 20:26:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-09-16 22:05:45 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-09-16 20:29:27 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-09-16 22:24:47 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-09-16 22:24:47 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-09-16 20:06:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-16 22:10:37 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-16 20:06:35 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-16 22:10:37 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 20:06:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-16 22:10:37 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-09-24 22:30:28 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2007-09-24 22:30:30 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2007-09-24 23:31:42 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-09-16 22:04:06 98,304 ----a-w C:\Windows\System32\pavejqry.exe
- 2008-09-16 15:16:46 67,950 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-16 22:05:06 68,076 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-15 08:10:34 3,034 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-09-16 22:01:15 3,034 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-09-16 15:16:41 51,750 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-16 22:04:59 51,846 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"smartchkwin"="C:\Windows\system32\lcpmvono.exe" [BU]
"uish"="C:\Windows\system32\pavejqry.exe" [2008-09-16 98304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 988512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\Windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AplCfg]
--a------ 2008-09-14 00:11 106496 C:\Windows\System32\pghidqhk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-12-09 13:14 1068032 C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 13:35 125440 C:\Windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HiChatter]
--a------ 2008-08-24 18:55 3148288 C:\Program Files\HiChatter Messenger\HiChater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-13 02:48 275800 C:\Program Files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-11-25 13:59 143360 C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2004-11-24 13:29 880640 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-01-11 11:40 232184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-09 13:35 1232896 C:\Program Files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSTray]
--------- 2007-09-17 21:09 552960 C:\Program Files\SiS VGA Utilities\SiSTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-03-01 14:24 857648 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-16 03:00 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
--a------ 2007-02-20 17:20 28672 C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2006-12-06 00:38 707360 C:\Windows\vVX1000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-26 20:22 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 13:36 201728 C:\Program Files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-09-03 11:39 4702208 C:\Windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
--a------ 2007-08-03 06:22 1826816 C:\Windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6EA23B-9A35-4811-82D6-8E7AD6110811}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7004C0FA-1B46-492C-81BF-92778791E96D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C21AB4A0-E097-4E12-AFB4-152116E536F2}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{BA7CDBA4-AA03-4C2E-B3CF-3F1CCA0C4A5C}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"TCP Query User{3B7F71C8-ECF1-45C5-AD02-26F45EE806D8}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{A8B3E5F8-DBC6-411D-AA03-3AF9ABDDCA91}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"{0DB9E773-E1DC-4514-AE98-E07E5A2E73DD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AA8F40BF-EAA4-4596-A10F-5509A9263360}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DCC171FE-8C5A-4E2B-A5E8-96A7970E204E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3180D18E-32C4-4C96-88FA-7B303D38DEC6}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CDA5062E-8639-4474-BBEC-6887B7A18557}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F3EA9694-1236-4DA9-ABF8-526B8E8C3AA8}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{411D83E8-EB2D-499B-9A56-EBE551AE409D}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{E3A90BF0-1CC3-41CF-B1ED-421D3FB77845}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{F95C1DDA-D688-4BF7-A7F9-E3FF3B99890B}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{2ACE9084-7234-4017-963F-15B3ADA0A278}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{C4A27154-AF46-462B-A02D-546C12F07B7D}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{03E26DF2-95CE-4313-A388-3939D706742C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{0875B147-D003-4A6A-A443-B827A966A436}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9571F356-0017-41B2-835F-1A89FAB20758}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{666EFB6F-CA08-4388-9BDF-554C7CAD1655}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{77624406-AA48-443B-A2FB-D701D1242117}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{7FFDB68D-98F0-4E6A-8014-BFBE1402ADE2}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{A0CFB4EB-D5B9-4886-87D2-4EABD1C30666}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{541AB76C-8374-49DE-A8AA-81EFB8EB7257}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"TCP