Infected no regedit (Resolved)
Hi, I did something and the next thing I know my internet is killer slow. My programs are slow also and I can't get into the registry to fix it. I downloaded the VBS script to get me into regedit but it only works once in a blue moon. Even when I delete the reg entries in safe mode, as soon as I reboot they come back. Someone suggested Norton Antivirus but I know that slows the internet pretty bad. Someone please help, I am afraid to pay my bills online with trojans.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:16 AM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chris Diaz\meqsq.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\vs7xj.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\system.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\njce96ic1s.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\login.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\mdm.exe
C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\csrss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Chris Diaz\meqsq.exe \s
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vxbik] C:\WINDOWS\system32\vxbik.exe \u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [mswindows restore service] C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\vs7xj.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\csrss.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\228390.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\228390.dll
O21 - SSODL: ydUtoDHdepMTG - {94977F5A-3E3D-D5F0-5C01-2BD493E1C27F} - C:\WINDOWS\system32\fq.dll
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 3956 bytes
Spybot S&D
Smitfraud-C.: [SBI $699198D9] Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-790525478-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\Windows System Recover!
Smitfraud-C.: [SBI $50922C3E] Executable (File, nothing done)
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\taskmgr.exe
Properties.size=22532
Properties.md5=E61839AEC866FB2707635C0C86EEC819
Properties.filedate=1249164533
Properties.filedatetext=2009-08-01 18:08:53
Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-790525478-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-790525478-1844237615-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools
PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-790525478-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf
Win32.Agent.icb: [SBI $A0EF69BD] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mid
Right Media: Tracking cookie (Internet Explorer: Chris Diaz) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-31 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-07-28 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-07-28 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-07-28 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-28 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-07-28 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-07-28 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-07-28 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-07-22 Includes\Trojans.sbi (*)
2009-07-28 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
No Antivirus
I can see no indication of any Antivirus software.
Use AntiVirus Software - It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
Paid AV list
Kaspersky (http://www.kaspersky.co.uk/)
ESET NOD32 (http://www.eset.co.uk/)
Free AV list ( Home users only)
Avast (http://www.avast.com/eng/products.html)
Avira AntiVir (http://www.free-av.com/)
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week.
If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Antivirus is a MUST
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )
Thank you for the help.
info.txt logfile of random's system information tool 1.06 2009-08-03 17:26:52
======Uninstall list======
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Agere Systems PCI Soft Modem-->agrsmdel
Battlefield 2(TM)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Battlefield 2: Special Forces-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{50D4CB89-AF34-4978-96DC-C3034062E901}\setup.exe" -l0x9 -removeonly
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
LimeWire 5.1.4-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC-->C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Sniper Elite Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A979B2D8-E3EE-4523-A26C-4AF0A6809280}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
=====HijackThis Backups=====
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-07-29]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [2009-07-29]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-07-29]
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM) [2009-07-29]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-07-29]
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM) [2009-07-29]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2009-07-29]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM) [2009-07-29]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Chris Diaz\wafayoh.exe \s,C:\Documents and Settings\Chris Diaz\rrwk.exe \s [2009-07-29]
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM) [2009-07-29]
O4 - HKLM\..\Run: [rgclowj0ee0a] C:\WINDOWS\system32\qgcjowj0ee0a.exe [2009-07-29]
O15 - Trusted Zone: http://*.mcafee.com (HKLM) [2009-07-29]
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM) [2009-07-29]
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM) [2009-07-29]
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM) [2009-07-29]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 [2009-07-29]
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\lsass.exe [2009-07-29]
O4 - HKCU\..\Run: [mswindows restore service] C:\DOCUME~1\CHRISD~1\LOCALS~1\Temp\ri9jlhoi.exe [2009-07-29]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2009-07-29]
O21 - SSODL: ydUtoDHdepMTG - {94977F5A-3E3D-D5F0-5C01-2BD493E1C27F} - C:\WINDOWS\system32\fq.dll [2009-07-29]
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab [2009-07-29]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab [2009-07-29]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install [2009-07-29]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O4 - HKLM\..\Run: [aev] C:\WINDOWS\system32\aev.exe \u [2009-07-29]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-07-29]
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-08-01]
O4 - HKLM\..\Run: [fpu] C:\WINDOWS\system32\fpu.exe \u [2009-08-01]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-08-01]
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-08-01]
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-01]
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 [2009-08-01]
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Chris Diaz\nukqkt.exe \s [2009-08-01]
O2 - BHO: C:\WINDOWS\system32\ghaf8jkdfd.dll - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-08-01]
O21 - SSODL: ydUtoDHdepMTG - {94977F5A-3E3D-D5F0-5C01-2BD493E1C27F} - C:\WINDOWS\system32\fq.dll [2009-08-01]
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-01]
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll [2009-08-01]
======Hosts File======
======System event log======
Computer Name: CHRIS-15BC29F3B
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 596
Source Name: Tcpip
Time Written: 20090712205106.000000-240
Event Type: warning
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 589
Source Name: Tcpip
Time Written: 20090712132142.000000-240
Event Type: warning
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 588
Source Name: Tcpip
Time Written: 20090712121424.000000-240
Event Type: warning
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 587
Source Name: Tcpip
Time Written: 20090712103444.000000-240
Event Type: warning
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 586
Source Name: Tcpip
Time Written: 20090712101036.000000-240
Event Type: warning
User:
=====Application event log=====
Computer Name: CHRIS-15BC29F3B
Event Code: 1000
Message: Faulting application qgcjowj0ee0a.exe, version 0.0.0.0, faulting module urlmon.dll, version 8.0.6001.18806, fault address 0x00029bb7.
Record Number: 159
Source Name: Application Error
Time Written: 20090729172321.000000-240
Event Type: error
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.1.3462, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 71
Source Name: Application Hang
Time Written: 20090710000443.000000-240
Event Type: error
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 42
Source Name: WinMgmt
Time Written: 20090709114806.000000-240
Event Type: warning
User: CHRIS-15BC29F3B\Chris Diaz
Computer Name: CHRIS-15BC29F3B
Event Code: 1005
Message: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 30 days.
Record Number: 28
Source Name: Windows Product Activation
Time Written: 20090709102832.000000-240
Event Type: warning
User:
Computer Name: CHRIS-15BC29F3B
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 11
Source Name: WinMgmt
Time Written: 20090709131404.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\DivX Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2c02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris Diaz at 2009-08-03 17:26:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 668 GB (93%) free of 715 GB
Total RAM: 2047 MB (75% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:51 PM, on 8/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\vxbik.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Diaz\My Documents\Downloads\RSIT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Chris Diaz.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vxbik] C:\WINDOWS\system32\vxbik.exe \u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 2930 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-06-10 13758464]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-12 136600]
"vxbik"=C:\WINDOWS\system32\vxbik.exe [2009-08-02 32768]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\WINDOWS\system32\aev.exe"="C:\WINDOWS\system32\aev.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\Chris Diaz\wafayoh.exe"="C:\Documents and Settings\Chris Diaz\wafayoh.exe:*:Enabled:ENABLE"
"C:\WINDOWS\system32\fpu.exe"="C:\WINDOWS\system32\fpu.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\Chris Diaz\nukqkt.exe"="C:\Documents and Settings\Chris Diaz\nukqkt.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\Chris Diaz\meqsq.exe"="C:\Documents and Settings\Chris Diaz\meqsq.exe:*:Enabled:ENABLE"
"C:\WINDOWS\system32\vxbik.exe"="C:\WINDOWS\system32\vxbik.exe:*:Enabled:ENABLE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======File associations======
.scr - open - "%1" %*
======List of files/folders created in the last 1 months======
2009-08-03 17:26:45 ----D---- C:\rsit
2009-08-03 17:04:00 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 17:03:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-03 17:03:56 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-02 07:24:36 ----A---- C:\WINDOWS\system32\vxbik.exe
2009-07-31 06:16:17 ----A---- C:\WINDOWS\wininit.ini
2009-07-31 06:01:06 ----A---- C:\WINDOWS\system32\fpu.exe
2009-07-29 17:17:09 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\AVG8
2009-07-28 20:17:43 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2009-07-28 20:17:40 ----D---- C:\Program Files\DAEMON Tools Toolbar
2009-07-28 20:17:38 ----D---- C:\Program Files\DAEMON Tools Lite
2009-07-28 20:17:16 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 17:14:31 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-28 17:14:31 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 17:11:33 ----D---- C:\Program Files\Trend Micro
2009-07-28 16:57:49 ----A---- C:\WINDOWS\system32\BASSMOD.dll
2009-07-28 16:53:39 ----A---- C:\WINDOWS\system32\aev.exe
2009-07-17 17:13:24 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-07-17 17:13:17 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-07-16 21:22:50 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\WinRAR
2009-07-16 19:16:44 ----D---- C:\Program Files\WinRAR
2009-07-16 19:15:05 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 19:13:11 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 18:33:22 ----D---- C:\Program Files\EA GAMES
2009-07-16 18:27:14 ----D---- C:\Program Files\Steam
2009-07-16 16:38:36 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\dvdcss
2009-07-15 21:30:25 ----D---- C:\Program Files\VideoLAN
2009-07-15 19:18:33 ----D---- C:\WINDOWS\Minidump
2009-07-15 19:01:48 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-14 23:52:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-14 23:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-14 23:52:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 03:01:49 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\LimeWire
2009-07-12 15:36:45 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DivX
2009-07-12 13:50:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-12 13:50:49 ----D---- C:\Program Files\MC2
2009-07-12 13:50:31 ----D---- C:\Program Files\Common Files\InstallShield
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\vxblock.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxwave.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxsfs.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxmas.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\px.dll
2009-07-12 13:44:49 ----D---- C:\Program Files\DivX
2009-07-12 13:44:49 ----D---- C:\Program Files\Common Files\DivX Shared
2009-07-12 10:03:23 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 10:01:11 ----D---- C:\Program Files\BitTorrent
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\java.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-12 10:00:16 ----D---- C:\Program Files\Java
2009-07-12 09:59:58 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Sun
2009-07-12 09:59:57 ----D---- C:\Program Files\LimeWire
2009-07-11 22:12:42 ----A---- C:\WINDOWS\system32\nvudisp.exe
2009-07-11 22:12:31 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2009-07-11 22:12:24 ----D---- C:\NVIDIA
2009-07-11 16:39:51 ----A---- C:\WINDOWS\myClean.bat
2009-07-09 16:57:15 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Mozilla
2009-07-09 16:49:27 ----D---- C:\Program Files\mIRC
2009-07-09 16:49:27 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\mIRC
2009-07-09 13:19:34 ----D---- C:\WINDOWS\SoftwareDistribution
2009-07-09 13:19:33 ----SD---- C:\WINDOWS\system32\Microsoft
2009-07-09 13:19:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-09 13:16:46 ----D---- C:\WINDOWS\system32\xircom
2009-07-09 13:16:46 ----D---- C:\Program Files\xerox
2009-07-09 13:16:46 ----D---- C:\Program Files\microsoft frontpage
2009-07-09 13:16:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-09 13:16:40 ----A---- C:\WINDOWS\system32\xpsp3res.dll
2009-07-09 13:16:31 ----A---- C:\WINDOWS\control.ini
2009-07-09 13:16:31 ----A---- C:\AUTOEXEC.BAT
2009-07-09 13:16:20 ----A---- C:\WINDOWS\OEWABLog.txt
2009-07-09 13:16:17 ----A---- C:\WINDOWS\system32\mapi32.dll
2009-07-09 13:15:44 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-09 13:15:44 ----RD---- C:\WINDOWS\Offline Web Pages
2009-07-09 13:15:44 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-07-09 13:15:40 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-07-09 13:15:36 ----HD---- C:\Program Files\WindowsUpdate
2009-07-09 13:15:22 ----D---- C:\WINDOWS\system32\DirectX
2009-07-09 13:15:07 ----A---- C:\WINDOWS\system32\atrace.dll
2009-07-09 13:15:05 ----A---- C:\WINDOWS\system32\desktop.ini
2009-07-09 13:15:05 ----A---- C:\WINDOWS\desktop.ini
2009-07-09 13:15:00 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2009-07-09 13:14:59 ----D---- C:\Program Files\Common Files\Services
2009-07-09 13:14:59 ----A---- C:\WINDOWS\system32\acctres.dll
2009-07-09 13:14:57 ----SD---- C:\WINDOWS\Tasks
2009-07-09 13:14:57 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2009-07-09 13:14:56 ----D---- C:\Program Files\Common Files\MSSoap
2009-07-09 13:14:53 ----D---- C:\WINDOWS\srchasst
2009-07-09 13:14:52 ----D---- C:\WINDOWS\system32\Macromed
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wups.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\qmgr.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2009-07-09 13:14:46 ----D---- C:\Program Files\Movie Maker
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-07-09 13:14:40 ----D---- C:\WINDOWS\system32\Restore
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srclient.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\fltmc.exe
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\fltlib.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\msconf.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\ils.dll
2009-07-09 13:14:37 ----D---- C:\Program Files\NetMeeting
2009-07-09 13:14:37 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-07-09 13:14:37 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-07-09 13:14:36 ----A---- C:\WINDOWS\system32\inetres.dll
2009-07-09 13:14:36 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-07-09 13:14:34 ----D---- C:\Program Files\Outlook Express
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\schedsvc.dll
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\mstask.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\isign32.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-07-09 13:14:29 ----D---- C:\Program Files\Common Files\System
2009-07-09 13:14:28 ----D---- C:\Program Files\Internet Explorer
2009-07-09 13:14:19 ----D---- C:\Program Files\ComPlus Applications
2009-07-09 13:14:17 ----A---- C:\WINDOWS\vbaddin.ini
2009-07-09 13:14:17 ----A---- C:\WINDOWS\vb.ini
2009-07-09 13:14:14 ----D---- C:\WINDOWS\Registration
2009-07-09 13:13:54 ----D---- C:\Program Files\Windows Media Player
2009-07-09 13:13:54 ----D---- C:\Program Files\Online Services
2009-07-09 13:13:50 ----D---- C:\Program Files\Messenger
2009-07-09 13:13:47 ----D---- C:\Program Files\MSN Gaming Zone
2009-07-09 13:13:47 ----A---- C:\WINDOWS\system32\write.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\winchat.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\sndvol32.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\hticons.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avwav.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avtapi.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avmeter.dll
2009-07-09 13:13:35 ----A---- C:\WINDOWS\system32\getuname.dll
2009-07-09 13:13:35 ----A---- C:\WINDOWS\system32\charmap.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\winmine.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\sol.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\reset.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\mshearts.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\freecell.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\calc.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tslabels.ini
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tskill.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tscon.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\shadow.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\rwinsta.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\regini.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\qwinsta.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\qappsrv.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\msg.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\logoff.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\cdmodem.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxex.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxdm.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\comaddin.dll
2009-07-09 13:13:31 ----A---- C:\WINDOWS\system32\stclient.dll
2009-07-09 13:13:31 ----A---- C:\WINDOWS\system32\comsnap.dll
2009-07-09 13:13:28 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2009-07-09 13:13:18 ----D---- C:\Program Files\MSN
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-07-09 13:13:16 ----D---- C:\Program Files\Windows NT
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\spider.exe
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\termsrv.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-07-09 13:13:14 ----D---- C:\WINDOWS\system32\MsDtc
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-07-09 13:13:13 ----D---- C:\WINDOWS\system32\Com
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\colbact.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\comuid.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\cmprops.dll
2009-07-09 12:28:13 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-07-09 12:28:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-07-09 12:28:05 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-07-09 12:28:02 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-07-09 12:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-07-09 12:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-07-09 12:27:43 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-07-09 12:27:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-07-09 12:27:26 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2009-07-09 12:19:05 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2009-07-09 12:19:05 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2009-07-09 12:19:04 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2009-07-09 12:19:04 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-07-09 12:19:02 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-07-09 12:19:02 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-07-09 12:19:01 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2009-07-09 12:19:01 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-07-09 12:19:00 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-07-09 12:19:00 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2009-07-09 12:18:58 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2009-07-09 12:18:55 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2009-07-09 12:18:54 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2009-07-09 12:18:54 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2009-07-09 12:18:52 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2009-07-09 12:18:52 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2009-07-09 12:18:49 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2009-07-09 12:18:47 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-07-09 12:18:47 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-07-09 12:18:45 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-07-09 12:18:45 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-07-09 12:18:44 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-07-09 12:18:44 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-07-09 12:18:42 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-07-09 12:18:42 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-07-09 12:18:41 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-07-09 12:18:41 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-07-09 12:18:39 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-07-09 12:18:39 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-07-09 12:18:38 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-07-09 12:18:38 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-07-09 12:18:37 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-07-09 12:18:37 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2009-07-09 12:18:35 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2009-07-09 12:18:35 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-07-09 12:18:34 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2009-07-09 12:18:34 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2009-07-09 12:18:33 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2009-07-09 12:18:32 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2009-07-09 12:17:33 ----D---- C:\Program Files\SystemRequirementsLab
2009-07-09 12:07:06 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-07-09 12:07:00 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-07-09 12:06:50 ----D---- C:\Program Files\Windows Media Connect 2
2009-07-09 12:06:42 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2009-07-09 12:06:16 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-07-09 12:06:03 ----D---- C:\WINDOWS\system32\LogFiles
2009-07-09 12:05:53 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-07-09 12:05:24 ----SHD---- C:\RECYCLER
2009-07-09 12:05:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-09 12:05:17 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-09 12:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-09 12:05:08 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-09 12:05:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-09 12:04:58 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-09 12:04:54 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-07-09 12:04:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-09 12:04:43 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-09 12:04:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-09 12:04:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-09 12:04:13 ----HDC---- C:\WINDOWS\$NtUninstallKB969897$
2009-07-09 12:04:08 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-07-09 12:04:03 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-09 12:03:59 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-09 12:03:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-09 12:03:50 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-09 12:03:45 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-09 12:03:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-09 12:03:08 ----A---- C:\WINDOWS\system32\ksuser.dll
2009-07-09 12:02:59 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-09 12:02:55 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2009-07-09 12:02:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-09 12:02:34 ----D---- C:\WINDOWS\ie8updates
2009-07-09 12:02:24 ----D---- C:\WINDOWS\WBEM
2009-07-09 12:01:39 ----HDC---- C:\WINDOWS\ie8
2009-07-09 11:59:27 ----HD---- C:\WINDOWS\msdownld.tmp
2009-07-09 11:59:22 ----D---- C:\WINDOWS\Logs
2009-07-09 11:56:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-09 11:55:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-09 11:55:04 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-09 11:54:59 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-09 11:54:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-09 11:54:49 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-09 11:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-09 11:54:38 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-09 11:54:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-09 11:54:25 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-09 11:51:51 ----D---- C:\WINDOWS\Prefetch
2009-07-09 11:47:33 ----D---- C:\WINDOWS\system32\en-us
2009-07-09 11:47:32 ----D---- C:\WINDOWS\system32\scripting
2009-07-09 11:47:32 ----D---- C:\WINDOWS\l2schemas
2009-07-09 11:47:31 ----D---- C:\WINDOWS\system32\en
2009-07-09 11:47:31 ----D---- C:\WINDOWS\system32\bits
2009-07-09 11:45:50 ----D---- C:\Program Files\Common Files\Adobe
2009-07-09 11:44:56 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-09 11:43:43 ----D---- C:\Program Files\Adobe
2009-07-09 11:43:35 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-09 11:43:32 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-07-09 11:42:23 ----D---- C:\WINDOWS\network diagnostic
2009-07-09 11:40:46 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-07-09 11:40:45 ----D---- C:\Program Files\NOS
2009-07-09 11:40:04 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-09 11:39:39 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Macromedia
2009-07-09 11:39:39 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Adobe
2009-07-09 11:37:10 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-09 11:36:31 ----D---- C:\Program Files\Mozilla Firefox
2009-07-09 11:31:30 ----A---- C:\WINDOWS\system32\wpa.bak
2009-07-09 11:30:25 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-07-09 11:09:08 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-07-09 10:54:45 ----D---- C:\WINDOWS\system32\PreInstall
2009-07-09 10:54:44 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-07-09 10:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2009-07-09 10:54:25 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2009-07-09 10:30:05 ----D---- C:\Program Files\McAfee
2009-07-09 10:28:35 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Identities
2009-07-09 10:28:34 ----HD---- C:\Program Files\Uninstall Information
2009-07-09 10:28:31 ----SD---- C:\Documents and Settings\Chris Diaz\Application Data\Microsoft
2009-07-09 10:28:31 ----ASH---- C:\Documents and Settings\Chris Diaz\Application Data\desktop.ini
2009-07-09 10:22:09 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-07-09 06:12:04 ----A---- C:\WINDOWS\system32\h323log.txt
2009-07-09 06:08:25 ----A---- C:\WINDOWS\system32\usbui.dll
2009-07-09 06:07:37 ----A---- C:\WINDOWS\imsins.BAK
2009-07-09 06:07:35 ----SHD---- C:\WINDOWS\Installer
2009-07-09 06:07:35 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-09 06:07:34 ----D---- C:\Program Files\Common Files\ODBC
2009-07-09 06:07:34 ----A---- C:\WINDOWS\ODBCINST.INI
2009-07-09 06:07:32 ----RD---- C:\Program Files
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdur.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdru.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2009-07-09 06:07:26 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdest.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdro.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\irclass.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\dgsetup.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2009-07-09 06:07:20 ----N---- C:\WINDOWS\system32\CONFIG.TMP
2009-07-09 06:07:20 ----A---- C:\WINDOWS\TASKMAN.EXE
2009-07-09 06:07:20 ----A---- C:\WINDOWS\system32\batt.dll
2009-07-09 06:07:19 ----A---- C:\WINDOWS\system32\storprop.dll
2009-07-09 06:07:19 ----A---- C:\WINDOWS\notepad.exe
2009-07-09 06:07:13 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-07-09 06:07:12 ----RA---- C:\WINDOWS\SET25.tmp
2009-07-09 06:07:10 ----RA---- C:\WINDOWS\SET8.tmp
2009-07-09 06:07:08 ----RA---- C:\WINDOWS\SET4.tmp
2009-07-09 06:07:06 ----RA---- C:\WINDOWS\SET3.tmp
2009-07-09 06:07:02 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-09 06:07:02 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-09 06:06:56 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-07-09 06:06:36 ----A---- C:\WINDOWS\setuplog.txt
2009-07-09 06:06:33 ----SHD---- C:\System Volume Information
2009-07-09 06:06:33 ----D---- C:\Documents and Settings
2009-07-09 06:05:50 ----SH---- C:\boot.ini
2009-07-08 11:56:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-08 11:56:07 ----RSD---- C:\WINDOWS\Fonts
2009-07-08 11:56:07 ----RD---- C:\WINDOWS\Web
2009-07-08 11:56:07 ----HD---- C:\WINDOWS\inf
2009-07-08 11:56:07 ----D---- C:\WINDOWS\WinSxS
2009-07-08 11:56:07 ----D---- C:\WINDOWS\twain_32
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\wins
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\wbem
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\usmt
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\spool
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ShellExt
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\Setup
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ras
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\oobe
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\npp
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\mui
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\inetsrv
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\IME
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\icsxml
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ias
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\export
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\drivers
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\dhcp
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\config
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\3com_dmi
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\3076
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\2052
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1054
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1042
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1041
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1037
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1033
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1031
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1028
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1025
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system
2009-07-08 11:56:07 ----D---- C:\WINDOWS\security
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Resources
2009-07-08 11:56:07 ----D---- C:\WINDOWS\repair
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Provisioning
2009-07-08 11:56:07 ----D---- C:\WINDOWS\PeerNet
2009-07-08 11:56:07 ----D---- C:\WINDOWS\pchealth
2009-07-08 11:56:07 ----D---- C:\WINDOWS\mui
2009-07-08 11:56:07 ----D---- C:\WINDOWS\msapps
2009-07-08 11:56:07 ----D---- C:\WINDOWS\msagent
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Media
2009-07-08 11:56:07 ----D---- C:\WINDOWS\java
2009-07-08 11:56:07 ----D---- C:\WINDOWS\ime
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Help
2009-07-08 11:56:07 ----D---- C:\WINDOWS\ehome
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Driver Cache
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Debug
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Cursors
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Connection Wizard
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Config
2009-07-08 11:56:07 ----D---- C:\WINDOWS\AppPatch
2009-07-08 11:56:07 ----D---- C:\WINDOWS\addins
2009-07-08 11:56:07 ----D---- C:\WINDOWS
2009-07-08 11:56:07 ----AD---- C:\WINDOWS\Temp
======List of files/folders modified in the last 1 months======
2009-07-28 16:50:23 ----A---- C:\WINDOWS\system32\user32.DLL
2009-07-19 18:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 09:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-09 12:06:54 ----A---- C:\WINDOWS\win.ini
2009-07-09 06:07:31 ----A---- C:\WINDOWS\system.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-12-01 201320]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2007-12-01 55016]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-20 2317696]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-06-10 8087712]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 ayzvlt49;ayzvlt49; C:\WINDOWS\system32\drivers\ayzvlt49.sys []
S3 MfeAVFK;McAfee Inc. MfeAVFK; C:\WINDOWS\system32\drivers\MfeAVFK.sys [2007-12-01 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK; C:\WINDOWS\system32\drivers\MfeBOPK.sys [2007-12-01 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK; C:\WINDOWS\system32\drivers\MfeRKDK.sys [2007-12-01 33832]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-12 152984]
R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-06-10 168004]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-07-17 75064]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-08-02 189672]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 17408]
-----------------EOF-----------------
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3
8/3/2009 5:12:53 PM
mbam-log-2009-08-03 (17-12-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 109693
Time elapsed: 7 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 7
Registry Values Infected: 9
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 22
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\228390.dll (Hijack.LSP) -> Delete on reboot.
C:\WINDOWS\system32\hs7f3uhduhfukde.dll (Trojan.Ertfor) -> Delete on reboot.
C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nvrsk.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{94977f5a-3e3d-d5f0-5c01-2bd493e1c27f} (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appibvt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ydutodhdepmtg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msWindows restore service (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Chris Diaz\meqsq.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ghaf8jkdfd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\hs7f3uhduhfukde.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\nvrsk.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\228390.dll (Hijack.LSP) -> Delete on reboot.
C:\Documents and Settings\Chris Diaz\rrwk.exe (Backdoor.Tofsee) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sgcnowj0ee0a.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qgcjowj0ee0a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fq.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\srrqe4mq6.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\services.exe (Password.Stealer) -> Delete on reboot.
C:\Documents and Settings\Chris Diaz\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\sfjh98w3jkdmfkd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris Diaz\Local Settings\Temp\ke0et.exe (Trojan.Dropper) -> Delete on reboot.
Information
REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
LimeWire 5.1.4
Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
----------------------------------------------------------------------------------------
Step 1
Submit a File For Analysis
We need to have the files below scanned by uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\WINDOWS\system32\vxbik.exe
Click Submit/Send File
When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
----------------------------------------------------------------------------------------
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
----------------------------------------------------------------------------------------
Step 3
Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
Virus Total Results
ComboFix Log
Kaspersky log
How are things running now?
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, August 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, August 04, 2009 00:15:16
Records in database: 2577736
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 27838
Threat name: 5
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 00:36:25
File name / Threat name / Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\vxbik.exe/C:\WINDOWS\system32\vxbik.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Documents and Settings\Chris Diaz\meqsq.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Documents and Settings\Chris Diaz\My Documents\Downloads\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Documents and Settings\Chris Diaz\nukqkt.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Infected: Trojan.Win32.Patched.gq 1
C:\WINDOWS\system32\fpu.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\WINDOWS\system32\vxbik.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1
The selected area was scanned.
ComboFix 09-08-03.04 - Chris Diaz 08/03/2009 19:00.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1675 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:24 . 2009-08-02 11:24 32768 ---h--w- c:\documents and settings\Chris Diaz\meqsq.exe
2009-08-02 11:24 . 2009-08-02 11:24 32768 ----a-w- c:\windows\system32\vxbik.exe
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-31 10:01 . 2009-07-31 10:01 32768 ---h--w- c:\documents and settings\Chris Diaz\nukqkt.exe
2009-07-31 10:01 . 2009-07-31 10:01 32768 ----a-w- c:\windows\system32\fpu.exe
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:53 . 2009-07-28 20:53 32256 ---h--w- c:\documents and settings\Chris Diaz\wafayoh.exe
2009-07-28 20:53 . 2009-07-28 20:53 32256 ----a-w- c:\windows\system32\aev.exe
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-02 22:30 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-02 22:29 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:01 . 2009-07-12 14:01 -------- d-----w- c:\program files\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 13:59 . 2009-07-12 14:00 -------- d-----w- c:\program files\LimeWire
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-10 03:43 . 2009-07-10 03:43 -------- d-sh--w- c:\documents and settings\Chris Diaz\IECompatCache
2009-07-09 21:36 . 2009-07-09 21:36 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Identities
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 20:57 . 2009-07-09 20:57 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Mozilla
2009-07-09 20:49 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-07-09 20:49 . 2009-08-03 20:45 -------- d-----w- c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.
Infected c:\windows\system32\user32.dll hex repaired
------- Sigcheck -------
[7] 2006-02-28 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 281CCAB31BFBA7930981BE229AE3E222 c:\windows\system32\winlogon.exe
[7] 2006-02-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-12 136600]
"vxbik"="c:\windows\system32\vxbik.exe" [2009-08-02 32768]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\aev.exe"=
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=
"c:\\WINDOWS\\system32\\fpu.exe"=
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=
"c:\\WINDOWS\\system32\\vxbik.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 19:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\ACTIVEDS.dll
- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-03 19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 23:05
Pre-Run: 700,581,122,048 bytes free
Post-Run: 700,568,174,592 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
240 --- E O F --- 2009-07-29 21:08
http://www.virustotal.com/analisis/cf3078b10567f6741be6f7f199d80583e1bee6cb60b3e95593201ca3bb7e559a-1249126567
This machine does not have the Microsoft Windows Recovery Console installed. Without it, ComboFix shall not attempt the fixing of some serious infections.
Click yes to have ComboFix download and install.
I hit yes, but that was not in the tutorial.
So far it's faster. I have folder options back, I have regedit back, but it still shows a lot of infected files. I forgot to take LimeWire off before I did all this, sorry. Thanks a lot for the help, I appreciate it.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=326195#post326195
Collect::[4]
C:\Documents and Settings\Chris Diaz\meqsq.exe
C:\Documents and Settings\Chris Diaz\nukqkt.exe
C:\WINDOWS\system32\fpu.exe
C:\WINDOWS\system32\vxbik.exe
c:\documents and settings\Chris Diaz\wafayoh.exe
c:\windows\system32\aev.exe
Folder::
c:\documents and settings\Chris Diaz\Application Data\LimeWire
c:\documents and settings\Chris Diaz\Application Data\BitTorrent
c:\Program Files\BitTorrent
c:\Program Files\LimeWire
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"SunJavaUpdateSched"=-
"vxbik"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"c:\\WINDOWS\\system32\\aev.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=-
"c:\\WINDOWS\\system32\\fpu.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=-
"c:\\WINDOWS\\system32\\vxbik.exe"=-
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
ComboFix 09-08-03.07 - Chris Diaz 08/04/2009 6:01.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1695 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Diaz\Desktop\CFScript.txt
file zipped: c:\windows\system32\aev.exe
file zipped: c:\windows\system32\fpu.exe
file zipped: c:\windows\system32\vxbik.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\BitTorrent
c:\program files\BitTorrent\bittorrent.exe
c:\program files\BitTorrent\BitTorrentIE.2.dll
c:\program files\BitTorrent\uninst.exe
c:\program files\LimeWire
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.1.4.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-1.7.0_java15.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot.jar
c:\program files\LimeWire\lib\guice-snapshot.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta1.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.1-x64.dll
c:\program files\LimeWire\lib\jacob-1.14.1-x86.dll
c:\program files\LimeWire\lib\jacob-1.14.1.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\jxlayer.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\swing-worker-1.1.jar
c:\program files\LimeWire\lib\swingx-0.9.4.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\windows\system32\aev.exe
c:\windows\system32\fpu.exe
c:\windows\system32\vxbik.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:24 . 2009-08-02 11:24 32768 ---h--w- c:\documents and settings\Chris Diaz\meqsq.exe
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-31 10:01 . 2009-07-31 10:01 32768 ---h--w- c:\documents and settings\Chris Diaz\nukqkt.exe
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:53 . 2009-07-28 20:53 32256 ---h--w- c:\documents and settings\Chris Diaz\wafayoh.exe
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-04 09:01 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-04 09:00 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-10 03:43 . 2009-07-10 03:43 -------- d-sh--w- c:\documents and settings\Chris Diaz\IECompatCache
2009-07-09 21:36 . 2009-07-09 21:36 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Identities
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 20:57 . 2009-07-09 20:57 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Mozilla
2009-07-09 20:49 . 2009-08-04 02:15 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-07-09 20:49 . 2009-08-04 01:53 -------- d-----w- c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.
------- Sigcheck -------
[7] 2006-02-28 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 281CCAB31BFBA7930981BE229AE3E222 c:\windows\system32\winlogon.exe
[7] 2006-02-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-03_23.04.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-04 09:53 . 2009-08-04 09:53 16384 c:\windows\Temp\Perflib_Perfdata_674.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 06:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-04 6:04
ComboFix-quarantined-files.txt 2009-08-04 10:04
ComboFix2.txt 2009-08-03 23:05
Pre-Run: 699,980,046,336 bytes free
Post-Run: 699,995,975,680 bytes free
284 --- E O F --- 2009-07-29 21:08
Upload was successful
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=326277#post326277
Suspect::[4]
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\Documents and Settings\Chris Diaz\wafayoh.exe
File::
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\Documents and Settings\Chris Diaz\wafayoh.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=-
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe|c:\windows\system32\winlogon.exe
c:\windows\system32\dllcache\beep.sys|C:\WINDOWS\SYSTEM32\DRIVERS\beep.sys
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
ComboFix 09-08-04.02 - Chris Diaz 08/04/2009 17:52.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1718 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Diaz\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\Chris Diaz\meqsq.exe"
"c:\documents and settings\Chris Diaz\nukqkt.exe"
"c:\documents and settings\Chris Diaz\wafayoh.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\system32\dllcache\beep.sys --> c:\windows\SYSTEM32\DRIVERS\beep.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.
2009-08-04 21:52 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-04 21:52 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:24 . 2009-08-02 11:24 32768 ---h--w- c:\documents and settings\Chris Diaz\meqsq.exe
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-31 10:01 . 2009-07-31 10:01 32768 ---h--w- c:\documents and settings\Chris Diaz\nukqkt.exe
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:53 . 2009-07-28 20:53 32256 ---h--w- c:\documents and settings\Chris Diaz\wafayoh.exe
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-04 09:01 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-04 09:00 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-10 03:43 . 2009-07-10 03:43 -------- d-sh--w- c:\documents and settings\Chris Diaz\IECompatCache
2009-07-09 21:36 . 2009-07-09 21:36 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Identities
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 20:57 . 2009-07-09 20:57 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Mozilla
2009-07-09 20:49 . 2009-08-04 02:15 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-07-09 20:49 . 2009-08-04 01:53 -------- d-----w- c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-03_23.04.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-04 21:44 . 2009-08-04 21:44 16384 c:\windows\Temp\Perflib_Perfdata_1d0.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 17:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-04 17:55
ComboFix-quarantined-files.txt 2009-08-04 21:55
ComboFix2.txt 2009-08-04 10:05
ComboFix3.txt 2009-08-03 23:05
Pre-Run: 700,007,219,200 bytes free
Post-Run: 699,961,929,728 bytes free
207 --- E O F --- 2009-07-29 21:08
Can you clue me in to what is going on still, or what I might still have left in the machine? Is it safe to use the computer for online banking? Thank you very much for your time and help.
Information
Can you clue me in to what is going on still, or what I might still have left in the machine? Is it safe to use the computer for online banking?
I wouldn't do any online banking at the moment.
There are three files that are proving harder to remove than they normally should, and they are related to a password stealer infection.
Do you know why all these are in your trusted zone?
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
----------------------------------------------------------------------------------------
Step 1
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Rootkit::
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\documents and settings\Chris Diaz\wafayoh.exe
FileLook::
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\documents and settings\Chris Diaz\wafayoh.exe
Folder::
c:\documents and settings\Chris Diaz\Application Data\LimeWire
c:\documents and settings\Chris Diaz\Application Data\BitTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=-
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------------------------------------
Step 2
Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK
Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
Combofix Log
Active Scan Log
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-04 20:44:05
PROTECTIONS: 0
MALWARE: 5
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip
00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip
01177254 W32/Patchlog.D Virus No 0 No No C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\System Volume Information\_restore{3C0979F7-8103-4B7A-B79F-6805CD9688B9}\RP1\A0000351.exe
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir
01230278 W32/PatchLog.gen Virus No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{3C0979F7-8103-4B7A-B79F-6805CD9688B9}\RP1\A0000486.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090801-181030-835.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090801-080659-936.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090729-175843-747.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090729-175809-399.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090729-175733-126.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090729-175645-498.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Chris Diaz\nukqkt.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Chris Diaz\meqsq.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Trend Micro\HijackThis\backups\backup-20090729-175824-561.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Chris Diaz\wafayoh.exe
No C:\System Volume Information\_restore{3C0979F7-8103-4B7A-B79F-6805CD9688B9}\RP1\A0000270.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
ComboFix 09-08-04.02 - Chris Diaz 08/04/2009 19:31.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1730 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Diaz\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.
2009-08-04 21:52 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-04 21:52 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:24 . 2009-08-02 11:24 32768 ---h--w- c:\documents and settings\Chris Diaz\meqsq.exe
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-31 10:01 . 2009-07-31 10:01 32768 ---h--w- c:\documents and settings\Chris Diaz\nukqkt.exe
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:53 . 2009-07-28 20:53 32256 ---h--w- c:\documents and settings\Chris Diaz\wafayoh.exe
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-04 09:01 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-04 09:00 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-10 03:43 . 2009-07-10 03:43 -------- d-sh--w- c:\documents and settings\Chris Diaz\IECompatCache
2009-07-09 21:36 . 2009-07-09 21:36 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Identities
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 20:57 . 2009-07-09 20:57 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Mozilla
2009-07-09 20:49 . 2009-08-04 02:15 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-07-09 20:49 . 2009-08-04 01:53 -------- d-----w- c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-03_23.04.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-04 23:34 . 2009-08-04 23:34 16384 c:\windows\Temp\Perflib_Perfdata_490.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 19:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2684)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-04 19:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 23:35
ComboFix2.txt 2009-08-04 21:55
ComboFix3.txt 2009-08-04 10:05
ComboFix4.txt 2009-08-03 23:05
Pre-Run: 700,003,393,536 bytes free
Post-Run: 699,956,719,616 bytes free
208 --- E O F --- 2009-07-29 21:08
Do you know why all these are in your Trusted Zone?
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
OK, we're getting nowhere fast there. Let's try a different method.
OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop
Double-click OTM.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Processes)
:Processes
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=-
:Files
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\Documents and Settings\Chris Diaz\wafayoh.exe
:Commands
[Purity]
[EmptyTemp]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
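The :Reg block above removes three values from the Windows XP firewall's AuthorizedApplications list, which is where the malware had whitelisted itself so that the firewall would not block its traffic. The script below is an added example for this thread, not code from OTM, ComboFix or any poster: it reads a .reg export of that key, flags authorised executables that run from locations legitimate software does not use (user-profile root, Temp, browser cache, Recycle Bin) or whose display name pretends to be a Windows component, and emits the matching deletion lines in the OTM :Reg syntax. The export in SAMPLE_REG_EXPORT is constructed; the two user-profile paths reuse names that appear in the thread, the other two entries are invented.

```python
"""Triage of the XP firewall 'AuthorizedApplications' list from a .reg export.

Added example for this thread, not code from OTM, ComboFix or the poster.
It flags executables that were whitelisted through the Windows Firewall but
run from places legitimate software does not use, and emits the matching
lines in the OTM ':Reg' syntax. The export below is constructed: the two
user-profile paths reuse names from the thread, the rest is invented.
"""
import re
from typing import Dict, List

FIREWALL_KEY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess'
                r'\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List')

# Constructed .reg export (what `reg export` of the key looks like; .reg syntax
# doubles backslashes). Value data is "path:scope:Enabled|Disabled:display name".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"="c:\\Documents and Settings\\Chris Diaz\\meqsq.exe:*:Enabled:meqsq"
"C:\\DOCUME~1\\CHRISD~1\\LOCALS~1\\Temp\\vs7xj.exe"="C:\\DOCUME~1\\CHRISD~1\\LOCALS~1\\Temp\\vs7xj.exe:*:Enabled:Windows Update"
'''

VALUE_RE = re.compile(r'^"(?P<name>.+?)"="(?P<data>.*)"$')
# path (optionally with a drive-letter colon), then scope, state and display name
DATA_RE = re.compile(r'^(?P<path>(?:[A-Za-z]:)?[^:]+):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<display>.*)$')

# Locations from which a firewall-authorised executable deserves a second look.
SUSPICIOUS_DIRS = [
    (re.compile(r'\\documents and settings\\[^\\]+\\[^\\]+$'), 'executable in user-profile root'),
    (re.compile(r'\\docume~1\\[^\\]+\\[^\\]+$'), 'executable in user-profile root'),
    (re.compile(r'\\temp\\'), 'executable in a Temp directory'),
    (re.compile(r'\\temporary internet files\\'), 'executable in browser cache'),
    (re.compile(r'\\recycler\\'), 'executable in Recycle Bin'),
]
# Prefixes under which a "Windows ..." / "Microsoft ..." display name is plausible.
SYSTEM_PREFIXES = ('%windir%', '%systemroot%', 'c:\\windows\\', 'c:\\program files\\', '%programfiles%')


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map value name -> value data, undoing the .reg backslash doubling."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m['name'].replace('\\\\', '\\')] = m['data'].replace('\\\\', '\\')
    return entries


def triage(reg_text: str) -> List[dict]:
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for name, data in parse_reg_export(reg_text).items():
        m = DATA_RE.match(data)
        if not m:
            findings.append({'path': name, 'state': '?', 'display': '', 'reasons': ['malformed value data']})
            continue
        path, state, display = m['path'], m['state'], m['display']
        low = path.lower()
        reasons = [why for rx, why in SUSPICIOUS_DIRS if rx.search(low)]
        if ('windows' in display.lower() or 'microsoft' in display.lower()) and not low.startswith(SYSTEM_PREFIXES):
            reasons.append('display name impersonates a Windows component')
        if reasons:
            findings.append({'path': path, 'state': state, 'display': display, 'reasons': reasons})
    return findings


def otm_reg_script(findings: List[dict]) -> List[str]:
    """OTM ':Reg' lines that delete the flagged values (the '=-' form used in the thread)."""
    lines = [':Reg', '[' + FIREWALL_KEY + ']']
    for f in findings:
        lines.append('"%s"=-' % f['path'].replace('\\', '\\\\'))
    return lines


if __name__ == '__main__':
    for f in triage(SAMPLE_REG_EXPORT):
        print(f['path'], f['state'], '->', '; '.join(f['reasons']))
    print('\n'.join(otm_reg_script(triage(SAMPLE_REG_EXPORT))))
```

On a live machine the input would come from `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" fw.reg` (note that `reg export` writes UTF-16, so open the file with that encoding). A hit in the profile root or Temp is a lead, not proof; a malware author can just as easily whitelist a file under Program Files, so the registry value is evidence of intent only once the file itself has been identified.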
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\\Documents and Settings\\Chris Diaz\\meqsq.exe not found.
========== FILES ==========
File/Folder c:\documents and settings\Chris Diaz\meqsq.exe not found.
File/Folder c:\documents and settings\Chris Diaz\nukqkt.exe not found.
File/Folder c:\Documents and Settings\Chris Diaz\wafayoh.exe not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Chris Diaz
->Temp folder emptied: 99168 bytes
->Temporary Internet Files folder emptied: 1180266 bytes
->Java cache emptied: 127542 bytes
->FireFox cache emptied: 58179612 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 2176856 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 58.97 mb
OTM by OldTimer - Version 3.0.0.5 log created on 08052009_055527
Files moved on Reboot...
Registry entries deleted on Reboot...
Right, something strange is going on here???
Are you altering the logs in any way?
Is Chris Diaz your profile name?
Please do the following ...
----------------------------------------------------------------------------------------
Step 1
Upload a File
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)
Unzip it to the desktop, open it and paste in the list of files below, press Next and it will create an archive (zip/cab file) on the desktop.
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\Documents and Settings\Chris Diaz\wafayoh.exe
Go to spykiller (http://thespykiller.co.uk/index.php?board=1.0)
Please start a new thread titled "File/s for Katana" and give the following information:
Name:-- Your name
E-mail:-- Your E-mail (this is confidential and will not be displayed)
Subject:-- File for Katana
In the main text window please put the following link
http://forums.spybot.info/showthread.php?p=326454#post326454
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.
Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload; anybody can upload the files.
You can now delete SFP (exe and zip) along with the .cab file that was created.
----------------------------------------------------------------------------------------
Step 2
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:dir
c:\documents and settings\Chris Diaz
:file
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\Documents and Settings\Chris Diaz\wafayoh.exe
:filefind
meqsq.exe
nukqkt.exe
wafayoh.exe
:comment
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------------------------------------------------------------------------------------
Step 3
Please run RSIT again (Only one log will be produced)
----------------------------------------------------------------------------------------
Step 4
SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab. In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
Link to your SpyKiller topic
System Look Log
RSIT Log.txt
Sysprot Log
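Step 4 asks for a SysProt log, and the output that tool writes (a kernel module list with a Hidden flag, SSDT entries attributed to a driver, IRP dispatch hooks with a jump address and an owning module or `_unknown_`) is what the helper then has to read by hand. The script below is an added example for this thread, not SysProt's code or anything a poster wrote. It parses that `key: value` record layout from a constructed excerpt (SAMPLE_LOG, invented but in SysProt's format), lists hidden modules with a first-pass verdict, groups SSDT hooks by the driver that owns them, and, for IRP hooks SysProt could not attribute, looks the jump address up in the module ranges to name the owner where one exists. The "expected noise" rule for `dump_*` drivers (the crash-dump driver copies Windows keeps loaded) and the suggestion that a driver hooking `\Driver\sptd` belongs to the SPTD layer that DAEMON Tools installs are analyst assumptions to confirm against the actual machine; a hidden module or an unresolved jump target is a lead to chase, not a verdict.

```python
"""Triage of a SysProt Antirootkit log (hidden modules, SSDT and IRP hooks).
Added example, not SysProt's code; SAMPLE_LOG is a constructed excerpt in its
layout and the 'expected noise' rules are analyst assumptions, not verdicts."""
import re
from collections import defaultdict

SECTION_HEADERS = {'Process:': 'processes', 'Kernel Modules:': 'modules', 'SSDT:': 'ssdt', 'IRP Hooks:': 'irp'}
RECORD_START = {'Name', 'Module Name', 'Function Name', 'Hooked Module'}
RANDOM_NAME = re.compile(r'^[a-z0-9]{8}\.sys$', re.I)   # eight random alphanumerics, e.g. a6ym5izf.SYS
DUMP_DRIVER = re.compile(r'\\dump_[^\\]+$', re.I)        # crash-dump driver copies (assumed benign)

# Constructed excerpt in SysProt's record layout (not a real log).
SAMPLE_LOG = r"""Kernel Modules:
Module Name: spif.sys
Module Base: B7EA6000
Module End: B7FA7000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Module Base: B70C2000
Module End: B70FA000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Module Base: B3F11000
Module End: B3F29000
Hidden: Yes
SSDT:
Function Name: ZwCreateKey
Address: B7EA70E0
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
******
No Kernel Hooks found
******
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: B70C3000
Hooking Module: _unknown_
"""

def parse_sysprot(text):
    """Split the log into sections of records; a record starts at its first key."""
    sections = {v: [] for v in SECTION_HEADERS.values()}
    current, record = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current, record = SECTION_HEADERS[line], None
            continue
        key, sep, value = line.partition(':')
        if current is None or not sep:
            continue                 # preamble, banner, blank or "No Kernel Hooks found"
        if key.strip() in RECORD_START:
            record = {}
            sections[current].append(record)
        if record is not None:
            record[key.strip()] = value.strip()
    return sections

def module_at(address, modules):
    """Module whose [Base, End) range contains address, else None."""
    for m in modules:
        lo, hi = int(m.get('Module Base', '0'), 16), int(m.get('Module End', '0'), 16)
        if lo <= address < hi:
            return m
    return None

def triage(text):
    s = parse_sysprot(text)
    hidden, irp, by_driver = [], [], defaultdict(list)
    for m in s['modules']:
        if m.get('Hidden') != 'Yes':
            continue
        name = m.get('Module Name', '')
        if DUMP_DRIVER.search(name):
            hidden.append((name, 'expected: crash-dump driver copy'))
        elif RANDOM_NAME.match(name.rsplit('\\', 1)[-1]):
            hidden.append((name, 'investigate: randomly named hidden driver'))
        else:
            hidden.append((name, 'investigate: hidden driver'))
    for h in s['ssdt']:
        by_driver[h.get('Driver Name', '?')].append(h.get('Function Name', '?'))
    for h in s['irp']:
        hooking, target = h.get('Hooking Module', ''), h.get('Jump To', '')
        if hooking == '_unknown_' and re.fullmatch(r'[0-9A-Fa-f]+', target):
            owner = module_at(int(target, 16), s['modules'])   # SysProt named no owner: try the ranges
            hooking = (owner['Module Name'].rsplit('\\', 1)[-1] + ' (resolved from address)'
                       if owner else '_unknown_ (target outside every listed module)')
        irp.append((h.get('Hooked Module'), h.get('Hooked IRP'), target, hooking))
    return {'hidden_modules': hidden, 'ssdt_by_driver': dict(by_driver), 'irp_hooks': irp}
```

Run it as `python sysprot_triage.py` after pointing `triage()` at the saved log text, or call `triage(open('sysprot.txt').read())` from a shell. The address lookup is the part worth keeping: a jump target that lands inside a hidden, randomly named module ties the IRP hook to that module even though SysProt printed `_unknown_`, whereas a target outside every listed range usually means a device object or filter living in pool memory, which is normal for disk-emulation and antivirus drivers and needs the machine's installed software (here, DAEMON Tools and McAfee drivers are both present) reconciled before it is called malicious.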
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No
Name: System
PID: 4
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\smss.exe
PID: 476
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\csrss.exe
PID: 540
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\winlogon.exe
PID: 564
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\services.exe
PID: 608
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\lsass.exe
PID: 620
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 768
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 804
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 856
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 920
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 964
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 1012
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1280
Hidden: No
Window Visible: No
Name: C:\WINDOWS\explorer.exe
PID: 1392
Hidden: No
Window Visible: No
Name: C:\WINDOWS\ALCXMNTR.EXE
PID: 1512
Hidden: No
Window Visible: No
Name: C:\WINDOWS\AGRSMMSG.exe
PID: 1520
Hidden: No
Window Visible: No
Name: C:\Program Files\DAEMON Tools Lite\daemon.exe
PID: 1548
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1556
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 536
Hidden: No
Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 840
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\PnkBstrA.exe
PID: 944
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\PnkBstrB.exe
PID: 1008
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\alg.exe
PID: 2004
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\wscntfy.exe
PID: 208
Hidden: No
Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe
PID: 420
Hidden: No
Window Visible: No
Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 396
Hidden: No
Window Visible: No
Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1184
Hidden: No
Window Visible: No
Name: C:\Documents and Settings\Chris Diaz\Desktop\SysProt\SysProt.exe
PID: 4008
Hidden: No
Window Visible: Yes
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Chris Diaz\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B259B000
Module End: B25A6000
Hidden: No
Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806CF680
Hidden: No
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806D0000
Module End: 806F0300
Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: B85A8000
Module End: B85AA000
Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: B84B8000
Module End: B84BB000
Hidden: No
Module Name: spif.sys
Service Name: ---
Module Base: B7EA6000
Module End: B7FA7000
Hidden: Yes
Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: B85AA000
Module End: B85AC000
Hidden: No
Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: B7E8E000
Module End: B7EA6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B7E60000
Module End: B7E8E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B7E4F000
Module End: B7E60000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: B80A8000
Module End: B80B8000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: B80B8000
Module End: B80C6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: B80C8000
Module End: B80D2000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: B8670000
Module End: B8671000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: B8328000
Module End: B832F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: B80D8000
Module End: B80E3000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B7E30000
Module End: B7E4F000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: B8330000
Module End: B8335000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pavboot.sys
Service Name: pavboot
Module Base: B8338000
Module End: B833E000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: B80E8000
Module End: B80F5000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B7E18000
Module End: B7E30000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: B80F8000
Module End: B8101000
Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: B8108000
Module End: B8115000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: B7DF8000
Module End: B7E18000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B7DE6000
Module End: B7DF8000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: B8118000
Module End: B8121000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B7DCF000
Module End: B7DE6000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B7D42000
Module End: B7DCF000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B7D15000
Module End: B7D42000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B7CFB000
Module End: B7D15000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\gagp30kx.sys
Service Name: gagp30kx
Module Base: B8128000
Module End: B8134000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\processr.sys
Service Name: Processor
Module Base: B81E8000
Module End: B81F1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B74E5000
Module End: B7C9C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B74D1000
Module End: B74E5000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: B81F8000
Module End: B8203000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: B8208000
Module End: B8218000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: B8218000
Module End: B8227000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B74AE000
Module End: B74D1000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: B7278000
Module End: B74AE000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B7254000
Module End: B7278000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: B8228000
Module End: B8237000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: B8398000
Module End: B839D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B7230000
Module End: B7254000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: B83A0000
Module End: B83A8000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\sisnic.sys
Service Name: SISNIC
Module Base: B83A8000
Module End: B83B0000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: B70FA000
Module End: B7230000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: B83B0000
Module End: B83B8000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: B8238000
Module End: B8248000
Hidden: No
Module Name: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Service Name: ---
Module Base: B70C2000
Module End: B70FA000
Hidden: Yes
Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: B8248000
Module End: B8258000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: B8578000
Module End: B857C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: B70AE000
Module End: B70C2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: B8258000
Module End: B8265000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: B8418000
Module End: B841E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: B874E000
Module End: B874F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: B8268000
Module End: B8275000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: B857C000
Module End: B857F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B7097000
Module End: B70AE000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B8278000
Module End: B8283000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B8288000
Module End: B8294000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: B8420000
Module End: B8425000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B6FE6000
Module End: B6FF7000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B8298000
Module End: B82A1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: B8428000
Module End: B842D000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: B8430000
Module End: B8435000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B82A8000
Module End: B82B2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: B8438000
Module End: B843E000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: B85B8000
Module End: B85BA000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B6F60000
Module End: B6FBE000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B858C000
Module End: B8590000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: B82C8000
Module End: B82D2000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B82E8000
Module End: B82F7000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: B85BE000
Module End: B85C0000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: B85C6000
Module End: B85C8000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: B86BF000
Module End: B86C0000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: B85C8000
Module End: B85CA000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: B8468000
Module End: B846E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: B85CA000
Module End: B85CC000
Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: B85CC000
Module End: B85CE000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: B8470000
Module End: B8475000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: B8478000
Module End: B8480000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B853C000
Module End: B853F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B4185000
Module End: B4198000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B412C000
Module End: B4185000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\mfetdik.sys
Service Name: mfetdik
Module Base: B8158000
Module End: B8164000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B4106000
Module End: B412C000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B40DE000
Module End: B4106000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: B8550000
Module End: B8553000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B40BC000
Module End: B40DE000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: B8168000
Module End: B8171000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B4091000
Module End: B40BC000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B3FF9000
Module End: B4069000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: B3FC9000
Module End: B3FF9000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: B8178000
Module End: B8183000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: B8188000
Module End: B8191000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: B8198000
Module End: B81A7000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: B81B8000
Module End: B81C8000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: usbstor
Module Base: B8480000
Module End: B8487000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: B6FD6000
Module End: B6FD9000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: B81C8000
Module End: B81D1000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: B8488000
Module End: B848F000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: B6FD2000
Module End: B6FD5000
Hidden: No
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B3F11000
Module End: B3F29000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B85E2000
Module End: B85E4000
Hidden: Yes
Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: B7CD7000
Module End: B7CDA000
Hidden: No
Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: B84A8000
Module End: B84AD000
Hidden: No
Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: B8731000
Module End: B8732000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B3B84000
Module End: B3B88000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B3863000
Module End: B3878000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B38E8000
Module End: B38F7000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B36F8000
Module End: B3725000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: B85EA000
Module End: B85EC000
Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B3656000
Module End: B36A8000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B340D000
Module End: B344E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Service Name: TDTCP
Module Base: B8388000
Module End: B838E000
Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Service Name: RDPWD
Module Base: B3238000
Module End: B325B000
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B26AD000
Module End: B26D8000
Hidden: No
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: B7EA70E0
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwEnumerateKey
Address: B7EC5CA4
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwEnumerateValueKey
Address: B7EC6032
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwOpenKey
Address: B7EA70C0
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwQueryKey
Address: B7EC610A
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwQueryValueKey
Address: B7EC5F8A
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
Function Name: ZwSetValueKey
Address: B7EC619C
Driver Base: B7EA6000
Driver End: B7FA7000
Driver Name: spif.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89738500
Hooking Module: _unknown_
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B7EA7000
Hooking Module: spif.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89B781F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89DE91F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 89717500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89717500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89717500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89717500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 89717500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89B931F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89B561F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\a6ym5izf.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 89BA1500
Hooking Module: _unknown_
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_CREATE
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_CLOSE
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_READ
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_WRITE
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SET_EA
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_POWER
Jump To: B7EAEE30
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B7EC3514
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B7EEAAEA
Hooking Module: spif.sys
Hooked Module: \Driver\PCI_PNP5682
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B7EEAAEA
Hooking Module: spif.sys
******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1185
Remote Address: 209.17.65.34:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1184
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1183
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1182
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1181
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1180
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1179
Remote Address: FORUMS.SPYBOT.INFO:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CHRIS-15BC29F3B:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: CHRIS-15BC29F3B:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: CHRIS-15BC29F3B:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: CHRIS-15BC29F3B:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: CHRIS-15BC29F3B:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: CHRIS-15BC29F3B:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: CHRIS-15BC29F3B.CFL.RR.COM:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CHRIS-15BC29F3B:45301
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\PnkBstrB.exe
State: NA
Local Address: CHRIS-15BC29F3B:44301
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\PnkBstrA.exe
State: NA
Local Address: CHRIS-15BC29F3B:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CHRIS-15BC29F3B:1049
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: CHRIS-15BC29F3B:1033
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CHRIS-15BC29F3B:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: CHRIS-15BC29F3B:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: CHRIS-15BC29F3B:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: CHRIS-15BC29F3B:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
No hidden files/folders found
spy killer link
http://thespykiller.co.uk/index.php/topic,8674.new.html
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, August 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, August 04, 2009 00:15:16
Records in database: 2577736
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 27838
Threat name: 5
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 00:36:25
File name / Threat name / Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\vxbik.exe/C:\WINDOWS\system32\vxbik.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Documents and Settings\Chris Diaz\meqsq.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Documents and Settings\Chris Diaz\My Documents\Downloads\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Documents and Settings\Chris Diaz\nukqkt.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Infected: Trojan.Win32.Patched.gq 1
C:\WINDOWS\system32\fpu.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\WINDOWS\system32\vxbik.exe Infected: Trojan-PSW.Win32.Agent.nnh 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1
The selected area was scanned.
Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris Diaz at 2009-08-06 16:48:46
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 667 GB (93%) free of 715 GB
Total RAM: 2047 MB (83% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:53 PM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris Diaz\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Chris Diaz.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 2469 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-06-10 13758464]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Documents and Settings\Chris Diaz\wafayoh.exe"="C:\Documents and Settings\Chris Diaz\wafayoh.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\Chris Diaz\nukqkt.exe"="C:\Documents and Settings\Chris Diaz\nukqkt.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\Chris Diaz\meqsq.exe"="C:\Documents and Settings\Chris Diaz\meqsq.exe:*:Enabled:ENABLE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======List of files/folders created in the last 1 months======
2009-08-05 05:55:30 ----SHD---- C:\RECYCLER
2009-08-05 05:55:27 ----D---- C:\_OTM
2009-08-04 19:39:12 ----D---- C:\Program Files\Panda Security
2009-08-04 19:35:32 ----A---- C:\ComboFix.txt
2009-08-04 06:00:56 ----A---- C:\WINDOWS\zip.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\SWSC.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\SWREG.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\sed.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\PEV.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-04 06:00:56 ----A---- C:\WINDOWS\grep.exe
2009-08-03 19:02:44 ----A---- C:\WINDOWS\system32\grpconv.exe
2009-08-03 19:00:26 ----A---- C:\Boot.bak
2009-08-03 19:00:24 ----RASHD---- C:\cmdcons
2009-08-03 18:55:19 ----D---- C:\WINDOWS\ERDNT
2009-08-03 18:55:17 ----D---- C:\Qoobox
2009-08-03 18:54:18 ----D---- C:\WINDOWS\Sun
2009-08-03 17:26:45 ----D---- C:\rsit
2009-08-03 17:04:00 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 17:03:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-03 17:03:56 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-31 06:16:17 ----A---- C:\WINDOWS\wininit.ini
2009-07-29 17:17:09 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\AVG8
2009-07-28 20:17:43 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2009-07-28 20:17:40 ----D---- C:\Program Files\DAEMON Tools Toolbar
2009-07-28 20:17:38 ----D---- C:\Program Files\DAEMON Tools Lite
2009-07-28 20:17:16 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 17:14:31 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-28 17:14:31 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 17:11:33 ----D---- C:\Program Files\Trend Micro
2009-07-28 16:57:49 ----A---- C:\WINDOWS\system32\BASSMOD.dll
2009-07-17 17:13:24 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-07-17 17:13:17 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-07-16 21:22:50 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\WinRAR
2009-07-16 19:16:44 ----D---- C:\Program Files\WinRAR
2009-07-16 19:15:05 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 19:13:11 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 18:33:22 ----D---- C:\Program Files\EA GAMES
2009-07-16 18:27:14 ----D---- C:\Program Files\Steam
2009-07-16 16:38:36 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\dvdcss
2009-07-15 21:30:25 ----D---- C:\Program Files\VideoLAN
2009-07-15 19:18:33 ----D---- C:\WINDOWS\Minidump
2009-07-15 19:01:48 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-14 23:52:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-14 23:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-14 23:52:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-13 03:01:49 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\LimeWire
2009-07-12 15:36:45 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\DivX
2009-07-12 13:50:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-12 13:50:49 ----D---- C:\Program Files\MC2
2009-07-12 13:50:31 ----D---- C:\Program Files\Common Files\InstallShield
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\vxblock.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxwave.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxsfs.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxmas.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-07-12 13:45:02 ----N---- C:\WINDOWS\system32\px.dll
2009-07-12 13:44:49 ----D---- C:\Program Files\DivX
2009-07-12 13:44:49 ----D---- C:\Program Files\Common Files\DivX Shared
2009-07-12 10:03:23 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\java.exe
2009-07-12 10:00:25 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-12 10:00:16 ----D---- C:\Program Files\Java
2009-07-12 09:59:58 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Sun
2009-07-11 22:12:42 ----A---- C:\WINDOWS\system32\nvudisp.exe
2009-07-11 22:12:31 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2009-07-11 22:12:24 ----D---- C:\NVIDIA
2009-07-11 16:39:51 ----A---- C:\WINDOWS\myClean.bat
2009-07-09 16:57:15 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Mozilla
2009-07-09 16:49:27 ----D---- C:\Program Files\mIRC
2009-07-09 16:49:27 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\mIRC
2009-07-09 13:19:34 ----D---- C:\WINDOWS\SoftwareDistribution
2009-07-09 13:19:33 ----SD---- C:\WINDOWS\system32\Microsoft
2009-07-09 13:19:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-09 13:16:46 ----D---- C:\WINDOWS\system32\xircom
2009-07-09 13:16:46 ----D---- C:\Program Files\xerox
2009-07-09 13:16:46 ----D---- C:\Program Files\microsoft frontpage
2009-07-09 13:16:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-09 13:16:40 ----A---- C:\WINDOWS\system32\xpsp3res.dll
2009-07-09 13:16:31 ----A---- C:\WINDOWS\control.ini
2009-07-09 13:16:31 ----A---- C:\AUTOEXEC.BAT
2009-07-09 13:16:20 ----A---- C:\WINDOWS\OEWABLog.txt
2009-07-09 13:16:17 ----A---- C:\WINDOWS\system32\mapi32.dll
2009-07-09 13:15:44 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-09 13:15:44 ----RD---- C:\WINDOWS\Offline Web Pages
2009-07-09 13:15:44 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-07-09 13:15:40 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-07-09 13:15:36 ----HD---- C:\Program Files\WindowsUpdate
2009-07-09 13:15:22 ----D---- C:\WINDOWS\system32\DirectX
2009-07-09 13:15:07 ----A---- C:\WINDOWS\system32\atrace.dll
2009-07-09 13:15:05 ----A---- C:\WINDOWS\system32\desktop.ini
2009-07-09 13:15:05 ----A---- C:\WINDOWS\desktop.ini
2009-07-09 13:15:00 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2009-07-09 13:14:59 ----D---- C:\Program Files\Common Files\Services
2009-07-09 13:14:59 ----A---- C:\WINDOWS\system32\acctres.dll
2009-07-09 13:14:57 ----SD---- C:\WINDOWS\Tasks
2009-07-09 13:14:57 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2009-07-09 13:14:56 ----D---- C:\Program Files\Common Files\MSSoap
2009-07-09 13:14:53 ----D---- C:\WINDOWS\srchasst
2009-07-09 13:14:52 ----D---- C:\WINDOWS\system32\Macromed
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wups.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-07-09 13:14:50 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\qmgr.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2009-07-09 13:14:49 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2009-07-09 13:14:46 ----D---- C:\Program Files\Movie Maker
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-07-09 13:14:43 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-07-09 13:14:40 ----D---- C:\WINDOWS\system32\Restore
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\srclient.dll
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\fltmc.exe
2009-07-09 13:14:40 ----A---- C:\WINDOWS\system32\fltlib.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\msconf.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-07-09 13:14:39 ----A---- C:\WINDOWS\system32\ils.dll
2009-07-09 13:14:37 ----D---- C:\Program Files\NetMeeting
2009-07-09 13:14:37 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-07-09 13:14:37 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-07-09 13:14:36 ----A---- C:\WINDOWS\system32\inetres.dll
2009-07-09 13:14:36 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-07-09 13:14:34 ----D---- C:\Program Files\Outlook Express
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\schedsvc.dll
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-07-09 13:14:34 ----A---- C:\WINDOWS\system32\mstask.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\isign32.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-07-09 13:14:33 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-07-09 13:14:29 ----D---- C:\Program Files\Common Files\System
2009-07-09 13:14:28 ----D---- C:\Program Files\Internet Explorer
2009-07-09 13:14:19 ----D---- C:\Program Files\ComPlus Applications
2009-07-09 13:14:17 ----A---- C:\WINDOWS\vbaddin.ini
2009-07-09 13:14:17 ----A---- C:\WINDOWS\vb.ini
2009-07-09 13:14:14 ----D---- C:\WINDOWS\Registration
2009-07-09 13:13:54 ----D---- C:\Program Files\Windows Media Player
2009-07-09 13:13:54 ----D---- C:\Program Files\Online Services
2009-07-09 13:13:50 ----D---- C:\Program Files\Messenger
2009-07-09 13:13:47 ----D---- C:\Program Files\MSN Gaming Zone
2009-07-09 13:13:47 ----A---- C:\WINDOWS\system32\write.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\winchat.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\sndvol32.exe
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\hticons.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avwav.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avtapi.dll
2009-07-09 13:13:40 ----A---- C:\WINDOWS\system32\avmeter.dll
2009-07-09 13:13:35 ----A---- C:\WINDOWS\system32\getuname.dll
2009-07-09 13:13:35 ----A---- C:\WINDOWS\system32\charmap.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\winmine.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\sol.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\reset.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\mshearts.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\freecell.exe
2009-07-09 13:13:34 ----A---- C:\WINDOWS\system32\calc.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tslabels.ini
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tskill.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\tscon.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\shadow.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\rwinsta.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\regini.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\qwinsta.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\qappsrv.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\msg.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\logoff.exe
2009-07-09 13:13:33 ----A---- C:\WINDOWS\system32\cdmodem.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxex.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\mtxdm.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-07-09 13:13:32 ----A---- C:\WINDOWS\system32\comaddin.dll
2009-07-09 13:13:31 ----A---- C:\WINDOWS\system32\stclient.dll
2009-07-09 13:13:31 ----A---- C:\WINDOWS\system32\comsnap.dll
2009-07-09 13:13:28 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2009-07-09 13:13:18 ----D---- C:\Program Files\MSN
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-07-09 13:13:17 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-07-09 13:13:16 ----D---- C:\Program Files\Windows NT
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\spider.exe
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-07-09 13:13:16 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\termsrv.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-07-09 13:13:15 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-07-09 13:13:14 ----D---- C:\WINDOWS\system32\MsDtc
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-07-09 13:13:14 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-07-09 13:13:13 ----D---- C:\WINDOWS\system32\Com
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\colbact.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-07-09 13:13:13 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\comuid.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-07-09 13:13:12 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-07-09 13:13:08 ----A---- C:\WINDOWS\system32\cmprops.dll
2009-07-09 12:28:13 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-07-09 12:28:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-07-09 12:28:05 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-07-09 12:28:02 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2009-07-09 12:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2009-07-09 12:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2009-07-09 12:27:43 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-07-09 12:27:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-07-09 12:27:26 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2009-07-09 12:19:06 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2009-07-09 12:19:05 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2009-07-09 12:19:05 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2009-07-09 12:19:04 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2009-07-09 12:19:04 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-07-09 12:19:03 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-07-09 12:19:02 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-07-09 12:19:02 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-07-09 12:19:01 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2009-07-09 12:19:01 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-07-09 12:19:00 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-07-09 12:19:00 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2009-07-09 12:18:59 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2009-07-09 12:18:58 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2009-07-09 12:18:57 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2009-07-09 12:18:56 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2009-07-09 12:18:55 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2009-07-09 12:18:54 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2009-07-09 12:18:54 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2009-07-09 12:18:53 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2009-07-09 12:18:52 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2009-07-09 12:18:52 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2009-07-09 12:18:50 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2009-07-09 12:18:49 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2009-07-09 12:18:48 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2009-07-09 12:18:47 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-07-09 12:18:47 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-07-09 12:18:46 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-07-09 12:18:45 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-07-09 12:18:45 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-07-09 12:18:44 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-07-09 12:18:44 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-07-09 12:18:42 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-07-09 12:18:42 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-07-09 12:18:41 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-07-09 12:18:41 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-07-09 12:18:40 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-07-09 12:18:39 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-07-09 12:18:39 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-07-09 12:18:38 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-07-09 12:18:38 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-07-09 12:18:37 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-07-09 12:18:37 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2009-07-09 12:18:36 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2009-07-09 12:18:35 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2009-07-09 12:18:35 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-07-09 12:18:34 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2009-07-09 12:18:34 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2009-07-09 12:18:33 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2009-07-09 12:18:32 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2009-07-09 12:17:33 ----D---- C:\Program Files\SystemRequirementsLab
2009-07-09 12:07:06 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-07-09 12:07:00 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2009-07-09 12:06:50 ----D---- C:\Program Files\Windows Media Connect 2
2009-07-09 12:06:42 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2009-07-09 12:06:16 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-07-09 12:06:03 ----D---- C:\WINDOWS\system32\LogFiles
2009-07-09 12:05:53 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-07-09 12:05:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-09 12:05:17 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-09 12:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-09 12:05:08 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-09 12:05:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-09 12:04:58 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-09 12:04:54 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-07-09 12:04:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-09 12:04:43 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-09 12:04:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-09 12:04:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-09 12:04:13 ----HDC---- C:\WINDOWS\$NtUninstallKB969897$
2009-07-09 12:04:08 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-07-09 12:04:03 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-09 12:03:59 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-09 12:03:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-09 12:03:50 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-09 12:03:45 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-09 12:03:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-09 12:03:08 ----A---- C:\WINDOWS\system32\ksuser.dll
2009-07-09 12:02:59 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-09 12:02:55 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2009-07-09 12:02:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-09 12:02:34 ----D---- C:\WINDOWS\ie8updates
2009-07-09 12:02:24 ----D---- C:\WINDOWS\WBEM
2009-07-09 12:01:39 ----HDC---- C:\WINDOWS\ie8
2009-07-09 11:59:22 ----D---- C:\WINDOWS\Logs
2009-07-09 11:56:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-09 11:55:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-09 11:55:04 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-09 11:54:59 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-09 11:54:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-09 11:54:49 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-09 11:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-09 11:54:38 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-09 11:54:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-09 11:54:25 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-09 11:51:51 ----D---- C:\WINDOWS\Prefetch
2009-07-09 11:47:33 ----D---- C:\WINDOWS\system32\en-us
2009-07-09 11:47:32 ----D---- C:\WINDOWS\system32\scripting
2009-07-09 11:47:32 ----D---- C:\WINDOWS\l2schemas
2009-07-09 11:47:31 ----D---- C:\WINDOWS\system32\en
2009-07-09 11:47:31 ----D---- C:\WINDOWS\system32\bits
2009-07-09 11:45:50 ----D---- C:\Program Files\Common Files\Adobe
2009-07-09 11:44:56 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-09 11:43:43 ----D---- C:\Program Files\Adobe
2009-07-09 11:43:35 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-09 11:43:32 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-07-09 11:42:23 ----D---- C:\WINDOWS\network diagnostic
2009-07-09 11:40:46 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-07-09 11:40:45 ----D---- C:\Program Files\NOS
2009-07-09 11:40:04 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-09 11:39:39 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Macromedia
2009-07-09 11:39:39 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Adobe
2009-07-09 11:37:10 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-09 11:36:31 ----D---- C:\Program Files\Mozilla Firefox
2009-07-09 11:31:30 ----A---- C:\WINDOWS\system32\wpa.bak
2009-07-09 11:30:25 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-07-09 11:09:08 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-07-09 10:54:45 ----D---- C:\WINDOWS\system32\PreInstall
2009-07-09 10:54:44 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-07-09 10:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2009-07-09 10:54:25 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2009-07-09 10:30:05 ----D---- C:\Program Files\McAfee
2009-07-09 10:28:35 ----D---- C:\Documents and Settings\Chris Diaz\Application Data\Identities
2009-07-09 10:28:34 ----HD---- C:\Program Files\Uninstall Information
2009-07-09 10:28:31 ----SD---- C:\Documents and Settings\Chris Diaz\Application Data\Microsoft
2009-07-09 10:28:31 ----ASH---- C:\Documents and Settings\Chris Diaz\Application Data\desktop.ini
2009-07-09 10:22:09 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-07-09 06:12:04 ----A---- C:\WINDOWS\system32\h323log.txt
2009-07-09 06:08:25 ----A---- C:\WINDOWS\system32\usbui.dll
2009-07-09 06:07:37 ----A---- C:\WINDOWS\imsins.BAK
2009-07-09 06:07:35 ----SHD---- C:\WINDOWS\Installer
2009-07-09 06:07:35 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-09 06:07:34 ----D---- C:\Program Files\Common Files\ODBC
2009-07-09 06:07:34 ----A---- C:\WINDOWS\ODBCINST.INI
2009-07-09 06:07:32 ----RD---- C:\Program Files
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-07-09 06:07:32 ----D---- C:\Program Files\Common Files
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2009-07-09 06:07:30 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdur.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdru.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2009-07-09 06:07:28 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2009-07-09 06:07:27 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2009-07-09 06:07:26 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2009-07-09 06:07:25 ----RA---- C:\WINDOWS\system32\kbdest.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdro.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2009-07-09 06:07:24 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\irclass.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\dgsetup.dll
2009-07-09 06:07:22 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2009-07-09 06:07:20 ----A---- C:\WINDOWS\TASKMAN.EXE
2009-07-09 06:07:20 ----A---- C:\WINDOWS\system32\batt.dll
2009-07-09 06:07:19 ----A---- C:\WINDOWS\system32\storprop.dll
2009-07-09 06:07:19 ----A---- C:\WINDOWS\notepad.exe
2009-07-09 06:07:13 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-07-09 06:07:02 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-09 06:07:02 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-09 06:06:56 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-07-09 06:06:36 ----A---- C:\WINDOWS\setuplog.txt
2009-07-09 06:06:33 ----SHD---- C:\System Volume Information
2009-07-09 06:06:33 ----D---- C:\Documents and Settings
2009-07-09 06:05:50 ----RASH---- C:\boot.ini
2009-07-08 11:56:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-08 11:56:07 ----RSD---- C:\WINDOWS\Fonts
2009-07-08 11:56:07 ----RD---- C:\WINDOWS\Web
2009-07-08 11:56:07 ----HD---- C:\WINDOWS\inf
2009-07-08 11:56:07 ----D---- C:\WINDOWS\WinSxS
2009-07-08 11:56:07 ----D---- C:\WINDOWS\twain_32
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\wins
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\wbem
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\usmt
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\spool
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ShellExt
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\Setup
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ras
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\oobe
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\npp
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\mui
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\inetsrv
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\IME
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\icsxml
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\ias
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\export
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\drivers
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\dhcp
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\config
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\3com_dmi
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\3076
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\2052
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1054
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1042
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1041
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1037
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1033
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1031
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1028
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32\1025
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system32
2009-07-08 11:56:07 ----D---- C:\WINDOWS\system
2009-07-08 11:56:07 ----D---- C:\WINDOWS\security
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Resources
2009-07-08 11:56:07 ----D---- C:\WINDOWS\repair
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Provisioning
2009-07-08 11:56:07 ----D---- C:\WINDOWS\PeerNet
2009-07-08 11:56:07 ----D---- C:\WINDOWS\pchealth
2009-07-08 11:56:07 ----D---- C:\WINDOWS\mui
2009-07-08 11:56:07 ----D---- C:\WINDOWS\msapps
2009-07-08 11:56:07 ----D---- C:\WINDOWS\msagent
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Media
2009-07-08 11:56:07 ----D---- C:\WINDOWS\java
2009-07-08 11:56:07 ----D---- C:\WINDOWS\ime
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Help
2009-07-08 11:56:07 ----D---- C:\WINDOWS\ehome
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Driver Cache
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Debug
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Cursors
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Connection Wizard
2009-07-08 11:56:07 ----D---- C:\WINDOWS\Config
2009-07-08 11:56:07 ----D---- C:\WINDOWS\AppPatch
2009-07-08 11:56:07 ----D---- C:\WINDOWS\addins
2009-07-08 11:56:07 ----D---- C:\WINDOWS
2009-07-08 11:56:07 ----AD---- C:\WINDOWS\Temp
======List of files/folders modified in the last 1 months======
2009-08-04 19:34:12 ----A---- C:\WINDOWS\system.ini
2009-08-03 19:02:11 ----A---- C:\WINDOWS\system32\user32.dll
2009-07-19 18:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 09:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-09 12:06:54 ----A---- C:\WINDOWS\win.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-12-01 201320]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2007-12-01 55016]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-20 2317696]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-06-10 8087712]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 a6ym5izf;a6ym5izf; C:\WINDOWS\system32\drivers\a6ym5izf.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 MfeAVFK;McAfee Inc. MfeAVFK; C:\WINDOWS\system32\drivers\MfeAVFK.sys [2007-12-01 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK; C:\WINDOWS\system32\drivers\MfeBOPK.sys [2007-12-01 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK; C:\WINDOWS\system32\drivers\MfeRKDK.sys [2007-12-01 33832]
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-12 152984]
R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-06-10 168004]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-07-17 75064]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-08-05 189672]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
-----------------EOF-----------------
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 16:47 on 06/08/2009 by Chris Diaz (Administrator - Elevation successful)
========== dir ==========
c:\documents and settings\Chris Diaz - Unable to find folder.
========== file ==========
c:\documents and settings\Chris Diaz\meqsq.exe - Unable to find/read file.
c:\documents and settings\Chris Diaz\nukqkt.exe - Unable to find/read file.
c:\Documents and Settings\Chris Diaz\wafayoh.exe - Unable to find/read file.
========== filefind ==========
Searching for "meqsq.exe"
C:\Documents and Settings\Chris Diaz\meqsq.exe ---h-- 32768 bytes [11:24 02/08/2009] [11:24 02/08/2009] 46C2A57AB3D45987B5B5F52808255F7D
Searching for "nukqkt.exe"
C:\Documents and Settings\Chris Diaz\nukqkt.exe ---h-- 32768 bytes [10:01 31/07/2009] [10:01 31/07/2009] 46C2A57AB3D45987B5B5F52808255F7D
Searching for "wafayoh.exe"
C:\Documents and Settings\Chris Diaz\wafayoh.exe ---h-- 32256 bytes [20:53 28/07/2009] [20:53 28/07/2009] DB6E8B9803C374E50BBE3E243D04F022
-=End Of File=-
I hope I got all four you asked for; I have so many log files in Notepad that I am starting to forget which is which. Please let me know if they are wrong and I will get the right ones. Thanks for the help.
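The SystemLook hits above carry more than the paths: two of the three files have the same size and MD5 under different random names, all three are hidden, and all three sit directly in the profile root rather than in a program folder. The script below is added here as an illustration (it is not part of SystemLook or of this thread) and parses those lines to pull out exactly those traits. The three hit lines are copied from the log above; reading the "h" in the attribute column as Hidden is my assumption about SystemLook's column layout.

```python
"""Parse SystemLook 'filefind' hits and cluster them by MD5.

Added example, not part of SystemLook or of the thread. The hit lines are
copied from the SystemLook output above; treating the 'h' in the attribute
column as Hidden is an assumption about SystemLook's layout.
"""
import re
from collections import defaultdict

SYSTEMLOOK_FILEFIND = r"""
========== filefind ==========
Searching for "meqsq.exe"
C:\Documents and Settings\Chris Diaz\meqsq.exe ---h-- 32768 bytes [11:24 02/08/2009] [11:24 02/08/2009] 46C2A57AB3D45987B5B5F52808255F7D
Searching for "nukqkt.exe"
C:\Documents and Settings\Chris Diaz\nukqkt.exe ---h-- 32768 bytes [10:01 31/07/2009] [10:01 31/07/2009] 46C2A57AB3D45987B5B5F52808255F7D
Searching for "wafayoh.exe"
C:\Documents and Settings\Chris Diaz\wafayoh.exe ---h-- 32256 bytes [20:53 28/07/2009] [20:53 28/07/2009] DB6E8B9803C374E50BBE3E243D04F022
-=End Of File=-
"""

# One hit line: <path> <6-char attribute column> <size> bytes [mtime] [ctime] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-A-Za-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per hit; 'Searching for' headers and blanks are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["size"] = int(h["size"])
        h["md5"] = h["md5"].upper()
        h["parent"], _, h["name"] = h["path"].rpartition("\\")
        h["hidden"] = "h" in h["attrs"].lower()
        hits.append(h)
    return hits


def cluster_by_md5(hits):
    """MD5 -> list of file names carrying that hash (in log order)."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["md5"]].append(h["name"])
    return dict(groups)


def flag_hits(hits, profile_root):
    """Findings a helper would act on: a hidden .exe, a file dropped straight
    into the profile root, and one hash reappearing under several names
    (the same dropper re-copied with a random filename)."""
    groups = cluster_by_md5(hits)
    findings = []
    for h in hits:
        reasons = []
        if h["hidden"] and h["name"].lower().endswith(".exe"):
            reasons.append("hidden executable")
        if h["parent"].lower() == profile_root.lower():
            reasons.append("dropped directly in the profile root")
        twins = [n for n in groups[h["md5"]] if n != h["name"]]
        if twins:
            reasons.append("same MD5 as " + ", ".join(twins))
        if reasons:
            findings.append((h["name"], reasons))
    return findings


if __name__ == "__main__":
    root = r"C:\Documents and Settings\Chris Diaz"
    for name, why in flag_hits(parse_filefind(SYSTEMLOOK_FILEFIND), root):
        print(name, "->", "; ".join(why))
```

Running it prints one line per file; meqsq.exe and nukqkt.exe are reported as hidden, profile-root drops that share a hash, wafayoh.exe as a hidden profile-root drop with a hash of its own. The same parser works on any SystemLook filefind section, so it can be rerun after a cleanup to confirm the hits are gone.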
c:\documents and settings\Chris Diaz\meqsq.exe - Unable to find/read file.
========== filefind ==========
Searching for "meqsq.exe"
C:\Documents and Settings\Chris Diaz\meqsq.exe ---h-- 32768 bytes
The first part of this log says that the file doesn't exist; the second says it does.
Are you altering these logs in any way, i.e. changing the user name?
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text from the quote into Notepad.
Save it as "All Files" and name it look.bat. Please save it on your desktop.
@Echo Off
MD "C:\Katana"
Set "Log=C:\Katana\Klog.txt"
Set "Log2=C:\Katana\Klog2.txt"
CD /D "%UserProfile%"
For %%G IN (
meqsq.exe
nukqkt.exe
wafayoh.exe
) do (
If not exist "%%G" Echo %%G Not Found >> "%Log2%"
If exist "%%G" Echo %%G found >> "%Log%"
Rem SystemLook listed these files as hidden, attribute ---h--. cmd's DEL
Rem skips hidden and system files unless /A is given, so strip the
Rem attributes first, keep a copy for submission, then delete.
If exist "%%G" Attrib -R -S -H "%%G"
If exist "%%G" copy "%%G" "C:\Katana\%%G.vir"
If exist "%%G" Del /q /f "%%G"
If exist "%%G" Echo %%G Still Present !! >> "%Log2%"
Echo ---------------------------- >> "%Log%"
)
Dir /L /A /B /S C:\Katana >> "%Log%"
If exist "%Log2%" Type "%Log2%" >> "%Log%"
Rem Record where the script ran before the log is copied to the desktop.
Echo %~dp0 >> "%Log%"
Echo %CD% >> "%Log%"
Type "%Log%" >>"%UserProfile%\Desktop\Kresults.txt"
Notepad "%UserProfile%\Desktop\Kresults.txt"
Del /q %0
exit
Double-click look.bat.
This should only take a moment.
Notepad will open; please copy and paste the results here.
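For the same job in a language that does not inherit cmd's attribute handling, here is an added example (not the helper's script and not part of this thread) of the look.bat procedure with the checks a responder wants: it resets the attribute bits, keeps a .vir copy for submission, deletes the original only once the copy's hash matches, and reports anything still present afterwards. demo() builds constructed stand-in files in a temporary directory, two of them with identical content to mimic the matching MD5s seen above, so it runs anywhere; a real run would pass %UserProfile% and C:\Katana instead.

```python
"""Quarantine named files from a profile directory with verification.

Added example, not from the thread. demo() uses constructed stand-ins in a
temporary directory; on the real machine profile_dir would be %UserProfile%
and quarantine_dir C:\\Katana.
"""
import ctypes
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_NORMAL = 0x80  # clears Hidden, System and Read-only in one call


def clear_attributes(path):
    """Windows: reset the attribute bits (Read-only would block the delete).
    POSIX: make sure the owner can read and write the file."""
    if os.name == "nt":
        if not ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL):
            raise ctypes.WinError()
    else:
        os.chmod(path, 0o600)


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def quarantine(names, profile_dir, quarantine_dir):
    """Return {name: status}. A copy is kept as <name>.vir for submission and
    the original is removed only after the copy's hash matches."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    results = {}
    for name in names:
        src = Path(profile_dir) / name
        if not src.is_file():            # stat() sees hidden files, unlike cmd's DEL
            results[name] = "not found"
            continue
        clear_attributes(src)
        digest = md5_of(src)
        dst = qdir / (name + ".vir")
        shutil.copy2(src, dst)
        if md5_of(dst) != digest:
            results[name] = "copy mismatch, original left in place"
            continue
        try:
            src.unlink()
        except OSError as exc:           # e.g. held open by a running process
            results[name] = "still present: " + str(exc.strerror)
            continue
        results[name] = "quarantined " + digest
    return results


def demo():
    """Constructed sample: two files with identical bytes (same MD5, as with
    meqsq.exe and nukqkt.exe above), one of them read-only, one name absent."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "profile"
        profile.mkdir()
        for name in ("meqsq.exe", "nukqkt.exe"):
            (profile / name).write_bytes(b"MZ" + b"\x90" * 62)
        if os.name != "nt":
            os.chmod(profile / "meqsq.exe", 0o400)
        results = quarantine(["meqsq.exe", "nukqkt.exe", "wafayoh.exe"],
                             profile, Path(tmp) / "Katana")
        leftovers = sorted(p.name for p in profile.iterdir())
        vir_files = sorted(p.name for p in (Path(tmp) / "Katana").iterdir())
        return results, leftovers, vir_files


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hash recorded in the status line is what you would paste alongside the submitted .vir file, and a "still present" result is the signal to move to a tool that deletes on reboot, as the thread does next.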
meqsq.exe found
----------------------------
nukqkt.exe found
----------------------------
wafayoh.exe found
----------------------------
c:\katana\klog.txt
c:\katana\klog2.txt
meqsq.exe Still Present !!
nukqkt.exe Still Present !!
wafayoh.exe Still Present !!
----------------------------------------------------------------------------------------
Step 1
Please Submit a file
Please open THIS PAGE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) in a new window.
In the box marked Link to topic where this file was requested: please put this text
http://forums.spybot.info/showthread.php?p=326896#post326896
Click the Browse button and navigate to C:\Katana\Klog.txt
Select this file and click Open
In the Largest box please put
File Requested By Katana
Finally click SendFile
----------------------------------------------------------------------------------------
Step 2
OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop
Double-click OTM.exe to run it.
Copy the lines in the codebox below (make sure you include :Processes).
:Processes
:Files
%UserProfile%\meqsq.exe
%UserProfile%\nukqkt.exe
%UserProfile%\wafayoh.exe
:Commands
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Step 1 done.
Step 2: I got a message that says
Invalid time flag! [meqsq.exe] must be numerical
Do you know why all these are in your trusted zone?
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\Documents and Settings\Chris Diaz\meqsq.exe
C:\Documents and Settings\Chris Diaz\nukqkt.exe
c:\documents and settings\Chris Diaz\wafayoh.exe
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Chris Diaz\\wafayoh.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\nukqkt.exe"=-
"c:\\Documents and Settings\\Chris Diaz\\meqsq.exe"=-
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
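The Registry:: block in the CFScript above removes three values from the XP firewall's AuthorizedApplications list, which is where a dropper registers itself so its traffic is never prompted for. The script below is an added example (not from this thread and not ComboFix's own code) that audits an export of that key and prints the same "value"=- deletion lines. SAMPLE_REG is a constructed stand-in for a reg export of the key: the sessmgr and firefox entries stand for ordinary exceptions, the other two mirror the profile-root and Temp executables seen on this machine.

```python
"""Audit the XP firewall's AuthorizedApplications list and emit the
ComboFix 'Registry::' lines that remove suspicious exceptions.

Added example, not from the thread and not ComboFix's code. SAMPLE_REG is a
constructed stand-in for 'reg export' of the key named in the CFScript.
"""
import re

FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\Chris Diaz\\meqsq.exe"="C:\\Documents and Settings\\Chris Diaz\\meqsq.exe:*:Enabled:meqsq"
"C:\\DOCUME~1\\CHRISD~1\\LOCALS~1\\Temp\\csrss.exe"="C:\\DOCUME~1\\CHRISD~1\\LOCALS~1\\Temp\\csrss.exe:*:Enabled:csrss"
'''

# "name"="data" lines of a .reg export; backslashes and quotes are escaped with \
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# XP stores each exception as <path>:<scope>:<Enabled|Disabled>:<display name>
DATA_RE = re.compile(r":(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<display>.*)$", re.I)

SUSPECT_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe"}


def unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_authorized_apps(reg_text):
    """Return [(exe_path, state, display_name)]; the value name is the path."""
    apps = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue                      # header, key line, blanks
        path = unescape(m.group("name"))
        d = DATA_RE.search(unescape(m.group("data")))
        state = d.group("state").capitalize() if d else "?"
        display = d.group("display") if d else ""
        apps.append((path, state, display))
    return apps


def audit(apps):
    """Flag exceptions for executables in profile/Temp directories and for
    Windows system-process names living outside system32."""
    findings = []
    for path, state, display in apps:
        low = path.lower()
        base = low.rpartition("\\")[2]
        reasons = []
        if any(seg in low for seg in SUSPECT_DIRS):
            reasons.append("executable lives in a user profile or Temp directory")
        if base in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("carries a Windows system-process name outside system32")
        if reasons:
            findings.append({"path": path, "state": state, "display": display, "reasons": reasons})
    return findings


def cfscript_registry(findings, key=FIREWALL_KEY):
    """Same form as the Registry:: block above: "value"=- deletes that value."""
    lines = ["Registry::", "[" + key + "]"]
    for f in findings:
        lines.append('"' + f["path"].replace("\\", "\\\\") + '"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_authorized_apps(SAMPLE_REG))
    for f in found:
        print(f["path"], "->", "; ".join(f["reasons"]))
    print(cfscript_registry(found))
```

The two rules are deliberately narrow: a legitimate game or updater in Program Files is left alone, while anything in the profile root, a Temp folder, or masquerading as csrss.exe outside system32 is listed. Review the output before pasting it into a CFScript; the generated lines delete values, and ComboFix acts on them without further prompting.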
I don't know why most of that is in my trusted zones, but in my Internet Options it shows I have no trusted sites.
ComboFix 09-08-07.09 - Chris Diaz 08/08/2009 14:58.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1710 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Diaz\Desktop\CFScript.txt
* Created a new restore point
FILE ::
"c:\documents and settings\Chris Diaz\meqsq.exe"
"c:\documents and settings\Chris Diaz\nukqkt.exe"
"c:\documents and settings\Chris Diaz\wafayoh.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chris Diaz\meqsq.exe
c:\documents and settings\Chris Diaz\nukqkt.exe
c:\documents and settings\Chris Diaz\wafayoh.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.
2009-08-06 22:55 . 2009-08-06 22:55 -------- d-----w- C:\Katana
2009-08-05 09:55 . 2009-08-05 09:55 -------- d-----w- C:\_OTM
2009-08-04 23:39 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-04 23:39 . 2009-08-04 23:39 -------- d-----w- c:\program files\Panda Security
2009-08-04 21:52 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-04 21:52 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-08 00:10 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-08 00:10 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-10 03:43 . 2009-07-10 03:43 -------- d-sh--w- c:\documents and settings\Chris Diaz\IECompatCache
2009-07-09 21:36 . 2009-07-09 21:36 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Identities
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 20:57 . 2009-07-09 20:57 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\Mozilla
2009-07-09 20:49 . 2009-08-08 18:57 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-07-09 20:49 . 2009-08-08 18:34 -------- d-----w- c:\program files\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-03_23.04.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-08 18:32 . 2009-08-08 18:32 16384 c:\windows\Temp\Perflib_Perfdata_118.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2009-04-17 12:59 . 2009-04-17 12:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/4/2009 7:39 PM 28544]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 15:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-08 15:01
ComboFix-quarantined-files.txt 2009-08-08 19:01
ComboFix2.txt 2009-08-04 23:35
ComboFix3.txt 2009-08-04 21:55
ComboFix4.txt 2009-08-04 10:05
ComboFix5.txt 2009-08-08 18:36
Pre-Run: 699,420,491,776 bytes free
Post-Run: 699,373,404,160 bytes free
200 --- E O F --- 2009-07-29 21:08
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DDS::
Trusted Zone: //about.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Update.htm/
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please post a fresh RSIT log along with the Combofix log
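As an added example for this thread (not part of ComboFix, RSIT or the helper's CFScript), the following Python script reads a ComboFix log in the layout shown above and pulls out the items a helper checks by eye: Run entries that launch from user-writable locations (the profile root where meqsq.exe sat), Trusted Zone entries of the kind the CFScript above removes, and a disabled Windows Firewall standard profile (`"EnableFirewall"= 0`). The sample log is constructed; the `User` profile path, the `updater` value name and the location heuristics are assumptions.

```python
"""Reviewer's checklist over a ComboFix log (added example, not ComboFix code).

The heuristics only point at lines worth a second look; they do not decide
what is malicious.
"""
import re

# Constructed sample in the ComboFix layout used in the thread; not the thread's
# actual log. meqsq.exe is the file name ComboFix listed under "Other Deletions".
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updater"="c:\documents and settings\User\meqsq.exe" [2009-08-01 40960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: mcafeeasap.com\www
Trusted Zone: //strings.vbs/
.
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="value" optionally followed by " - resolved\path" and "[date size]"
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r"(?: - (?P<resolved>.*?))?"
    r"\s*(?:\[[^\]]*\])?\s*$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0(?!\d)', re.M)
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<zone>\S+)", re.M)

# Directories a standard user can write to (assumed heuristic, XP and later layouts).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\users\\")


def parse_run_entries(log_text):
    """Return (registry_key, value_name, launched_path) for each entry under a ...\\Run key."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            # ComboFix appends the resolved path when the value is a bare file name.
            path = entry.group("resolved") or entry.group("value")
            entries.append((current_key, entry.group("name"), path))
    return entries


def is_user_writable(path):
    """Heuristic: does the launched file live in a profile or temp directory?"""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def trusted_zones(log_text):
    """Every Trusted Zone entry from the Supplementary Scan section."""
    return TRUSTED_RE.findall(log_text)


def firewall_disabled(log_text):
    """True when the standard-profile firewall is recorded as off."""
    return FIREWALL_RE.search(log_text) is not None


def review(log_text):
    """Collect the three findings a helper would want flagged."""
    return {
        "suspicious_autostarts": [
            path for _, _, path in parse_run_entries(log_text) if is_user_writable(path)
        ],
        "trusted_zones": trusted_zones(log_text),
        "firewall_disabled": firewall_disabled(log_text),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```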
ComboFix 09-08-08.02 - Chris Diaz 08/09/2009 0:35.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1719 [GMT -4:00]
Running from: c:\documents and settings\Chris Diaz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris Diaz\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-06 22:55 . 2009-08-06 22:55 -------- d-----w- C:\Katana
2009-08-05 09:55 . 2009-08-05 09:55 -------- d-----w- C:\_OTM
2009-08-04 23:39 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-04 23:39 . 2009-08-04 23:39 -------- d-----w- c:\program files\Panda Security
2009-08-04 21:52 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-08-04 21:52 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-03 23:02 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-03 22:54 . 2009-08-03 22:54 -------- d-----w- c:\windows\Sun
2009-08-03 21:26 . 2009-08-03 21:26 -------- d-----w- C:\rsit
2009-08-03 21:04 . 2009-08-03 21:04 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:03 . 2009-08-03 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 21:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 11:22 . 2009-08-02 11:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-01 12:04 . 2009-08-01 12:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-29 21:17 . 2009-07-29 21:17 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\AVG8
2009-07-29 21:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 21:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-29 00:17 . 2009-07-29 00:18 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Lite
2009-07-28 21:14 . 2009-07-31 10:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 21:14 . 2009-07-31 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 21:11 . 2009-07-28 21:11 -------- d-----w- c:\program files\Trend Micro
2009-07-28 20:50 . 2009-08-03 23:02 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-17 21:14 . 2009-08-08 19:07 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-17 21:13 . 2009-08-08 19:06 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-17 21:13 . 2009-07-17 21:13 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-17 21:13 . 2009-07-17 21:13 -------- d-----w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\PunkBuster
2009-07-16 23:15 . 2009-07-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-07-16 23:13 . 2009-07-16 23:13 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 23:13 . 2009-07-16 23:20 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DAEMON Tools Pro
2009-07-16 22:33 . 2009-07-16 22:33 -------- d-----w- c:\program files\EA GAMES
2009-07-16 22:27 . 2009-07-16 23:27 -------- d-----w- c:\program files\Steam
2009-07-16 20:38 . 2009-07-16 20:38 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\dvdcss
2009-07-16 01:30 . 2009-07-16 01:30 -------- d-----w- c:\program files\VideoLAN
2009-07-13 07:01 . 2009-07-22 12:07 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\LimeWire
2009-07-12 19:36 . 2009-07-16 01:22 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\DivX
2009-07-12 17:50 . 2009-07-16 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 17:50 . 2009-07-12 17:50 -------- d-----w- c:\program files\MC2
2009-07-12 17:50 . 2009-07-16 22:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-12 17:44 . 2009-07-12 17:44 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-12 14:03 . 2009-08-03 01:23 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\BitTorrent
2009-07-12 14:00 . 2009-07-12 14:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-12 14:00 . 2009-07-12 14:00 -------- d-----w- c:\program files\Java
2009-07-12 14:00 . 2009-07-12 14:00 152576 ----a-w- c:\documents and settings\Chris Diaz\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-12 02:12 . 2009-06-10 10:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-12 02:12 . 2009-06-21 12:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-12 02:12 . 2009-07-12 02:12 -------- d-----w- C:\NVIDIA
2009-07-11 20:39 . 2006-12-06 01:17 240 ----a-w- c:\windows\myClean.bat
2009-07-11 20:39 . 2009-07-11 20:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 18:57 . 2009-07-09 20:49 -------- d-----w- c:\documents and settings\Chris Diaz\Application Data\mIRC
2009-08-08 18:34 . 2009-07-09 20:49 -------- d-----w- c:\program files\mIRC
2009-08-03 23:02 . 2006-02-28 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2009-07-16 00:15 . 2009-07-09 16:17 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-12 17:45 . 2009-07-12 17:44 -------- d-----w- c:\program files\DivX
2009-07-11 21:00 . 2009-07-09 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 20:57 . 2009-07-09 20:57 0 ----a-w- c:\windows\nsreg.dat
2009-07-09 17:16 . 2009-07-09 17:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-09 17:14 . 2009-07-09 17:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-09 16:17 . 2009-07-09 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 16:10 . 2009-07-09 16:10 13104 ----a-w- c:\documents and settings\Chris Diaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 16:06 . 2009-07-09 16:06 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-09 15:51 . 2009-07-09 15:40 -------- d-----w- c:\program files\NOS
2009-07-09 15:48 . 2009-07-09 17:15 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-09 15:45 . 2009-07-09 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 15:43 . 2009-07-09 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-09 15:41 . 2009-07-09 15:41 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-09 14:30 . 2009-07-09 14:30 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-07-09 15:33 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2008-04-14 00:12 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 21:56 . 2009-07-12 17:45 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-13 21:56 . 2009-07-12 17:45 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-13 21:56 . 2009-07-12 17:45 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-13 21:56 . 2009-07-12 17:45 129784 ------w- c:\windows\system32\pxafs.dll
2009-05-13 21:56 . 2009-07-12 17:45 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-05-13 21:56 . 2009-07-12 17:45 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-05-13 21:54 . 2009-05-13 21:54 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-13 21:54 . 2009-05-13 21:54 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-13 21:54 . 2009-05-13 21:54 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-13 21:54 . 2009-05-13 21:54 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-13 21:54 . 2009-05-13 21:54 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-13 21:54 . 2009-05-13 21:54 685056 ----a-w- c:\windows\system32\DivX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-03_23.04.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-09 04:29 . 2009-08-09 04:29 16384 c:\windows\Temp\Perflib_Perfdata_1f4.dat
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2006-02-28 12:00 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2009-04-17 12:59 . 2009-04-17 12:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/4/2009 7:39 PM 28544]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 00:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-09 0:37
ComboFix-quarantined-files.txt 2009-08-09 04:37
ComboFix2.txt 2009-08-08 19:01
ComboFix3.txt 2009-08-04 23:35
ComboFix4.txt 2009-08-04 21:55
ComboFix5.txt 2009-08-09 04:34
Pre-Run: 699,437,182,976 bytes free
Post-Run: 699,393,445,888 bytes free
183 --- E O F --- 2009-07-29 21:08
Congratulations, your logs look clean :)
Let's see if I can help you keep it that way.
First, let's tidy up.
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Uninstall OTMoveIt (OTM.exe)
Open OTMoveIt and click Cleanup.
When a box pops up, click YES.
You can also delete any logs we have produced, and empty your Recycle bin.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE (http://secunia.com/software_inspector/) for details.
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes hosts protection and registry protection. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A new and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol.
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.
Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION: If you delete all your cookies, you will lose any autologin information for sites that you visit and will need your passwords.
Both of these can be cleaned manually, but a quicker option is to use a program.
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible; you can choose which cookies to keep
Also PLEASE read this article: So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'