PDA

View Full Version : Infected with Virantix & Vurtumonde :(



jaws104
2008-10-09, 00:16
Hi - I can't get rid of these two, had to rename spybot/hijackthis exe's just to get them to work, and AVG can not be enabled?? Anyway HJT log follows

C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\veoh\VeohClient.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Program Files\veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DeathAdder] E:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "F:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\ProgramFiles\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SNM] F:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DeskCalc] "f:\program files\deskcalc pro\deskcalc.exe" /hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9I21gRLDQ2] C:\Documents and Settings\All Users\Application Data\chsxypcz\yzkxyniz.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9858E2D8-26F3-488D-B0DD-F36AE70688E1}: NameServer = 194.46.192.141,194.46.192.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{71D31822-81A7-4564-BE10-B481076A186B}: NameServer = 194.46.192.141
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: chkcomwin - {5B5138A4-F5C9-EA13-C2E0-02C993932DFF} - E:\Program Files\ioazzzc\chkcomwin.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - F:\ProgramFiles\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7423 bytes

Shaba
2008-10-09, 11:48
Hi jaws104

HijackThis log cuts off.

Please re-send it :)

jaws104
2008-10-09, 19:39
Oops not sure why - this is everything from the txt file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:19, on 09/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\RivaTuner v2.06\RivaTuner.exe
F:\Program Files\UltraMon\UltraMon.exe
E:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\rundll32.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
E:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\veoh\VeohClient.exe
E:\Program Files\Razer\DeathAdder\razerofa.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Program Files\veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DeathAdder] E:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "F:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\ProgramFiles\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SNM] F:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [DeskCalc] "f:\program files\deskcalc pro\deskcalc.exe" /hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9I21gRLDQ2] C:\Documents and Settings\All Users\Application Data\chsxypcz\yzkxyniz.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9858E2D8-26F3-488D-B0DD-F36AE70688E1}: NameServer = 194.46.192.141,194.46.192.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{71D31822-81A7-4564-BE10-B481076A186B}: NameServer = 194.46.192.141
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: chkcomwin - {5B5138A4-F5C9-EA13-C2E0-02C993932DFF} - E:\Program Files\ioazzzc\chkcomwin.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - F:\ProgramFiles\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7423 bytes

Shaba
2008-10-09, 19:53
Rename HijackThis.exe to jaws104.exe.

After that:

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

jaws104
2008-10-09, 20:45
A popup is telling me windows explorer has encountered an error and needs to close - but i've left it open for the time being