Query User{7D31529A-94FC-4F55-B346-D2CCD6C2C5AB}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{7B337831-D04A-49B9-85D0-2080EBDA9205}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"{22AC8DC4-24E0-4801-BAA6-063B8BE180F9}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C2AE7D55-253F-47D7-AE7F-4C5FC60FDD7D}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D51F3C21-292E-465E-8E34-6ECEEDF5887B}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9DDB4E36-3D46-4AFD-A634-770F8D5E6DB7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{47CC6B76-073D-47A0-813A-C2684CEB979F}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{4E2903A8-8694-4F8D-BB9B-2E6E61E326E1}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{B145B8DB-CBEB-4F8E-8A18-5E5A26F2DA3D}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A4B905B5-3384-4D3D-BDAA-EF793FBF0F86}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{23E93E8F-FEFA-49D5-A166-E3D38CBDEF79}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{27E8EE9B-C5C8-4B90-8BCA-C1AE7AFF1434}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{2687C437-FDAF-4356-9D20-86C4A4344382}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:UDP:C:\program files\wh gbp casino\casino.exe:Casino
"UDP Query User{A75FD8B7-F1B5-4C40-9B75-0D909682DE60}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:TCP:C:\program files\wh gbp casino\casino.exe:Casino
"TCP Query User{F3D7BD7C-68E1-434F-9EC9-B7E3A8BFB1EA}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:UDP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"UDP Query User{4C06FE68-22BA-4C8B-9D60-220F4C050643}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:TCP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"TCP Query User{3EE8E4EE-C35C-425B-9D9B-6E6DCA47DD13}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
"UDP Query User{4C373856-1606-4848-AB65-D5520DB2D09E}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
"TCP Query User{03B8035D-2ABF-4B76-95BF-381F262E46AA}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{FF0526E5-8BA6-4CC7-BAF3-D1B1008E7E41}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{A006C09C-9A3D-4382-8844-0871E1421A8E}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1C7F0726-562A-4C9B-91C0-1E7B46347789}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPSÍøÂçµçÊÓ
"C:\\Program Files\\PPStream\\PPSAP.exe"= C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS ÍøÂç¼ÓËÙÆ÷
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080911.001\IDSvix86.sys [2008-08-08 261680]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 240408]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2008-02-21 456192]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-06-20 47616]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 7168]
S3 VX1000;VX-1000;C:\Windows\system32\DRIVERS\VX1000.sys [2006-12-06 1963680]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52b473b1-b887-11dc-9a65-d8d01b36dcf1}]
\shell\AutoRun\command - E:\autorun.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Explorer_Run-AkuGb1CgrL - C:\ProgramData\bedwhcjc\fefupclm.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 23:24:29
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-16 23:35:20
ComboFix-quarantined-files.txt 2008-09-16 22:34:15
ComboFix2.txt 2008-09-16 20:36:00
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 3,441,651,712 bytes free
299 --- E O F --- 2008-09-12 01:23:27
----------------------------------------------------
Malwarebytes' Anti-Malware 1.28
Database version: 1163
Windows 6.0.6000
17/09/2008 02:00:08
mbam-log-2008-09-17 (02-00-08).txt
Scan type: Full Scan (C:\|)
Objects scanned: 159083
Time elapsed: 1 hour(s), 25 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Casino (Adware.Casino) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:36, on 17/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\pavejqry.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O4 - HKCU\..\Run: [uish] C:\Windows\system32\pavejqry.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 6365 bytes
pskelley
2008-09-17, 16:24
Thanks for returning that information, we still have issues, you are keeping this computer offline when not troubleshooting this problems, correct? follow these directions.
Open notepad and copy/paste the text in the codebox below into it:
File::
C:\Windows\System32\pavejqry.exe
C:\Windows\system32\lcpmvono.exe
C:\Windows\System32\pghidqhk.exe
Folder::
C:\ProgramData\bedwhcjc
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(may be gone)
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O4 - HKCU\..\Run: [uish] C:\Windows\system32\pavejqry.exe
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Post the log from CFScript and a new HJT log.
How is the computer running now?
Thanks
ultragravity
2008-09-18, 04:23
THANKS ALOT FOR YOU HELP.
