Painful reoccurring malware



Skeckulous
2009-07-07, 09:53
And the cat came back...

Keep having various viruses, trojans and malware coming back.
I've unhooked it from the net because whenever it's connected I just get loads of Symantec "e-mail blocked" messages.

Did a HJT run and these don't look so hot:

O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\SKECKU~1.SCO\LOCALS~1\Temp\n7mdath.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{EEF4A14A-95C7-400B-AAD4-BF98210D8762}: NameServer = 66.75.160.63,66.75.160.64



Here's the full HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:34 PM, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Skeckulous.SCOTT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlayOn] C:\Program Files\MediaMall\PlayOn.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\SKECKU~1.SCO\LOCALS~1\Temp\n7mdath.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEF4A14A-95C7-400B-AAD4-BF98210D8762}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7890 bytes


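The two entries singled out above (an autostart pointing into a user's Temp directory under a random-looking key name, and a per-adapter NameServer override) are the kind of thing a reviewer checks first in a HijackThis log. The script below is an added example, not code from HijackThis or from anyone in this thread: it runs a few of those triage heuristics over a constructed excerpt in HJT log format. The `expected_dns` set is an assumption supplied by the caller (for instance the ISP's published resolvers); with it empty, the O17 line is reported for review rather than declared malicious, which is exactly why the helper asks which ISP is in use. The AppInit_DLLs and orphaned-entry checks are general review heuristics, not a verdict on the files in this log.

```python
"""Triage a HijackThis (HJT) log with a few heuristics.

Added example for this thread; it is not part of HijackThis or of any tool
used in the thread.  SAMPLE_LOG is a constructed excerpt in HJT format that
reproduces the kinds of entries discussed.  expected_dns is an assumption the
caller supplies (e.g. the ISP's published resolvers).
"""
import re
from typing import Dict, FrozenSet, List

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\SKECKU~1.SCO\LOCALS~1\Temp\n7mdath.exe
O4 - Startup: uTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEF4A14A-95C7-400B-AAD4-BF98210D8762}: NameServer = 66.75.160.63,66.75.160.64
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
"""

# Autostart binaries living in a per-user Temp directory are a classic dropper
# location; legitimately installed software lives elsewhere.
TEMP_DIR = re.compile(r"\\(temp|locals~1\\temp|local settings\\temp)\\", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)\s*$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

Finding = Dict[str, str]


def looks_random(name: str) -> bool:
    """Long, space-free letters-and-digits Run key names are typical of
    machine-generated malware names (a heuristic, not proof)."""
    return len(name) >= 16 and name.isalnum() and any(c.isdigit() for c in name)


def triage(log_text: str, expected_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one finding per suspicious or review-worthy HJT line."""
    findings: List[Finding] = []

    def add(sev: str, line: str, why: str) -> None:
        findings.append({"severity": sev, "line": line, "reason": why})

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name") or "", m.group("cmd")
            reasons = []
            if TEMP_DIR.search(cmd):
                reasons.append("autostart from a Temp directory")
            if looks_random(name):
                reasons.append("random-looking Run key name")
            if reasons:
                add("high", line, "; ".join(reasons))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in m.group("servers").split(",") if s]
            unknown = [s for s in servers if s not in expected_dns]
            if unknown:
                add("review", line,
                    "NameServer override not in the expected resolver list: "
                    + ",".join(unknown)
                    + " (confirm these belong to your ISP before treating as malicious)")
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that maps user32.dll,
            # so an unfamiliar name here deserves verification of its origin.
            add("review", line, "AppInit_DLLs entry %s; verify the file's origin" % m.group("dlls"))
            continue
        if line.startswith("O2 - ") and "(no file)" in line:
            add("low", line, "orphaned BHO registration (file gone)")
        elif line.startswith("O23 - ") and "(file missing)" in line:
            add("low", line, "orphaned service registration (file missing)")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"].upper(), "|", f["reason"], "|", f["line"][:70])
```

Run it as-is and the Temp-directory autostart is the only "high" finding; pass `frozenset({"66.75.160.63", "66.75.160.64"})` as `expected_dns` once the ISP confirms those resolvers and the O17 line drops out, leaving only the entries that still need a human to look at the file.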

km2357
2009-07-07, 21:09
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!

km2357
2009-07-07, 21:23
Is RoadRunner your ISP?


Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include the Uninstall List, C:\ComboFix.txt and a fresh HijackThis log in your next reply.

Use multiple posts if you can't fit everything into one post.

Skeckulous
2009-07-07, 23:56
Road Runner is my ISP.

Got the following error after trying Combofix...

!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: You may be infected with a file patching virus. "Virut"

Ran ComboFix in Safe Mode and it seemed to work.
As I am using a USB stick to transfer the files, what precautions do I need to take to make sure I don't transfer the virus?
I've already run the Symantec W32.Virut Removal Tool and apparently it hasn't worked.

Below is my uninstall log:

_______________________________________________

AC3Filter (remove only)
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Premiere 6.0
Adobe Reader 7.0.5
Advanced RealMedia Export Plug-in for Premiere 6.0
Apex Video Converter Free 7.11
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HYDRAVISION
ATI Multimedia Center 8.6.0.0
ATI Parental Control & Encoder
ATI Remote Wonder 2.0
AuthorScript Engine 1.0
Azureus Vuze
Belkin Wireless G Plus MIMO USB Network Adapter
Cisco Systems VPN Client 4.8.00.0440
Combined Community Codec Pack 2007-07-22
Critical Update for Windows Media Player 11 (KB959772)
D64 Editor
DAO
DivX Content Uploader
DivX Player
DivX Web Player
DLDIrc
ffdshow [rev 1324] [2007-07-01]
FileAlyzer
Flickr Uploadr 2.3
Google Gears
GUIDE PLUS+(TM) for Windows® System - ATI
HD Tune 2.55
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
iPod for Windows 2006-01-10
ISO Recorder
iTunes
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Medal of Honor Pacific Assault(tm)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.11)
MSN Music Assistant
Neverwinter Nights
Orb MyCast PlugIn 1.0
PlayOn 2.59.3336
PlayOn PlugIn for Channel9
QuickTime
RealPlayer
Revo Uninstaller 1.80
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steam
Symantec AntiVirus
Synergy
Torque 2D SDK (remove only)
Tribal IDE version Beta 3.8OS
TVersity Codec Pack 1.1
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6c
VME 1.2
Winamp
Winamp Remote
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver


----------------------------------------------------------------
COMBOFIX.EXE LOG (ran in Safe Mode because it wouldn't run otherwise):
----------------------------------------------------------------

ComboFix 09-07-07.05 - Skeckulous 07/07/2009 13:28.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.679 [GMT -7:00]
Running from: c:\documents and settings\Skeckulous.SCOTT\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ohhvpdqo.exe
c:\recycler\S-1-5-21-1078081533-1647877149-839522115-1003
c:\recycler\S-1-5-21-9634172621-3621685716-403554359-9793
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\Installer\96fe0b8.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\ld12.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000111_.tmp.dll
c:\windows\system32\drivers\bc6c2bcc.sys
c:\windows\system32\drivers\ss.sys
c:\windows\system32\grffr83hn.dll
c:\windows\system32\resdll.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACwsqmoqoyptiyerqht.db
c:\windows\system32\UACwylhchfqdlaeycdjb.dll
c:\windows\system32\UACxxluxpnblaskrgoej.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wscsvc32.exe

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_drv
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_drv
-------\Service_uacd.sys
-------\Service_bc6c2bcc


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-07 04:20 . 2009-07-07 04:20 -------- d-----w- c:\program files\Trend Micro
2009-07-06 16:07 . 2009-07-06 16:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-06 16:05 . 2009-07-06 16:05 -------- d-----w- c:\windows\ERUNT
2009-07-06 03:46 . 2009-07-06 03:25 2986872 ----a-w- C:\FixVirut.com
2009-07-06 03:38 . 2009-07-06 03:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-06 03:25 . 2009-07-06 03:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-07-05 20:34 . 2009-07-05 20:34 63488 ----a-w- C:\scfsiab.exe
2009-07-05 20:34 . 2009-07-05 20:34 124846 ----a-w- C:\mkvknro.exe
2009-07-05 20:34 . 2009-07-05 22:10 39424 ----a-w- C:\lmkgwrym.exe
2009-07-05 20:32 . 2009-07-05 20:32 -------- d-sh--w- c:\windows\System Volume Information
2009-07-05 20:31 . 2009-07-05 22:19 -------- d-----w- c:\program files\drv
2009-07-05 20:31 . 2009-07-05 22:10 96768 ----a-w- C:\fdvjfx.exe
2009-07-05 20:31 . 2009-07-05 22:31 39424 ----a-w- C:\tcburi.exe
2009-07-05 20:31 . 2009-07-05 20:31 205940 ----a-w- C:\gklrwl.exe
2009-07-05 20:31 . 2009-07-05 22:10 11264 ----a-w- C:\gswrij.exe
2009-07-04 01:42 . 2009-07-04 01:46 -------- d-----w- c:\documents and settings\Skeckulous.SCOTT\Application Data\Move Networks
2009-07-04 01:42 . 2009-03-09 18:34 971776 ----a-w- c:\documents and settings\Skeckulous.SCOTT\Application Data\Mozilla\Firefox\Profiles\v0cemxsq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-07-04 00:14 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 00:13 . 2009-07-06 15:07 -------- d-----w- c:\windows\ie8updates
2009-07-04 00:12 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 00:12 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-04 00:09 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-04 00:09 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-07-04 00:09 . 2009-07-06 15:05 -------- dc----w- c:\windows\ie8
2009-07-02 05:05 . 2009-07-02 15:05 -------- d-----w- c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 20:40 . 2006-01-31 23:39 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-07 19:07 . 2008-04-17 02:34 -------- d-----w- c:\documents and settings\Skeckulous.SCOTT\Application Data\uTorrent
2009-07-06 14:50 . 2006-01-30 16:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 13:27 . 2006-01-31 23:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-07-06 03:04 . 2009-07-06 03:04 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-06 03:04 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-07-06 03:04 . 2004-08-04 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
2009-07-05 23:02 . 2006-01-30 18:27 107008 ----a-w- c:\windows\UninstallFirefox.exe
2009-07-05 23:02 . 2006-02-23 03:14 299520 ----a-w- c:\windows\uninst.exe
2009-07-05 23:00 . 2006-01-30 18:06 141312 ----a-w- c:\windows\system32\sessmgr.exe
2009-07-05 22:59 . 2004-08-04 12:00 53760 ----a-w- c:\windows\system32\narrator.exe
2009-07-05 22:58 . 2004-08-04 12:00 7680 ----a-w- c:\windows\system32\forcedos.exe
2009-07-05 22:58 . 2004-08-04 12:00 20992 ----a-w- c:\windows\system32\fontview.exe
2009-07-05 22:58 . 2004-08-04 12:00 14848 ----a-w- c:\windows\system32\fc.exe
2009-07-05 22:58 . 2004-08-04 12:00 24064 ----a-w- c:\windows\system32\extrac32.exe
2009-07-05 22:58 . 2004-08-04 12:00 15872 ----a-w- c:\windows\system32\expand.exe
2009-07-05 22:58 . 2004-08-04 12:00 50688 ----a-w- c:\windows\system32\eventcreate.exe
2009-07-05 22:58 . 2004-08-04 12:00 193024 ----a-w- c:\windows\system32\eudcedit.exe
2009-07-05 22:58 . 2004-08-04 12:00 1298432 ----a-w- c:\windows\system32\dxdiag.exe
2009-07-05 22:58 . 2004-08-04 12:00 180224 ----a-w- c:\windows\system32\dwwin.exe
2009-07-05 22:58 . 2004-08-04 12:00 17920 ----a-w- c:\windows\system32\dvdupgrd.exe
2009-07-05 22:58 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2009-07-05 22:58 . 2006-10-19 03:00 249856 ------w- c:\windows\system32\drmupgds.exe
2009-07-05 22:58 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\driverquery.exe
2009-07-05 22:55 . 2008-09-03 14:27 32768 ------w- c:\windows\slrundll.exe
2009-07-05 22:55 . 2008-10-27 09:20 165376 ----a-w- c:\windows\setup1.exe
2009-07-05 22:51 . 2006-01-30 18:08 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2009-07-05 22:51 . 2006-01-30 18:08 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2009-07-05 22:51 . 2006-01-30 18:08 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-07-05 22:50 . 2006-01-31 23:48 306688 ----a-w- c:\windows\IsUninst.exe
2009-07-05 22:49 . 2009-07-04 00:09 45568 ----a-w- c:\windows\system32\SET43.tmp
2009-07-05 22:49 . 2009-07-04 00:09 12288 ----a-w- c:\windows\system32\SET42.tmp
2009-07-05 22:48 . 2004-08-04 12:00 10752 ----a-w- c:\windows\hh.exe
2009-07-05 21:44 . 2007-12-05 18:07 3096576 ---ha-w- c:\documents and settings\Skeckulous.SCOTT\Application Data\U3\temp\Launchpad Removal.exe
2009-07-05 21:44 . 2007-01-10 16:29 110592 ----a-w- c:\documents and settings\Skeckulous.SCOTT\Application Data\U3\temp\cleanup.exe
2009-07-05 21:44 . 2007-11-04 01:50 212992 ----a-w- c:\documents and settings\Skeckulous.SCOTT\Application Data\ppStream\update.exe
2009-07-03 18:13 . 2009-02-25 02:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MediaMall
2009-06-13 04:45 . 2009-02-25 02:14 -------- d-----w- c:\program files\Common Files\ffdshowEx
2009-05-22 21:39 . 2009-02-25 02:14 -------- d-----w- c:\program files\MediaMall
2009-05-22 21:32 . 2006-01-30 18:18 166840 ----a-w- c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 21:09 . 2009-05-22 21:09 290736 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-22 21:08 . 2009-05-22 21:08 -------- d-----w- c:\program files\MSBuild
2009-05-22 21:08 . 2009-05-22 21:08 -------- d-----w- c:\program files\Reference Assemblies
2009-05-20 10:55 . 2009-05-20 10:55 99840 ----a-w- c:\windows\system32\MediaInfo_InfoTip.dll
2009-05-20 10:52 . 2009-05-20 10:52 1753088 ----a-w- c:\windows\system32\MediaInfo.dll
2009-05-13 05:15 . 2009-07-04 00:12 915456 ------w- c:\windows\system32\SETC7.tmp
2009-05-13 05:15 . 2009-07-04 00:12 5936128 ------w- c:\windows\system32\SETC9.tmp
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 21:22 . 2009-07-04 00:12 1985024 ------w- c:\windows\system32\SETCC.tmp
2009-04-30 21:22 . 2009-07-04 00:12 1207808 ------w- c:\windows\system32\SETC8.tmp
2009-04-30 21:22 . 2009-07-04 00:12 25600 ------w- c:\windows\system32\SETCA.tmp
2009-04-30 21:22 . 2009-07-04 00:12 11064832 ------w- c:\windows\system32\SETCD.tmp
2009-04-29 04:56 . 2009-07-04 00:09 827392 ----a-w- c:\windows\system32\SET57.tmp
2009-04-29 04:56 . 2009-07-04 00:09 233472 ----a-w- c:\windows\system32\SET54.tmp
2009-04-29 04:56 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-04-29 04:56 . 2009-07-04 00:09 671232 ----a-w- c:\windows\system32\SET4D.tmp
2009-04-29 04:56 . 2009-07-04 00:09 44544 ----a-w- c:\windows\system32\SET4F.tmp
2009-04-29 04:56 . 2009-07-04 00:09 1159680 ----a-w- c:\windows\system32\SET52.tmp
2009-04-29 04:56 . 2009-07-04 00:09 105984 ----a-w- c:\windows\system32\SET51.tmp
2009-04-29 04:56 . 2009-07-04 00:09 102912 ----a-w- c:\windows\system32\SET4E.tmp
2009-04-29 04:56 . 2009-07-04 00:09 477696 ----a-w- c:\windows\system32\SET49.tmp
2009-04-29 04:56 . 2009-07-04 00:09 193024 ----a-w- c:\windows\system32\SET4C.tmp
2009-04-29 04:56 . 2009-07-04 00:09 3596288 ----a-w- c:\windows\system32\SET47.tmp
2009-04-28 09:06 . 2009-07-04 00:09 389120 ----a-w- c:\windows\system32\SET29.tmp
2009-04-28 09:05 . 2009-07-04 00:09 90624 ----a-w- c:\windows\system32\SET2B.tmp
2009-04-25 05:26 . 2009-07-04 00:09 161792 ----a-w- c:\windows\system32\SET2E.tmp
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2009-07-05 22:41 14336 A0F41F317C6C4AD769CD5B5075E588C5 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2009-07-05 22:55 14336 6ACBB87D7A97409B2928B5D1A3997D1C c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 34304 AFE816B6687D49C0616BB924D424D53C c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[7] 2009-07-06 16:07 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\user32.dll

[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
[-] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
[7] 2008-04-21 06:56 666624 2E7DE1BF9418B071799EB53DE8CC22F5 c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[7] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[7] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
[7] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll
[7] 2008-06-23 15:38 659456 9EEA04BC4C3FA521D256D89940FAB4DB c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:33 658432 1C0979C7A489BEE573CD0BF4AD94BB06 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:23 658432 38AB7A56F566D9AAAD31812494944824 c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:02 658944 2B4DB890936430C71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:39 658944 621AF3F6174A3F60677F5230E28BCC07 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:17 658944 6B2735ADFF5A5D3B9130CA4A794722F0 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 13:37 658944 8C393DF5234CBCBFF1EE31902D6B40AE c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2007-02-20 09:48 658944 30D1C47E40EFBB792FF8D3C3B51CE507 c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:31 658944 B7156CD97E739F3014BC4D61758F868A c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-06-26 14:09 658944 184E47C8F7B331025E6DC92740DB188F c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-08-22 13:12 658944 1901AD51DA8BE9F8B38D5D526E5D1788 c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-10-11 06:13 659456 2005AD86A22AEE68E21EE59F9CCB77F2 c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2007-12-07 01:07 659456 57D1B5150CF6331FAC6B3E04C1FCB966 c:\windows\$NtUninstallKB947864$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2008-02-16 08:59 659456 0C690E77C0E924C45B4D7045B182FFF1 c:\windows\$NtUninstallKB950759_0$\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$NtUninstallKB953838$\wininet.dll
[7] 2008-04-21 07:04 659456 1EFB8A3EA8454AEC1BB8A240A2845598 c:\windows\$NtUninstallKB953838_0$\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\ie7\wininet.dll
[7] 2007-08-14 01:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\wininet.dll
[7] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\system32\dllcache\wininet.dll

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2009-07-06 03:04 361600 A29E1209F925A0E9B330E11DA5FC7BAB c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-07-06 03:04 361600 A29E1209F925A0E9B330E11DA5FC7BAB c:\windows\system32\drivers\TCPIP.SYS

[-] 2009-07-05 22:42 502272 6CA30E8B2F62EA4438F5FE66FB673E32 c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2009-07-05 22:55 507904 18E70EEABD8800CC2C23C09C556B2613 c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[7] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 22:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 12:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 12:55 2057600 1D659BFB788ED2BA45075624B748D249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 23:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 12:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 14:17 2180352 8F0DEAB1F81FB83F9C5995853CE48B9F c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1053696 AD2DE65EB728F80951EDC2A4827CF2A9 c:\windows\explorer.exe
[-] 2009-07-05 22:37 1033216 C3436AB51BE9E9187100B683B08B8EEA c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2009-07-05 22:39 1033216 D45E8A13DC8A4481D7422FEE648F1377 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2009-07-05 22:44 1032192 9A369E5BB5DA182ACC06A0046754ADE9 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1053696 A2F0FD67BFD8C029F2E2118FAB853674 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2009-02-06 11:06 130560 6225AE8ED0F23CB3CF2D67DB0B7BD5F8 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-04 12:00 128000 E4D8135BA3FB769BA198D7171578D9BC c:\windows\$NtServicePackUninstall$\services.exe
[-] 2009-07-05 22:45 108544 E8C1590102E30E6151CFB1021E5B4527 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2009-07-05 22:54 108544 E8C1590102E30E6151CFB1021E5B4527 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 130560 A44B9F94991E2BF64833218FDE8A7C5F c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 12:00 33280 7625C1415CBF6EF09C3AA6C8768AB0BA c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2009-07-05 22:54 13312 C486CF480DCE7616C31EAC73BDBB5C52 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2009-07-05 22:38 15360 3AAC89CB86578104DCC780E07A656002 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2009-07-05 22:53 15360 AB7B5CB5DFAF6E2A4487318D5CF06644 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-07-06 03:04 15360 AB7B5CB5DFAF6E2A4487318D5CF06644 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 77824 1EF4D278BBE82E9E0C3C37AEBBB41849 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2009-07-05 22:41 57856 8CDA722234DED2269E7DB236AC908B1B c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2009-07-05 22:42 57856 12AF40451DFB676310EEABC15343AFE4 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2009-07-05 22:55 57856 000667ECAE761E93082F45361E38A1B9 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 77824 1C4FC8F4639712F1E6A20A5AF96FF051 c:\windows\system32\spoolsv.exe

[-] 2008-04-14 00:12 131072 A2C8A515156AA96661907A28ED0C7E44 c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[-] 2009-07-05 22:41 24576 A9D315C56DA96A9B4DEAF83006071227 c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2009-07-05 22:55 26112 64C207D0F804BFE77C50B5A1A62A506D c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2009-07-05 23:01 26112 64C207D0F804BFE77C50B5A1A62A506D c:\windows\system32\userinit.exe

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[7] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

[7] 2004-08-04 12:00 167936 9C3C12975C97119412802B181FBEEFFE c:\windows\$NtServicePackUninstall$\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\ServicePackFiles\i386\appmgmts.dll
[7] 2008-04-14 00:11 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll

[7] 2004-08-04 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2009-07-05 106496]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-08-12 208896]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2280448]
"Google Update"="c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-16 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-06 15360]
"PlayOn"="c:\program files\MediaMall\PlayOn.exe" [2009-07-05 53248]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 224256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-05 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 356352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 299008]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 65536]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2009-07-05 1585152]

c:\documents and settings\Skeckulous.SCOTT\Start Menu\Programs\Startup\
µTorrent.lnk - c:\program files\uTorrent\uTorrent.exe [2008-4-16 270128]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-31 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 49664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533c5b84-ec70-11d2-9505-00c04f79deaf}]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\Synergy\\synergys.exe"=
"c:\\NeverwinterNights\\NWN\\nwupdate.exe"=
"c:\\Torque2D\\TGB_LevelBuilder_Beta2\\games\\T2D.exe"=
"c:\\NeverwinterNights\\NWN\\nwserver.exe"=
"c:\\Program Files\\Steam\\SteamApps\\skeckulous\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LightningWare\\VME 1.2\\VME Manager.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:drv

R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [1/5/2008 4:34 PM 6016]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/18/2009 4:25 AM 4315648]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [1/30/2006 9:08 AM 140416]
S3 o1394bul;o1394bul;\??\c:\docume~1\SKECKU~1.SCO\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\SKECKU~1.SCO\LOCALS~1\Temp\o1394bul.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/30/2004 3:19 PM 153416]
S4 Hidnsrswlnp;Hidnsrswlnp;c:\windows\system32\drivers\smclib.sys [8/4/2004 5:00 AM 14592]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-839522115-1003Core.job
- c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-16 06:31]

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-776561741-839522115-1003UA.job
- c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-16 06:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d76ab2a1-00f3-42bd-f434-00bbc39c8953} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-Steam - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: adobe.com\www
TCP: {EEF4A14A-95C7-400B-AAD4-BF98210D8762} = 66.75.160.63,66.75.160.64
FF - ProfilePath - c:\documents and settings\Skeckulous.SCOTT\Application Data\Mozilla\Firefox\Profiles\v0cemxsq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Skeckulous.SCOTT\Application Data\Mozilla\Firefox\Profiles\v0cemxsq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Skeckulous.SCOTT\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 13:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(304)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3400)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-07 13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 20:51

Pre-Run: 17,659,015,168 bytes free
Post-Run: 17,686,659,072 bytes free

464 --- E O F --- 2009-07-04 00:14

km2357
2009-07-08, 08:01
Road Runner is my ISP.

Then you do not need to worry about this line in the HJT log:

O17 - HKLM\System\CCS\Services\Tcpip\..\{EEF4A14A-95C7-400B-AAD4-BF98210D8762}: NameServer = 66.75.160.63,66.75.160.64

Both of those IP addresses belong to Road Runner. :)



Got the following error after trying Combofix...

!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/comb...o-use-combofix
Note: You may be infected with a file patching virus. "Virut"

Ran Combofix in safemode and it seemed to work.
As I am using a USB stick to transfer the files, what precautions do I need to take to make sure I don't transfer the virus?
I've already run the Symantec W32.Virut Removal Tool and apparently it hasn't worked.

The message you got is a warning to not download ComboFix from an unauthorized source/mirror. Do you remember where you downloaded ComboFix from? If you did not download it by visiting

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

and downloading it from one of the three official mirrors:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Then you'll need to delete ComboFix.exe and download it from a proper mirror/website. If you need to do that, please run ComboFix again (this time in Normal Mode) and post the log in your next reply.

If you did download ComboFix from one of the three websites I posted above, then ComboFix should work fine in Normal Mode, no need to run it in Safe Mode.

As for Virut, I didn't see any signs of it in your HJT log, so it looks like you don't have it. The ComboFix warning is just a precaution that you might have Virut if you download ComboFix from an unofficial source, not that you do have it.



However, I would like for you to scan some files for me:


Step # 1 Upload Files

Go to Jotti (http://virusscan.jotti.org)
Copy the following line into the white textbox:
c:\windows\system32\svchost.exe
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\userinit.exe

If Jotti is busy, Go to VirusTotal (http://www.virustotal.com/en/indexf.html) and scan the file(s) there.


In your next post/reply, I need to see the following:

1. Jotti/Virustotal results
2. A fresh ComboFix Log (only if you originally didn't download ComboFix from an official mirror/website)
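
A way to do the comparison that the helper is asking for by eye, written as an added example for this thread (it is not part of the original posts and not ComboFix's own logic). The MD5 table ComboFix printed above lists every copy of a system file, one row per copy. The script below parses rows in that format, groups the copies of each file name, and reports the three things a responder looks for before sending files to Jotti/VirusTotal: the live copy under system32 (or system32\drivers, or c:\windows) not matching its dllcache copy, which Windows File Protection normally keeps identical; two copies with the same size and timestamp but a different MD5, which is what an in-place patch of an executable leaves behind; and a copy sitting in a backup directory ($NtUninstall*, $hf_mig$, ServicePackFiles and friends) whose modification time is after a cutoff date. The rows in SAMPLE are copied verbatim from the log above; the cutoff of 2009-07-01 is my assumption, picked a few days before the scan date in the log.

```python
"""Cross-check of the per-file MD5 table ComboFix printed above.

Added example for this thread, not part of the original posts and not
ComboFix's own logic. Each row of that table reads
    [flag] date time size MD5 path
and the copies of one file name are compared against each other. The
cutoff date passed to run() is an assumption (a few days before the scan);
SAMPLE holds rows copied verbatim from the log.
"""
import re
from collections import defaultdict
from datetime import datetime

ROW_RE = re.compile(r"^\[(.)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$")
# directories holding reference/backup copies; nothing in them should change after install
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\", "\\$ntuninstall",
                  "\\$hf_mig$\\", "\\driver cache\\", "\\ie7updates\\", "\\ie7\\",
                  "\\softwaredistribution\\")

SAMPLE = r"""
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 130560 A44B9F94991E2BF64833218FDE8A7C5F c:\windows\system32\dllcache\services.exe
[-] 2008-04-14 00:12 1053696 AD2DE65EB728F80951EDC2A4827CF2A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A2F0FD67BFD8C029F2E2118FAB853674 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2009-07-05 22:55 507904 18E70EEABD8800CC2C23C09C556B2613 c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 22:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe
"""


def parse_table(text):
    """Turn ComboFix hash rows into dicts; lines that do not match the row format are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        flag, stamp, size, md5, path = m.groups()
        path = path.lower()
        rows.append({"flag": flag, "mtime": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
                     "size": int(size), "md5": md5.upper(), "path": path,
                     "name": path.rsplit("\\", 1)[-1]})
    return rows


def classify(path):
    """live = the copy Windows actually runs; dllcache = the WFP cache; reference = backup dirs."""
    if "\\dllcache\\" in path:
        return "dllcache"
    if any(d in path for d in REFERENCE_DIRS):
        return "reference"
    return "live"


def check(rows, cutoff):
    """Return (file name, reason, path or 'a vs b') tuples for every anomaly found."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    findings = []
    for name, copies in sorted(by_name.items()):
        live = [c for c in copies if classify(c["path"]) == "live"]
        cache = [c for c in copies if classify(c["path"]) == "dllcache"]
        # WFP keeps dllcache and the protected copy in step; a mismatch needs an explanation
        if live and cache and (live[0]["size"], live[0]["md5"]) != (cache[0]["size"], cache[0]["md5"]):
            findings.append((name, "live/dllcache mismatch", live[0]["path"]))
        # same size and same timestamp but different content: patched in place
        first_seen = {}
        for c in copies:
            key = (c["size"], c["mtime"])
            if key in first_seen and first_seen[key]["md5"] != c["md5"]:
                findings.append((name, "same size/time, different MD5",
                                 first_seen[key]["path"] + " vs " + c["path"]))
            first_seen.setdefault(key, c)
        # backup copies should carry their original install/update timestamps
        for c in copies:
            if classify(c["path"]) == "reference" and c["mtime"] >= cutoff:
                findings.append((name, "backup copy modified after cutoff", c["path"]))
    return findings


def run(cutoff=datetime(2009, 7, 1)):
    return check(parse_table(SAMPLE), cutoff)


if __name__ == "__main__":
    for name, reason, where in run():
        print("%-14s %-34s %s" % (name, reason, where))
```

On the eight sample rows this reports services.exe (live and dllcache copies differ in size and hash), explorer.exe (the system32 and ServicePackFiles copies share size and timestamp but not MD5) and winlogon.exe (a ServicePackFiles copy dated 2009-07-05), and nothing for wuauclt.exe. None of these is proof of infection on its own: the full table above shows wininet.dll with a live/dllcache mismatch that the staged copy in SoftwareDistribution\Download appears to account for, which is exactly why the helper asks for the flagged files to be scanned at Jotti rather than judged from the table.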

Skeckulous
2009-07-08, 08:47
I downloaded it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Using the first mirror link, so it's official.

Whenever I connect the computer to the internet I get a continuous series of messages from Symantec saying that e-mails with viruses are being sent out.
Kind of makes it hard to go to websites but I can give it a try, assuming it's not being blocked (like the Symantec site).

Also on original scans I did have the Virut virus and cleaned it but it kept coming back so not sure if it's still around.

Skeckulous
2009-07-08, 08:56
I also cannot start the windows firewall. It has been disabled and will not start back up.

Skeckulous
2009-07-08, 09:01
Just tried running Combofix again and Symantec popped up saying it found the Virut virus and got the Combofix error again.

:(

Skeckulous
2009-07-08, 09:13
So tried to get online with the computer. Didn't work.
Also it won't open Internet Explorer now though Firefox still works...

km2357
2009-07-08, 21:18
If Symantec says that it keeps finding Virut and you mention that your original scans (I assume before you came here to Safer Networking) said you have/had Virut, then we have to assume that you still have Virut on your system. :sad:

Since Virut is a really nasty virus, there is really only one thing to do to assure that your computer is free of it:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Miekiemoes, an expert for malware removal, and an MS-MVP, additionally has a blog post about Virut (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html).

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc..
Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
Because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/advanced/reinstall-format.html
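
The McAfee description quoted above says the virus appends its encrypted body to the last section of a PE file and places the decryptor either there, in code-section slack space, or over the original entry point. As an added example for this thread (not part of the original posts and not a vendor detection routine), the script below walks just enough of the PE headers (MZ, PE\0\0, optional header, section table) to find which section owns AddressOfEntryPoint and flags the two header-level tells of the first placement: an entry point that lands in the last section, and a last section that is both writable and executable. The two PE images at the bottom are constructed in memory to exercise the check; they are not files from the affected machine.

```python
"""Header-level check for the appended-code infection pattern described above.

Added example for this thread; not part of the original posts and not a
vendor detection routine. Only the PE headers are read, so the check is
cheap and works on a file copied off the machine. CLEAN_PE and INFECTED_PE
are constructed test images, not real binaries.
"""
import struct

IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

FILE_HDR = "<HHIIIHH"       # IMAGE_FILE_HEADER, 20 bytes
SEC_HDR  = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR, data, pe_off + 4)
    # AddressOfEntryPoint is 16 bytes into the optional header for PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    sec_off = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(SEC_HDR, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def entry_point_report(data):
    """Locate the section owning the entry point and list the suspicious traits found."""
    entry_rva, sections = parse_pe(data)
    owner = None
    for idx, s in enumerate(sections):
        # a section spans max(VirtualSize, SizeOfRawData) bytes from its RVA; using the
        # max keeps on-disk slack space inside the section for this check
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            owner = idx
            break
    findings = []
    if owner is None:
        findings.append("entry point 0x%X lies outside every section" % entry_rva)
    else:
        sec = sections[owner]
        if owner == len(sections) - 1:
            findings.append("entry point in last section '%s'" % sec["name"])
        if not sec["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry section '%s' is not marked as code" % sec["name"])
    last = sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section '%s' is writable and executable" % last["name"])
    return {"entry_rva": entry_rva, "entry_section": owner, "findings": findings}


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image (constructed test data, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    file_hdr = struct.pack(FILE_HDR, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack(SEC_HDR, name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr,
                                 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, rawsize, rawptr, chars in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Ordinary layout: entry point inside .text, read/write .data as the last section.
CLEAN_PE = build_pe(0x1010, [(b".text", 0x1000, 0x800, 0x800, 0x400, TEXT),
                             (b".data", 0x2000, 0x200, 0x200, 0xC00, DATA)])
# Same layout after an appended-code infection: .data grown by 0x1000 bytes, marked
# executable, and the entry point redirected to the start of the appended code.
INFECTED_PE = build_pe(0x2200, [(b".text", 0x1000, 0x800, 0x800, 0x400, TEXT),
                                (b".data", 0x2000, 0x1200, 0x1200, 0xC00, DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, entry_point_report(image))
```

Two caveats that follow directly from the description quoted above: the variant that puts its decryptor over the original entry point leaves AddressOfEntryPoint in .text, so this header check will not see it, and packers legitimately produce moved entry points and writable/executable sections. It is triage for picking which files to submit to a scanner, not a verdict, and it does nothing to change the helper's conclusion that a format and reinstall is the only reliable way out once Virut has been confirmed.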

Skeckulous
2009-07-08, 21:51
*sigh*

So only option is reformatting then?

Skeckulous
2009-07-08, 23:53
Also, any worry that the virus could have transferred to my thumb drive?

Also would the virus be only located on the C drive or all drives attached to the computer?

Just wondering how the virus works and how it jumps around.

km2357
2009-07-09, 08:19
If you want your computer to be fully clean from Virut, then yes the only option is to reformat and reinstall Windows. There's no guarantee you'll get every infected file if you try to clean and Virut can and will mess up .exe files so you may end up reinstalling a lot of your programs. It'd be best to get it all in one go by reformatting.

As far as I'm aware Virut can't be transferred to your thumb drive by itself, it doesn't actively seek out thumb drives. If you put a file that was infected with Virut onto your thumb drive then it could spread to other computers that way. I would scan your thumb drive (especially any .exe/.scr/.htm/.html/.xml/.zip/.rar files that may be on it) with your Anti-Virus.

I believe it may be only on the C: Drive. Has Symantec found Virut on any other drive besides C:? If it has you'll need to reformat those as well. If not, you may want to reformat them anyway to be on the safe side or at least scan them with your AV to be sure.

Those three links I put in my last post will give you a lot info about Virut.

km2357
2009-07-12, 07:41
Skeckulous? Are you still there?

km2357
2009-07-15, 07:41
This topic has been archived due to inactivity.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start a new topic.