ComboFix 08-10-08.05 - Administrator 2008-10-09 18:38:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1511 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\brastk.exe
C:\WINDOWS\karna.dat
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\karna.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-08 21:12 . 2008-10-08 21:19 3,104 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-08 20:52 . 2008-10-08 20:52 <DIR> d-------- C:\VundoFix Backups
2008-10-08 20:44 . 2008-10-08 20:44 98,304 --a------ C:\WINDOWS\system32\zmnovqnc.exe
2008-10-08 20:44 . 2001-08-28 14:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-08 19:03 . 2008-10-08 19:03 <DIR> d-------- E:\Program Files\Lavasoft
2008-10-08 19:03 . 2008-10-08 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-08 18:15 . 2008-10-08 18:15 <DIR> d-------- E:\Program Files\AVG
2008-10-08 18:15 . 2008-10-08 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-08 18:06 . 2008-10-08 18:40 65,428 --a------ C:\WINDOWS\system32\wini104552502.exe
2008-10-08 18:05 . 2008-10-08 20:44 156 --a------ C:\Documents and Settings\Administrator\delself.bat
2008-10-05 20:02 . 2008-10-05 20:02 94,208 --a------ C:\WINDOWS\system32\pabolsbu.exe
2008-10-05 08:14 . 2008-10-05 08:14 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-10-05 08:13 . 2008-10-05 08:13 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-05 07:48 . 2008-10-05 07:48 <DIR> d-------- E:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-05 07:48 . 2008-10-05 07:48 <DIR> d-------- E:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-05 07:12 . 2008-10-05 07:12 98,304 --a------ C:\WINDOWS\system32\ihmfkpaj.exe
2008-09-15 22:55 . 2008-09-15 22:55 <DIR> d-------- E:\Program Files\RdDrv001
2008-09-15 22:55 . 2006-09-29 02:14 204,800 --a------ C:\WINDOWS\system32\RDDP1027.DAT
2008-09-15 22:55 . 2006-09-28 05:44 79,393 --a------ C:\WINDOWS\system32\drivers\Rdwm1027.sys
2008-09-15 22:55 . 2006-09-28 04:19 57,344 --a------ C:\WINDOWS\system32\RDCP1027.CPL
2008-09-15 22:55 . 2006-09-28 04:17 10,886 --a------ C:\WINDOWS\system32\RdCi1027.dll
2008-09-15 22:55 . 2006-09-27 09:05 4,088 --a------ C:\WINDOWS\system32\Rd3t1027.DAT
2008-09-11 19:44 . 2008-09-11 19:44 <DIR> d-------- C:\Program Files\Common Files\Realtime Soft
2008-09-11 19:44 . 2008-09-11 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-09-11 19:44 . 2008-09-11 19:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-09-10 23:59 . 2008-09-11 00:31 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-09-10 23:58 . 2008-09-10 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 17:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Orbit
2008-10-08 18:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-10-05 09:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-10-05 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-05 05:10 183,120 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-05 05:10 137,480 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-01 14:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-19 11:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-09-19 11:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-09-08 22:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-22 01:00 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-08-18 11:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-07-22 00:42 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-07-10 22:58 58,904 ----a-w C:\WINDOWS\system32\azipcontmn.dll
2007-12-03 22:58 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-09-25 02:26 19,912 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2006-05-30 08:28 1289728 cca49b59735bb6efe1f22ac414ff4041 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-05-30 15360]
"Steam"="F:\Program Files\Steam\Steam.exe" [2008-10-07 1410296]
"Veoh"="F:\Program Files\veoh\VeohClient.exe" [2008-08-13 3660848]
"SetDefaultMIDI"="MIDIDef.exe" [2005-10-22 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 90112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"IntelliPoint"="E:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"DeathAdder"="E:\Program Files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-11 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-11 81920]
"RivaTuner"="F:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-30 2650112]
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="F:\ProgramFiles\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"UltraMon"="F:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 299520]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2006-05-30 172544]
"CTHelper"="CTHELPER.EXE" [2005-10-22 C:\WINDOWS\CTHELPER.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-11 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2006-08-15 995328]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\admshui]
--a------ 2008-10-05 07:12 98304 C:\WINDOWS\system32\ihmfkpaj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Quicker Help]
--a------ 2006-06-01 16:27 3167232 E:\Program Files\ASUS\ASUS DH Remote\AsRc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chkinfomsg]
--a------ 2008-10-08 20:44 98304 C:\WINDOWS\system32\zmnovqnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-07-19 08:02 2887680 E:\Program Files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-05-11 02:46 200069 E:\Program Files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-05-18 11:29 49152 F:\video\powerdvd\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2006-05-30 08:28 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 F:\video\powerdvd\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-19 19:22 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\utilaplsys]
--a------ 2008-10-05 20:02 94208 C:\WINDOWS\system32\pabolsbu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\StubInstaller.exe"=
"E:\\Program Files\\Utils\\LimeWire\\LimeWire.exe"=
"E:\\Program Files\\Utils\\eMule\\emule.exe"=
"E:\\Program Files\\Utils\\Azureus\\Azureus.exe"=
"F:\\ProgramFiles\\3DsMax8\\3dsmax.exe"=
"F:\\video\\Backburner\\monitor.exe"=
"F:\\video\\Backburner\\manager.exe"=
"F:\\video\\Backburner\\server.exe"=
"F:\\ProgramFiles\\Soulseek\\slsk.exe"=
"E:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"E:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"F:\\ProgramFiles\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"E:\\Program Files\\Xfire\\xfire.exe"=
"E:\\Program Files\\mIRC\\mirc.exe"=
"E:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"F:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"F:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"F:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"F:\\ProgramFiles\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2007-08-02 22784]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 CyUsb;Cypress Generic USB Driver;C:\WINDOWS\system32\Drivers\CyUsb.sys [2005-03-03 31104]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\WINDOWS\system32\Drivers\MayPro.sys [2006-05-05 12160]
S3 PEEK5;PEEK5 Protocol Driver;F:\MYDOCS~1\AIRCRA~1.2-W\bin\PEEK5.SYS [ ]
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2006-09-28 79393]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-05-22 175872]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c157a676-3430-11dc-b7a6-001731c4429a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.scienceofsleep.net
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DeskCalc - f:\program files\deskcalc pro\deskcalc.exe
HKLM-Run-SNM - F:\Program Files\SpyNoMore\SNM.exe
HKLM-Explorer_Run-9I21gRLDQ2 - C:\Documents and Settings\All Users\Application Data\chsxypcz\yzkxyniz.exe
SSODL-chkcomwin-{5B5138A4-F5C9-EA13-C2E0-02C993932DFF} - E:\Program Files\ioazzzc\chkcomwin.dll
MSConfigStartUp-QuickTime Task - E:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-brastk - brastk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\azr50ssd.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ie/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 18:41:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
F:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
E:\Program Files\Razer\DeathAdder\razertra.exe
E:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-10-09 18:43:19 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-10-09 17:43:10

Pre-Run: 4,013,948,928 bytes free
Post-Run: 3,913,232,384 bytes free

225

jaws104
2008-10-09, 20:47
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:35, on 09/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\WINDOWS\system32\rundll32.exe
F:\Program Files\UltraMon\UltraMon.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Razer\DeathAdder\razertra.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Razer\DeathAdder\razerofa.exe
F:\Program Files\Steam\Steam.exe
F:\Program Files\veoh\VeohClient.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Program Files\veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DeathAdder] E:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "F:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\ProgramFiles\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\veoh\VeohClient.exe" /VeohHide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9858E2D8-26F3-488D-B0DD-F36AE70688E1}: NameServer = 194.46.192.141,194.46.192.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{71D31822-81A7-4564-BE10-B481076A186B}: NameServer = 194.46.192.141
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - F:\ProgramFiles\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7243 bytes