FOLLOWING THE REPORTS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:16:40, on 18/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 6219 bytes
-----------------------------------------------------
ComboFix 08-09-16.05 - DJ BoNnEt 2008-09-18 2:04:56.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.244 [GMT 1:00]
Running from: C:\Users\DJ BoNnEt\Desktop\ComboFix.exe
Command switches used :: C:\Users\DJ BoNnEt\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\pavejqry.exe
C:\Windows\System32\pghidqhk.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 23:12 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-09-17 11:56 --------- d-----w C:\Program Files\Pool Station
2008-09-17 01:00 --------- d-----w C:\Program Files\SAV
2008-09-16 23:01 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-16 23:00 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Malwarebytes
2008-09-16 23:00 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-16 22:59 --------- d-----w C:\ProgramData\Zylom
2008-09-16 21:57 --------- d-----w C:\Program Files\Sun
2008-09-16 21:56 --------- d-----w C:\Program Files\Java
2008-09-16 21:53 --------- d-----w C:\Program Files\Common Files\Java
2008-09-16 02:03 --------- d-----w C:\Program Files\Norton 360
2008-09-15 19:37 --------- d-----w C:\Program Files\WMR11
2008-09-15 19:30 --------- d-----w C:\Program Files\Sytexis Software
2008-09-15 19:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Sytexis
2008-09-15 19:21 --------- d-----w C:\Program Files\FLVCodec
2008-09-15 16:57 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 16:47 98,304 ----a-w C:\Windows\System32\cpofilwr.exe
2008-09-15 09:43 --------- d-----w C:\Program Files\SpywareDetector
2008-09-15 07:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 15:44 --------- d-----w C:\ProgramData\Symantec
2008-09-14 15:43 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-09-14 15:43 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-09-14 15:43 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-09-14 15:43 --------- d-----w C:\Program Files\Symantec
2008-09-14 15:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-14 04:44 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Symantec
2008-09-14 01:02 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-13 23:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-11 17:56 --------- d-----w C:\Program Files\MegaSpoof
2008-09-11 03:06 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\TVU Networks
2008-09-11 03:06 --------- d-----w C:\ProgramData\TVU Networks
2008-09-11 03:00 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\PPStream
2008-09-11 02:55 --------- d-----w C:\Program Files\Google
2008-09-10 02:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 23:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-09 23:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-09-08 07:03 --------- d-----w C:\Program Files\XAimer
2008-09-05 01:56 --------- d-----w C:\ProgramData\Skype
2008-09-02 21:19 20,481 ----a-w C:\Windows\System32\SystemsHook.dll
2008-09-02 17:35 --------- d-----w C:\Program Files\LightningWare
2008-09-02 04:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-09-02 04:06 --------- d-----w C:\Program Files\DivX
2008-09-02 03:41 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Media Player Classic
2008-09-02 03:07 --------- d-----w C:\Program Files\TVersity
2008-08-31 16:19 --------- d---a-w C:\ProgramData\TEMP
2008-08-31 00:55 --------- d-----w C:\Program Files\HiChatter Messenger
2008-08-27 14:35 12,752 ----a-w C:\Windows\System32\SDEarlyDelete.exe
2008-08-27 11:30 917,504 ----a-w C:\Windows\System32\CheckDll.dll
2008-08-25 17:11 --------- d-----w C:\ProgramData\eSellerate
2008-08-25 17:11 --------- d-----w C:\Program Files\Common Files\eSellerate
2008-08-25 11:52 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\Microgaming
2008-08-23 23:18 --------- d-----w C:\Program Files\BitLord
2008-08-22 11:26 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\yahoo!
2008-08-22 11:26 --------- d-----w C:\ProgramData\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Yahoo!
2008-08-22 11:26 --------- d-----w C:\Program Files\Packard Bell
2008-08-22 11:23 --------- d-----w C:\Users\DJ BoNnEt\AppData\Roaming\skypePM
2008-08-22 02:12 --------- d-----w C:\Program Files\Windows Mail
2008-08-05 20:46 174 --sha-w C:\Program Files\desktop.ini
2008-08-04 14:33 --------- d-----w C:\Program Files\Bytescribe
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:34 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll
2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-31 03:34 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-07-30 23:47 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-30 16:42 23,888 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-07-25 08:34 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-07-25 08:34 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-07-25 08:34 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-07-25 08:34 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-07-25 08:34 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-07-25 08:34 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-07-25 08:34 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-07-25 08:34 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-07-25 08:34 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-07-23 16:50 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll
2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll
2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
2008-07-18 21:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll
2008-07-18 19:44 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-06 21:58 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-06 21:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-02-16 19:10 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-16 19:10 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-14 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008010720080114\index.dat