Shaba
2008-10-09, 20:49
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

jaws104
2008-10-09, 20:53
3DMark05
3DMark06
3DS Max DDS Plug-In
7-Zip 4.42
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Premiere Pro 2.0
Adobe Reader 7.0
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
AlphaZIP [Trial]
AnalogX NetStat Live
Apple Software Update
Applian FLV Player
ASUS DH Remote
ASUS WiFi-AP Solo
AsusUpdate
ATITool Overclocking Utility
Autodesk 3ds Max 8
Autodesk 3ds Max 8 Architectural Materials
Autodesk 3ds Max 8 Reference Files
Autodesk DWF Viewer
AutoHotkey 1.0.47.02
Azureus
Backburner
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Battlefield 2142
BF2142 1.25 Clan mod v 2.10
BF2142Pro 1.1
BioShock
Black & WhiteŽ 2
Bonjour
Calculator
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CC Get MAC Address 2.2
Close Combat Cross of Iron
Company of Heroes
Creative Jukebox Driver
CryEngine(R)2 Sandbox(TM)2
Crysis(R)
Cycling '74 Pluggo v3.5.1
DellTouch
Deus Ex
Diablo II
Digital Audio System
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
Driver Cleaner 3
DShow Viewer
EA Link
EA SPORTS online 2007
E-MU PatchMix DSP
eMule
Europa Universalis III
EVE Launcher 1.0.4
Eve Miner Tool 1.4.0.5
EVEMon
EVE-ONLINE (remove only)
EVEREST Ultimate Edition v3.01
Fallout2
Fraps (remove only)
Google Earth
Half-Life 2: Episode Two
Half-Life(R) 2
Hero Editor V0.96
Hero Editor V0.96 (f:\Program Files\Diablo II\mods\hero\)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP USB Disk Storage Format Tool
iTunes
J2SE Runtime Environment 5.0 Update 8
KeyTweak - Keyboard Remapper (remove only)
LimeWire 4.12.15
MadOnion.com/3DMark2001 SE
Marvell Miniport Driver
MetalGearSolid2 Substance
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mIRC
Moffsoft Calculator 2
MotoGP URT 3
Mozilla Firefox (2.0.0.6)
MP3 Splitter & Joiner 3.27
MSXML 6.0 Parser
N.I. Kontakt v2.1.1
Native Instruments Absynth v3.0
Native Instruments B4 Tone Wheels Bundle v1.11
Native Instruments Battery v2.0
Native Instruments Electronic Instruments 2 XT
Native Instruments FM7
Native Instruments Reaktor v5.1.0
Native Instruments Reaktor v5.1.0 Addon
Native_Instruments_Reaktor_v5_User_Library_SEQUENZERS_ADDON
Nero Suite
NetTools 5.0
NifSkope (remove only)
NVIDIA DDS Utilities
NVIDIA Drivers
NVIDIA Photoshop Plug-ins
Oblivion
Oblivion - Construction Set
Oblivion - Knights of the Nine
Oblivion - Spell Tomes
OpenAL
Orbit
PC Probe II
Portal
PowerDVD
PunkBuster Services
QuickTime
Rainbow Six Vegas
Razer DeathAdder(TM) Mouse
RealPlayer
Realtek High Definition Audio Driver
Reason 3.0
ReBirth RB-338 2.0
RivaTuner v2.06
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Task Manager 1.7
Seismovision 3 (remove only)
Sid Meier's Civilization 4
Sins of a Solar Empire
Sins of a Solar Empire
Sony Sound Forge 8.0d
SoulSeek Client 156c
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SSF Realism Mod v2.2 For Swat4 The Original
Steam
Steinberg Cubase SX v3.0.2.623
SWAT 4
SWAT 4 - The Stetchkov Syndicate
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
Team Fortress 2
TeamSpeak 2 RC2
TES Construction Set
The Core Media Player 4.0
The Longest Journey
The Witcher
Tiger Woods PGA TOUR 07
TigerGame PS/PS2 Game Controller Adapter
Tom Clancy's Ghost Recon Advanced WarfighterŽ 2
Tom Clancy's Splinter Cell Chaos Theory
UFO Aftershock
UltraMon
URL Snooper v2.22.01
Ventrilo Client
VeohTV BETA
VideoLAN VLC media player 0.8.5
ViewSonic Monitor Drivers
Waves Diamond Bundle v5.2
Westwood Shared Internet Components
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
WinRAR archiver
World in Conflict - DEMO
X Plugin Manager 2.12
X Script Manager 1.85
X3 Bonus Package 3.1.07
X3 Sector Planner
X3: Reunion v1.4.03
Xfire (remove only)
Zen Micro Media Explorer

Shaba
2008-10-09, 20:55
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus
eMule
LimeWire 4.12.15
SoulSeek Client 156c

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall log scan when finished and post the log back here.

jaws104
2008-10-13, 22:22
I have a couple of new questionable entries on hjt now too btw

3DMark05
3DMark06
3DS Max DDS Plug-In
7-Zip 4.42
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Premiere Pro 2.0
Adobe Reader 7.0
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
AlphaZIP [Trial]
AnalogX NetStat Live
Apple Software Update
Applian FLV Player
ASUS DH Remote
ASUS WiFi-AP Solo
AsusUpdate
ATITool Overclocking Utility
Autodesk 3ds Max 8
Autodesk 3ds Max 8 Architectural Materials
Autodesk 3ds Max 8 Reference Files
Autodesk DWF Viewer
AutoHotkey 1.0.47.02
Backburner
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Battlefield 2142
BF2142 1.25 Clan mod v 2.10
BF2142Pro 1.1
BioShock
Black & WhiteŽ 2
Bonjour
Calculator
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CC Get MAC Address 2.2
Close Combat Cross of Iron
Company of Heroes
Creative Jukebox Driver
CryEngine(R)2 Sandbox(TM)2
Crysis(R)
Cycling '74 Pluggo v3.5.1
DellTouch
Deus Ex
Diablo II
Digital Audio System
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
Driver Cleaner 3
DShow Viewer
EA Link
EA SPORTS online 2007
E-MU PatchMix DSP
Europa Universalis III
EVE Launcher 1.0.4
Eve Miner Tool 1.4.0.5
EVEMon
EVE-ONLINE (remove only)
EVEREST Ultimate Edition v3.01
Fallout2
Fraps (remove only)
Google Earth
Half-Life 2: Episode Two
Half-Life(R) 2
Hero Editor V0.96
Hero Editor V0.96 (f:\Program Files\Diablo II\mods\hero\)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP USB Disk Storage Format Tool
iTunes
J2SE Runtime Environment 5.0 Update 8
KeyTweak - Keyboard Remapper (remove only)
MadOnion.com/3DMark2001 SE
Marvell Miniport Driver
MetalGearSolid2 Substance
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mIRC
Moffsoft Calculator 2
MotoGP URT 3
Mozilla Firefox (2.0.0.6)
MP3 Splitter & Joiner 3.27
MSXML 6.0 Parser
N.I. Kontakt v2.1.1
Native Instruments Absynth v3.0
Native Instruments B4 Tone Wheels Bundle v1.11
Native Instruments Battery v2.0
Native Instruments Electronic Instruments 2 XT
Native Instruments FM7
Native Instruments Reaktor v5.1.0
Native Instruments Reaktor v5.1.0 Addon
Native_Instruments_Reaktor_v5_User_Library_SEQUENZERS_ADDON
Nero Suite
NetTools 5.0
NifSkope (remove only)
NVIDIA DDS Utilities
NVIDIA Drivers
NVIDIA Photoshop Plug-ins
Oblivion
Oblivion - Construction Set
Oblivion - Knights of the Nine
Oblivion - Spell Tomes
Orbit
PC Probe II
Portal
PowerDVD
PunkBuster Services
QuickTime
Rainbow Six Vegas
Razer DeathAdder(TM) Mouse
RealPlayer
Realtek High Definition Audio Driver
Reason 3.0
ReBirth RB-338 2.0
RivaTuner v2.06
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Seismovision 3 (remove only)
Sid Meier's Civilization 4
Sins of a Solar Empire
Sins of a Solar Empire
Sony Sound Forge 8.0d
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SSF Realism Mod v2.2 For Swat4 The Original
Steam
Steinberg Cubase SX v3.0.2.623
SWAT 4
SWAT 4 - The Stetchkov Syndicate
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
Team Fortress 2
TeamSpeak 2 RC2
TES Construction Set
The Core Media Player 4.0
The Longest Journey
The Witcher
Tiger Woods PGA TOUR 07
TigerGame PS/PS2 Game Controller Adapter
Tom Clancy's Ghost Recon Advanced WarfighterŽ 2
Tom Clancy's Splinter Cell Chaos Theory
UFO Aftershock
UltraMon
URL Snooper v2.22.01
Ventrilo Client
VeohTV BETA
VideoLAN VLC media player 0.8.5
ViewSonic Monitor Drivers
Waves Diamond Bundle v5.2
Westwood Shared Internet Components
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
WinRAR archiver
World in Conflict - DEMO
X Plugin Manager 2.12
X Script Manager 1.85
X3 Bonus Package 3.1.07
X3 Sector Planner
X3: Reunion v1.4.03
Xfire (remove only)
Zen Micro Media Explorer

jaws104
2008-10-13, 22:28
http://img143.imageshack.us/img143/6633/solutionclasstk4.th.jpg (http://img143.imageshack.us/my.php?image=solutionclasstk4.jpg)http://img143.imageshack.us/images/thpix.gif (http://g.imageshack.us/thpix.php)

Shaba
2008-10-13, 22:30
What entries do you mean?

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drivers\beep.sys

Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

jaws104
2008-10-13, 22:44
Sorry bout formatting - not sure what you wanted me to do with beep thing


A-Squared Found nothing
AntiVir Found TR/Dldr.BHO.PE
ArcaVir Found Trojan.Psw.Qqpass.Wb
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found BHO.FCU
BitDefender Found Trojan.Generic.750253
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.BHO.pe
Dr.Web Found Trojan.Popuper.7420
F-Prot Antivirus Found W32/Downldr2.DQCH
F-Secure Anti-Virus Found Trojan-Downloader.Win32.BHO.pe
G DATA Found nothing
Ikarus Found Trojan-Downloader.Win32.BHO.pe
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.BHO.pe
NOD32 Found probably a variant of Win32/TrojanClicker.Agent.NEB (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.BHO.pe

Shaba
2008-10-13, 22:46
Are those scan results of C:\WINDOWS\system32\drivers\beep.sys?

jaws104
2008-10-13, 22:49
No that's the result of scanning nt2vbcn.dll which is the unremovable file spybot picked up - you can see it in the image i posted above

I also scanned beep.sys but it came up all clear -

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Shaba
2008-10-14, 15:56
I still don't believe that it would be clean (due to time modified) and we take no risks.