2008-01-21 15:00 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080121\index.dat
2008-01-29 13:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012120080128\index.dat
2008-01-29 20:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-16_21.33.38.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 15:13:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-17 23:07:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-16 15:13:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-17 23:07:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-16 20:26:55 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-09-17 23:10:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-09-17 23:10:05 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-09-16 20:29:27 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-09-18 01:10:48 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-09-16 20:06:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-18 00:19:16 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-16 20:06:35 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-18 00:19:16 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 20:06:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-18 00:19:16 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-16 20:20:49 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-18 01:04:39 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-18 01:04:39 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1
- 2007-09-24 22:30:28 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2007-09-24 22:30:30 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2007-09-24 23:31:42 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-09-16 15:16:46 11,516 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3335814581-3972811892-259792903-1002_UserData.bin
+ 2008-09-17 23:10:12 11,572 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3335814581-3972811892-259792903-1002_UserData.bin
- 2008-09-16 15:16:46 67,950 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 23:10:12 68,546 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-15 08:10:34 3,034 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-09-16 22:01:15 3,034 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-09-16 15:16:41 51,750 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 23:10:06 52,126 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"smartchkwin"="C:\Windows\system32\lcpmvono.exe" [BU]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 988512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\Windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-12-09 13:14 1068032 C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 13:35 125440 C:\Windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HiChatter]
--a------ 2008-08-24 18:55 3148288 C:\Program Files\HiChatter Messenger\HiChater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-13 02:48 275800 C:\Program Files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-11-25 13:59 143360 C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2004-11-24 13:29 880640 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-01-11 11:40 232184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-09 13:35 1232896 C:\Program Files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSTray]
--------- 2007-09-17 21:09 552960 C:\Program Files\SiS VGA Utilities\SiSTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-03-01 14:24 857648 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-16 03:00 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
--a------ 2007-02-20 17:20 28672 C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2006-12-06 00:38 707360 C:\Windows\vVX1000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-26 20:22 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 13:36 201728 C:\Program Files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-09-03 11:39 4702208 C:\Windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
--a------ 2007-08-03 06:22 1826816 C:\Windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6EA23B-9A35-4811-82D6-8E7AD6110811}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7004C0FA-1B46-492C-81BF-92778791E96D}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{C21AB4A0-E097-4E12-AFB4-152116E536F2}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{BA7CDBA4-AA03-4C2E-B3CF-3F1CCA0C4A5C}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"TCP Query User{3B7F71C8-ECF1-45C5-AD02-26F45EE806D8}C:\\program files\\paltalk messenger\\paltalk.exe"= UDP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"UDP Query User{A8B3E5F8-DBC6-411D-AA03-3AF9ABDDCA91}C:\\program files\\paltalk messenger\\paltalk.exe"= TCP:C:\program files\paltalk messenger\paltalk.exe:PaltalkScene
"{0DB9E773-E1DC-4514-AE98-E07E5A2E73DD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AA8F40BF-EAA4-4596-A10F-5509A9263360}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DCC171FE-8C5A-4E2B-A5E8-96A7970E204E}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3180D18E-32C4-4C96-88FA-7B303D38DEC6}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CDA5062E-8639-4474-BBEC-6887B7A18557}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F3EA9694-1236-4DA9-ABF8-526B8E8C3AA8}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{411D83E8-EB2D-499B-9A56-EBE551AE409D}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{E3A90BF0-1CC3-41CF-B1ED-421D3FB77845}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{F95C1DDA-D688-4BF7-A7F9-E3FF3B99890B}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{2ACE9084-7234-4017-963F-15B3ADA0A278}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{C4A27154-AF46-462B-A02D-546C12F07B7D}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{03E26DF2-95CE-4313-A388-3939D706742C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{0875B147-D003-4A6A-A443-B827A966A436}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9571F356-0017-41B2-835F-1A89FAB20758}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{666EFB6F-CA08-4388-9BDF-554C7CAD1655}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{77624406-AA48-443B-A2FB-D701D1242117}"= UDP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{7FFDB68D-98F0-4E6A-8014-BFBE1402ADE2}"= TCP:C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:Voipwise