Download clean beep.sys from here (http://andymanchesta.com/Files/XP/beep.sys ) and copy it to C:\WINDOWS\system32\drivers\ and
C:\WINDOWS\system32\dllcache folders.

After that:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\zmnovqnc.exe
C:\WINDOWS\system32\wini104552502.exe
C:\Documents and Settings\Administrator\delself.bat
C:\WINDOWS\system32\pabolsbu.exe
C:\WINDOWS\system32\ihmfkpaj.exe
C:\WINDOWS\system32\nt2vbcn.dll

Folder::
C:\Documents and Settings\Administrator\Application Data\Azureus

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\StubInstaller.exe"=-
"E:\\Program Files\\Utils\\LimeWire\\LimeWire.exe"=-
"E:\\Program Files\\Utils\\eMule\\emule.exe"=-
"E:\\Program Files\\Utils\\Azureus\\Azureus.exe"=-
"F:\\ProgramFiles\\Soulseek\\slsk.exe"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

jaws104
2008-10-19, 00:03
ComboFix 08-10-18.01 - Administrator 2008-10-18 21:59:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1460 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFSCRIPT.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\delself.bat
C:\WINDOWS\system32\ihmfkpaj.exe
C:\WINDOWS\system32\nt2vbcn.dll
C:\WINDOWS\system32\pabolsbu.exe
C:\WINDOWS\system32\wini104552502.exe
C:\WINDOWS\system32\zmnovqnc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Azureus
C:\Documents and Settings\Administrator\Application Data\Azureus\.certs
C:\Documents and Settings\Administrator\Application Data\Azureus\.keystore
C:\Documents and Settings\Administrator\Application Data\Azureus\.lock
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile1.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile10.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile17.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile18.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile19.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile20.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile3.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile4.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile5.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile6.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile7.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile8.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\08E68D2E3812E87403ABB974B40605C503374C26\fmfile9.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\0BCA512E8CA5C5207108E41D01D0CEC6B40A8DF4.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\0BCA512E8CA5C5207108E41D01D0CEC6B40A8DF4.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\219EF2D49D43D9C5089A0A4DFED098198A766FE2.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\219EF2D49D43D9C5089A0A4DFED098198A766FE2.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\24DCA2D5C5AD565727CA36F66B182D8F92C495AE.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\24DCA2D5C5AD565727CA36F66B182D8F92C495AE.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\2DD5638A95C4A4B8756FD1B796C12644B543FCE0.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\2DD5638A95C4A4B8756FD1B796C12644B543FCE0.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\30B0F399310CCEB5FDBF0158FC2F8D46B6BE7F0B.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\30B0F399310CCEB5FDBF0158FC2F8D46B6BE7F0B.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\3D98B939904F4759D262B1C29D39E4E77BFE5280.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\3D98B939904F4759D262B1C29D39E4E77BFE5280.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\3D98B939904F4759D262B1C29D39E4E77BFE5280\fmfile1.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\3F7EC5F6E333B6108EA1B5A84975599682DF0884.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\3F7EC5F6E333B6108EA1B5A84975599682DF0884.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\45767D3BF06B1B44F1603C1962B52EBD700700D2.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\45767D3BF06B1B44F1603C1962B52EBD700700D2.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\59F4AB91820E38BDB8023FE9AD764CD7D4F108F4.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\59F4AB91820E38BDB8023FE9AD764CD7D4F108F4.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5C7A0C305610D2B89B7A857C1664A3DFDB5545B9.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5C7A0C305610D2B89B7A857C1664A3DFDB5545B9.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5DB6119D34F1CA6AAE609FFE849582BF4AACDB3D.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5DB6119D34F1CA6AAE609FFE849582BF4AACDB3D.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5E33D3F73BECBE416359AD032CB46E16DE146B24.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\5E33D3F73BECBE416359AD032CB46E16DE146B24.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\61CFE790BD87E8AD23C130E5CA044FFEC9ED1672.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\61CFE790BD87E8AD23C130E5CA044FFEC9ED1672.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\62B3660F444A472897ABD20C7130E9F3182451BD.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\62B3660F444A472897ABD20C7130E9F3182451BD.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\672C6823C81AE793D2563A92D07E1B69D64AE99F.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\672C6823C81AE793D2563A92D07E1B69D64AE99F.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\67478A7C353518760BC4B8E64E9C1C7918B05808.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\67478A7C353518760BC4B8E64E9C1C7918B05808.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\7E5D73BBBE956E002486CB0126B1CF359ABA1DE4.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\7E5D73BBBE956E002486CB0126B1CF359ABA1DE4.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\8EA2E2715E273885CB207E7B43D82E88CC3FCCCC.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\8EA2E2715E273885CB207E7B43D82E88CC3FCCCC.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\9790663AC3F9FB447A48B4EE48075F25037388B6.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\9790663AC3F9FB447A48B4EE48075F25037388B6.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\97AB8B91995EB6D18E499A79AE79690223CDF5A6.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\97AB8B91995EB6D18E499A79AE79690223CDF5A6.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\A62FA1C79E7394B889D0D9A80F8E4ADAA911F7F4.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\A62FA1C79E7394B889D0D9A80F8E4ADAA911F7F4.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AC01364F2EE88AB5F02A3E8B6EFBBDC4F0D9C0D9.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AC01364F2EE88AB5F02A3E8B6EFBBDC4F0D9C0D9.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AC90766B6CEF0335C860BD4E394D549781609FA1.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AC90766B6CEF0335C860BD4E394D549781609FA1.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AF9B51788A0A5B22176C48B07DCE428F768722F6.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\AF9B51788A0A5B22176C48B07DCE428F768722F6.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\B9E434B69FD761030B3462264B9D7DA748961F3B.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\B9E434B69FD761030B3462264B9D7DA748961F3B.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\cache.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\CB126A3F643E140015B543EA30ABB06BC4390ED9.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\CB126A3F643E140015B543EA30ABB06BC4390ED9.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\D6260E2B69F9C7D0DD5D87A6AEBDD9662F79C040.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\D6260E2B69F9C7D0DD5D87A6AEBDD9662F79C040.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\D882733551FF191F0EA543A29E7A473081528074.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\D882733551FF191F0EA543A29E7A473081528074.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DBE3F1B0B99C7C3D825BBEA58EB12CD235861EFD.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DBE3F1B0B99C7C3D825BBEA58EB12CD235861EFD.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DE5BA75C6A82EDAB575439AB5675251C070583C7.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DE5BA75C6A82EDAB575439AB5675251C070583C7.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DF60DC8272724BC2373664FAA9FB02B2E0B18186.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\DF60DC8272724BC2373664FAA9FB02B2E0B18186.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\E408B7B15249293C4C662B22DD4E237342AC766D.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\E408B7B15249293C4C662B22DD4E237342AC766D.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\EC04769E54C2C4DE0A2D2FA25FE180934EA243F2.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\EC04769E54C2C4DE0A2D2FA25FE180934EA243F2.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\F4069C1BD1879798F92485959F95BAAD6A4DD9DC.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\F4069C1BD1879798F92485959F95BAAD6A4DD9DC.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\F60248F57621FDE2F4D87B31814DE4C9635349BA.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\F60248F57621FDE2F4D87B31814DE4C9635349BA.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FAB5BD4AF7B798A873899D156C21C29109C90821.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FAB5BD4AF7B798A873899D156C21C29109C90821.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FEF8ABEE49C444FA762B05767C3D588776FCCF9E.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FEF8ABEE49C444FA762B05767C3D588776FCCF9E.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FFEE8E5AB9DFF4524079107193071A6E7A9DF64E.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\active\FFEE8E5AB9DFF4524079107193071A6E7A9DF64E.dat.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\azureus.config
C:\Documents and Settings\Administrator\Application Data\Azureus\azureus.config.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\azureus.statistics
C:\Documents and Settings\Administrator\Application Data\Azureus\azureus.statistics.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\banips.config
C:\Documents and Settings\Administrator\Application Data\Azureus\banips.config.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\dht\addresses.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\dht\contacts.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\dht\diverse.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\dht\general.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\dht\version.dat
C:\Documents and Settings\Administrator\Application Data\Azureus\downloads.config
C:\Documents and Settings\Administrator\Application Data\Azureus\downloads.config.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\filters.config
C:\Documents and Settings\Administrator\Application Data\Azureus\ipfilter.cache
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\alerts_1.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\debug_1.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\debug_2.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\seltrace_1.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\seltrace_2.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\thread_1.log
C:\Documents and Settings\Administrator\Application Data\Azureus\logs\thread_2.log
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50750.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50751.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50752.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50753.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50754.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tmp\AZU50755.tmp
C:\Documents and Settings\Administrator\Application Data\Azureus\tracker.config
C:\Documents and Settings\Administrator\Application Data\Azureus\tracker.config.bak
C:\Documents and Settings\Administrator\Application Data\Azureus\update.log
C:\Documents and Settings\Administrator\Application Data\Azureus\update.properties
C:\Documents and Settings\Administrator\delself.bat
C:\WINDOWS\system32\32m7jqRH.exe.a_a
C:\WINDOWS\system32\37U7v65n.exe
C:\WINDOWS\system32\37U7v65n.exe.a_a
C:\WINDOWS\system32\37U7v65n.exe_
C:\WINDOWS\system32\ihmfkpaj.exe
C:\WINDOWS\system32\nt2dVbcN.dll
C:\WINDOWS\system32\pabolsbu.exe
C:\WINDOWS\system32\wini104552502.exe
C:\WINDOWS\system32\zmnovqnc.exe
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job