"{A0CFB4EB-D5B9-4886-87D2-4EABD1C30666}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{541AB76C-8374-49DE-A8AA-81EFB8EB7257}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"TCP Query User{7D31529A-94FC-4F55-B346-D2CCD6C2C5AB}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{7B337831-D04A-49B9-85D0-2080EBDA9205}C:\\users\\dj bonnet\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\dj bonnet\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"{22AC8DC4-24E0-4801-BAA6-063B8BE180F9}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C2AE7D55-253F-47D7-AE7F-4C5FC60FDD7D}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D51F3C21-292E-465E-8E34-6ECEEDF5887B}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9DDB4E36-3D46-4AFD-A634-770F8D5E6DB7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{47CC6B76-073D-47A0-813A-C2684CEB979F}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{4E2903A8-8694-4F8D-BB9B-2E6E61E326E1}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{B145B8DB-CBEB-4F8E-8A18-5E5A26F2DA3D}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A4B905B5-3384-4D3D-BDAA-EF793FBF0F86}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{23E93E8F-FEFA-49D5-A166-E3D38CBDEF79}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{27E8EE9B-C5C8-4B90-8BCA-C1AE7AFF1434}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{2687C437-FDAF-4356-9D20-86C4A4344382}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:UDP:C:\program files\wh gbp casino\casino.exe:Casino
"UDP Query User{A75FD8B7-F1B5-4C40-9B75-0D909682DE60}C:\\program files\\wh gbp casino\\casino.exe"= Disabled:TCP:C:\program files\wh gbp casino\casino.exe:Casino
"TCP Query User{F3D7BD7C-68E1-434F-9EC9-B7E3A8BFB1EA}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:UDP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"UDP Query User{4C06FE68-22BA-4C8B-9D60-220F4C050643}C:\\program files\\wh gbp casino\\casinoua.exe"= Disabled:TCP:C:\program files\wh gbp casino\casinoua.exe:CasinoUA
"TCP Query User{3EE8E4EE-C35C-425B-9D9B-6E6DCA47DD13}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
"UDP Query User{4C373856-1606-4848-AB65-D5520DB2D09E}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
"TCP Query User{03B8035D-2ABF-4B76-95BF-381F262E46AA}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{FF0526E5-8BA6-4CC7-BAF3-D1B1008E7E41}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{A006C09C-9A3D-4382-8844-0871E1421A8E}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1C7F0726-562A-4C9B-91C0-1E7B46347789}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPSÍøÂçµçÊÓ
"C:\\Program Files\\PPStream\\PPSAP.exe"= C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS ÍøÂç¼ÓËÙÆ÷
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080913.004\IDSvix86.sys [2008-08-08 261680]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 240408]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2008-02-21 456192]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-06-20 47616]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 7168]
S3 VX1000;VX-1000;C:\Windows\system32\DRIVERS\VX1000.sys [2006-12-06 1963680]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52b473b1-b887-11dc-9a65-d8d01b36dcf1}]
\shell\AutoRun\command - E:\autorun.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-uish - C:\Windows\system32\pavejqry.exe
MSConfigStartUp-AplCfg - C:\Windows\system32\pghidqhk.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 02:11:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-18 2:14:58
ComboFix-quarantined-files.txt 2008-09-18 01:13:53
ComboFix2.txt 2008-09-16 22:35:22
ComboFix3.txt 2008-09-16 20:36:00
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 4,163,993,600 bytes free
343 --- E O F --- 2008-09-16 22:46:55
pskelley
2008-09-18, 12:33
We have a few isues and at this point I am not sure if it is because you are missing stuff. I would appreciate it if you would follow the directions very carefully, if there is something you can not complete, make me aware of it. I asked this:
How is the computer running now?
Please try to descripe any symptoms of malware, add any comments you think will help. I am not in front of the computer, you are.
1) C:\Windows\System32\cpofilwr.exe <<< I need information about this file, make sure you can all files and folders a visiable for Vista:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#vista
Upload that file to: http://virusscan.jotti.org/ and post the results. Here are two other scans if jotti is busy.
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
2) O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com <<< did you put this item in the Hosts file?
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\Windows\system32\lcpmvono.exe <<< delete that file
4) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Post that uninstall list and a new HJT log and the information from the file scan.
Please tell me how the computer is running now.
Thanks
ultragravity
2008-09-18, 15:15
Hi.. Sorry about earlier... The computer is running good.. but whn i go to Control Panel > Security centre > There only used to be FIREWALL, AUTOMATIC UPDATING AND OTHER SECURITY SETTINGS. But since i got attacked by VIRUS there is another option there as MALWARE PROTECTION.
I went online to scan the file you told me to do ..
Service load: 0% 100%
File: cpofilwr.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6db7e6bd9f52feb5ce66c58e8fedb86d
Packers detected: -
---------------------------------
2) O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com <<< did you put this item in the Hosts file?
I DINT UNDERSTAND THIS... CAN YOU ECPLAIN HOW TO PUT THT IN HOST FILE.. COZ I CAN SEE THAT IN HIJACL THIS WHN I DO SYSTEM SCAN ONLY..
---
I shut everything and opened HIJACK THIS but i didnt found the following there
O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
------
IN C:/Windows/System32 there is no such file lcpmvono.exe
-------
The following is the Uninstall List Frm HIJACk this.
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Shockwave Player
AppCore
ATK Hotkey
Backup
BitLord 1.1
ccCommon
Compatibility Pack for the 2007 Office system
Creator 9
DivX Converter
DivX Web Player
Firefox
Flash Player 9 Internet Explorer
Football Manager 2008
GearDrvs
HDReg
HiChatter Messenger
HijackThis 2.0.2
Java(TM) 6 Update 7
K-Lite Mega Codec Pack 4.1.7
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft LifeCam
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Works 9 SE
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Multimedia Combo Set Driver
Nokia Connectivity Cable Driver
Nokia PC Suite
Norton 360
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 2007
Norton 360 HTMLHelp
Norton Confidential Core
OpenOffice.org Installer 1.0
PaltalkScene
PlayFLV
RealPlayer
Realtek High Definition Audio Driver
Roxio Creator 9 LE
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Visio 2007 (KB947590)
Shockwave player 10
SiS VGA Utilities
Skype 3.2.2.163
SPBBC 32bit
Spybot - Search & Destroy
SuperMegaSpoof 2.0
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Synaptics Pointing Device Driver
System Requirements Lab
TSP_CODEC
Update for Office 2007 (KB946691)
VideoLAN VLC media player 0.8.6d
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger
---------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:14:17, on 18/09/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 6111 bytes
--------------------------------------
The computer running is arrite...
pskelley
2008-09-18, 16:07
but whn i go to Control Panel > Security centre > There only used to be FIREWALL, AUTOMATIC UPDATING AND OTHER SECURITY SETTINGS. But since i got attacked by VIRUS there is another option there as MALWARE PROTECTION.
I am sorry but I have no idea what you are saying to me here? you will need to explain so I can understand.
File: cpofilwr.exe
Status: INFECTED/MALWARE
This item is malware, delete that file.
C:\Windows\System32\cpofilwr.exe <<< there
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
Is this your computer? And you don't know what is in your Hosts file?
http://www.mvps.org/winhelp2002/hosts.htm <<< see this
Uninstall List:
Adobe Reader 8
Adobe Reader 8.1.2
These are our of date and hackers exploit that to infect you. Dowload the newest version:
Adobe Reader 9.0
http://www.filehippo.com/download_adobe_reader/
uninstall old versions
BitLord 1.1 <<< see our policy in the link:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
uninstall all p2p programs on the computer
If you have no problems with those instructions, then remove combofix from the computer:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Update Symantec and scan your system, if you have problems with Symantec, contact tech support for instruction:
http://www.symantec.com/enterprise/support/index.jsp
If all is well at this point, let me know and I will close your topic.
Get maximum performance from Windows Vista
http://windowshelp.microsoft.com/windows/en-us/Help/596FB57F-CC9D-4AC5-A813-5C0830E9156A1033.mspx
All information will not apply to Vista:
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
ultragravity
2008-09-19, 04:47
Hi I did read that guide but I cant understand where is the host file .. I deleated C:\Windows\System32\cpofilwr.exe .. .. I read the guide but styll i am not sure wht to do with host file.
pskelley
2008-09-19, 15:54
read the guide but styll i am not sure wht to do with host file.
Nothing, you can look at the Hosts file like this:
To view the Hosts file:
Start -> Run -> Copy the following to the box and hit enter:
C:\WINDOWS\System32\drivers\etc\HOSTS
Since you seemed to not know what it was, I posted that information so you could learn: Information about that item:
http://www.google.com/search?hl=en&q=serial.alcohol-soft.com+&btnG=Google+Search&aq=f&oq=
ultragravity
2008-09-20, 01:40
okay thanks i got it but i cant see O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com in the host file.. What shall i do next ?
pskelley
2008-09-20, 02:18
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
Close all programs but HJT and all browser windows, then click on "Fix Checked"