.
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-13 01:34 . 2008-10-13 01:34 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-10-12 02:26 . 2008-10-18 15:14 69,632 --a------ C:\WINDOWS\system32\nt2dVbcN.dl_
2008-10-11 19:49 . 2008-10-11 19:48 30,272 --a------ C:\WINDOWS\system32\32m7jqRH.exe
2008-10-08 21:12 . 2008-10-08 21:19 3,104 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-08 20:52 . 2008-10-08 20:52 <DIR> d-------- C:\VundoFix Backups
2008-10-08 20:44 . 2008-10-18 21:53 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-08 20:44 . 2008-10-18 21:53 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-10-08 19:03 . 2008-10-08 19:03 <DIR> d-------- E:\Program Files\Lavasoft
2008-10-08 19:03 . 2008-10-08 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-08 18:15 . 2008-10-08 18:15 <DIR> d-------- E:\Program Files\AVG
2008-10-08 18:15 . 2008-10-08 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-05 08:14 . 2008-10-05 08:14 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-10-05 08:13 . 2008-10-05 08:13 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-05 07:48 . 2008-10-05 07:48 <DIR> d-------- E:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-05 07:48 . 2008-10-05 07:48 <DIR> d-------- E:\Program Files\SDHelper (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 23:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Orbit
2008-10-13 19:19 --------- d-----w E:\Program Files\Utils
2008-10-13 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-10-08 18:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-10-05 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-05 05:10 183,120 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-05 05:10 137,480 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-01 14:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-19 11:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-09-19 11:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-09-15 21:55 --------- d-----w E:\Program Files\RdDrv001
2008-09-11 18:44 --------- d-----w C:\Program Files\Common Files\Realtime Soft
2008-09-11 18:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-09-11 18:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-09-10 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-09-08 22:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-22 01:00 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-08-18 11:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-07-22 00:42 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-12-03 22:58 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-09-25 02:26 19,912 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2006-05-30 08:28 668672 e8183db3295a0d7104b978351418b51f C:\WINDOWS\system32\wininet.dll

2006-05-30 08:28 1289728 cca49b59735bb6efe1f22ac414ff4041 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-09_18.42.52.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-13 18:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2006-05-30 07:28:14 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
- 2007-08-13 18:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2006-05-30 07:28:14 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
- 2006-09-23 13:12:50 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2006-05-30 07:28:14 1,025,024 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-08-13 18:42:54 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
+ 2006-05-30 07:28:14 35,328 ----a-w C:\WINDOWS\system32\corpol.dll
- 2007-08-13 18:39:20 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2006-05-30 07:28:14 61,440 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2007-08-13 18:39:00 123,904 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2006-05-30 07:28:14 99,840 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-05-30 07:28:14 66,560 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2008-07-18 21:10:48 94,920 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2007-08-13 18:42:54 17,408 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
+ 2006-05-30 07:28:14 35,328 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
- 2007-08-13 18:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2006-05-30 07:28:14 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-13 18:35:38 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2006-05-30 07:28:14 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-13 18:54:10 131,584 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2006-05-30 07:28:14 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-13 18:39:06 54,784 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2006-05-30 07:28:14 34,304 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-13 18:39:26 152,064 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2006-05-30 07:28:14 139,264 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-13 17:56:54 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2006-05-30 07:28:14 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-13 18:39:50 382,976 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2006-05-30 07:28:14 323,584 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-13 18:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2006-05-30 07:28:14 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-08-13 18:45:18 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2006-05-30 07:28:14 81,920 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2007-08-13 18:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2006-05-30 07:28:14 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-08-13 18:39:12 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2006-05-30 07:28:14 62,976 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2007-08-13 18:36:06 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2006-05-30 07:28:14 35,840 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2007-08-13 18:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2006-05-30 07:28:14 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-08-13 18:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2006-05-30 07:28:14 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-08-13 18:54:10 27,136 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2006-05-30 07:28:14 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-13 18:44:18 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2006-05-30 07:28:14 22,016 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2007-08-13 18:32:30 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2006-05-30 07:28:14 29,184 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2007-08-13 18:54:10 475,648 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2006-05-30 07:28:14 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-13 18:01:12 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2006-05-30 07:28:14 56,832 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2007-08-13 18:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2006-05-30 07:28:14 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2007-08-13 18:44:26 192,000 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2006-05-30 07:28:14 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-13 18:54:10 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-05-30 07:28:14 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-13 18:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-05-30 07:28:14 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-08-13 18:54:10 413,696 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2006-05-30 07:28:14 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-08-13 18:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2006-05-30 07:28:14 848,384 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2006-05-30 07:28:14 430,592 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2008-07-18 21:09:44 563,912 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2006-05-30 07:28:14 111,104 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2008-07-18 21:10:42 53,448 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2006-05-30 07:28:14 1,134,592 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2008-07-18 21:09:42 1,811,656 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2006-05-30 07:28:14 112,640 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2008-07-18 21:09:46 325,832 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2006-05-30 07:28:14 36,864 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-18 21:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2006-05-30 07:28:14 120,320 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 21:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2007-08-13 18:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2006-05-30 07:28:14 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-13 18:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-05-30 07:28:14 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-13 18:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2006-05-30 07:28:14 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-13 18:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2006-05-30 07:28:14 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-13 18:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2006-05-30 07:28:14 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-13 18:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2006-05-30 07:28:14 233,472 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-13 17:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2006-05-30 07:28:14 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-13 18:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2006-05-30 07:28:14 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-13 18:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2006-05-30 07:28:14 81,920 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2007-08-13 18:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-05-30 07:28:14 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-13 18:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2006-05-30 07:28:14 62,976 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-13 18:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2006-05-30 07:28:14 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2007-08-13 18:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2006-05-30 07:28:14 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2007-08-13 18:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2006-05-30 07:28:14 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-08-13 18:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2006-05-30 07:28:14 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-08-13 18:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2006-05-30 07:28:14 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-08-13 18:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2006-05-30 07:28:14 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2007-08-13 18:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2006-05-30 07:28:14 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
- 2007-08-13 18:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-05-30 07:28:14 3,123,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-13 18:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2006-05-30 07:28:14 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-13 18:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2006-05-30 07:28:14 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2007-08-13 18:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2006-05-30 07:28:14 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
- 2007-08-13 18:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2006-05-30 07:28:14 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-13 18:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-05-30 07:28:14 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-13 18:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
+ 2006-05-30 07:28:14 387,584 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-08-13 18:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2006-05-30 07:28:14 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-09-23 13:12:50 1,497,088 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-05-30 07:28:14 2,099,200 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2006-09-23 13:12:50 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2006-05-30 07:28:14 477,696 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-07-18 21:10:20 36,552 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
- 2007-08-13 18:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2006-05-30 07:28:14 49,664 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-13 18:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-05-30 07:28:14 623,616 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-13 18:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2006-05-30 07:28:14 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2007-08-13 18:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2006-05-30 07:28:14 439,808 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-05-30 15360]
"Steam"="F:\Program Files\Steam\Steam.exe" [2008-10-07 1410296]
"Veoh"="F:\Program Files\veoh\VeohClient.exe" [2008-08-13 3660848]
"SetDefaultMIDI"="MIDIDef.exe" [2005-10-22 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 90112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"IntelliPoint"="E:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"DeathAdder"="E:\Program Files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-11 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-11 81920]
"RivaTuner"="F:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-30 2650112]
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="F:\ProgramFiles\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"UltraMon"="F:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 299520]
"CTHelper"="CTHELPER.EXE" [2005-10-22 C:\WINDOWS\CTHELPER.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-11 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
ASUS WiFi-AP Solo.lnk - C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe [2006-08-15 995328]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Quicker Help]
--a------ 2006-06-01 16:27 3167232 E:\Program Files\ASUS\ASUS DH Remote\AsRc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-07-19 08:02 2887680 E:\Program Files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-05-11 02:46 200069 E:\Program Files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-05-18 11:29 49152 F:\video\powerdvd\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2006-05-30 08:28 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 F:\video\powerdvd\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-19 19:22 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\ProgramFiles\\3DsMax8\\3dsmax.exe"=
"F:\\video\\Backburner\\monitor.exe"=
"F:\\video\\Backburner\\manager.exe"=
"F:\\video\\Backburner\\server.exe"=
"E:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"E:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"F:\\ProgramFiles\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"F:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"E:\\Program Files\\Xfire\\xfire.exe"=
"E:\\Program Files\\mIRC\\mirc.exe"=
"E:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"F:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"F:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"F:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"F:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"F:\\ProgramFiles\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 DAdderFltr;DeathAdder Mouse;C:\WINDOWS\system32\drivers\dadder.sys [2007-08-02 22784]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S3 CyUsb;Cypress Generic USB Driver;C:\WINDOWS\system32\Drivers\CyUsb.sys [2005-03-03 31104]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;C:\WINDOWS\system32\Drivers\MayPro.sys [2006-05-05 12160]
S3 PEEK5;PEEK5 Protocol Driver;F:\MYDOCS~1\AIRCRA~1.2-W\bin\PEEK5.SYS [ ]
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2006-09-28 79393]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-05-22 175872]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c157a676-3430-11dc-b7a6-001731c4429a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.scienceofsleep.net
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-10-17 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-17 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-17 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-18 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-12 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]

2008-10-11 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\32m7jqRH.exe [2008-10-11 19:48]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-admshui - C:\WINDOWS\system32\ihmfkpaj.exe
MSConfigStartUp-chkinfomsg - C:\WINDOWS\system32\zmnovqnc.exe
MSConfigStartUp-utilaplsys - C:\WINDOWS\system32\pabolsbu.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 22:01:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-18 22:01:54
ComboFix-quarantined-files.txt 2008-10-18 21:01:26
ComboFix2.txt 2008-10-09 17:43:19

Pre-Run: 3,572,858,880 bytes free
Post-Run: 3,847,086,080 bytes free

543

jaws104
2008-10-19, 00:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:11, on 18/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Razer\DeathAdder\razerhid.exe
F:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\veoh\VeohClient.exe
E:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
E:\Program Files\Razer\DeathAdder\razertra.exe
F:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
E:\Program Files\Razer\DeathAdder\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Program Files\veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DeathAdder] E:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "F:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\ProgramFiles\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UltraMon] "F:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Veoh] "F:\Program Files\veoh\VeohClient.exe" /VeohHide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9858E2D8-26F3-488D-B0DD-F36AE70688E1}: NameServer = 194.46.192.141,194.46.192.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{71D31822-81A7-4564-BE10-B481076A186B}: NameServer = 194.46.192.141
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - F:\ProgramFiles\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - F:\ProgramFiles\3DsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6478 bytes

Shaba
2008-10-19, 12:12
Install one antivirus from below:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

After that:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\nt2dVbcN.dl_
C:\WINDOWS\system32\32m7jqRH.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Shaba
2008-10-24, 11:10
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.