View Full Version : kryptik.ZS trojan
xrookie24
2009-09-11, 16:32
Hi everyone this morning i wake up and eset detected a virus called kryptik.ZS trojan located in \\?\globalroot\systemroot\system32\SKYNETrprxvrxc.dll. It cannot be cleaned nor be deleted, it's slow now whenever i try to switch from one program to another, it doesnt also allow you to shutdown netbeans 6.5.1 unless you restart or shut down the computer.
I ran a HiJackThis Scan and this is the log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:29 PM, on 9/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TipCtrl - Unknown owner - C:\Program Files\uTIPu\TipCtrl.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8714 bytes
Thanks in advance for the help.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Hi xrookie24
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..
xrookie24
2009-09-13, 19:49
Hi thanks for the reply, i have scanned using GMER and this is the result. Ohh and another thing i scanned in safe mode. While scanning a pop up appeared and said that some activity involving ROOTKIT, after that the scan has finished and this is the result.
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 01:39:42
Windows 6.0.6001 Service Pack 1
---- System - GMER 1.0.15 ----
Code 8622F2C0 ZwEnumerateKey
Code 8623C518 ZwFlushInstructionCache
Code 8622A065 IofCallDriver
Code 8625532E IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCompleteRequest 82073FE2 5 Bytes JMP 86255333
.text ntkrnlpa.exe!IofCallDriver 820F5F6F 5 Bytes JMP 8622A06A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821EC30B 5 Bytes JMP 8623C51C
PAGE ntkrnlpa.exe!ZwEnumerateKey 82241BA2 5 Bytes JMP 8622F2C4
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\SKYNETrprxvrxc.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1184] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\SKYNETxemnchfu.sys (*** hidden *** ) [SYSTEM] SKYNETvpebtjif <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e376e2a93
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e376e2a93@00174beb2d27 0x19 0x34 0x45 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e376e2a93@001bee0b08b9 0x94 0x54 0xF0 0xF3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpebtjif\modules@SKYNETwsp8.dll \systemroot\system32\SKYNETrprxvrxc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet005\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet009\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet011\Services\BTHPORT\Parameters\Keys\001e376e2a93 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\BTHPORT\Parameters\Keys\001e376e2a93@00174beb2d27 0x19 0x34 0x45 0x2D ...
Reg HKLM\SYSTEM\ControlSet011\Services\BTHPORT\Parameters\Keys\001e376e2a93@001bee0b08b9 0x94 0x54 0xF0 0xF3 ...
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif@start 1
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif@type 1
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif@group file system
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif@imagepath \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main@aid 10093
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main@sid 0
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main\injector@* SKYNETwsp8.dll
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxemnchfu.sys
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNETcmd.dll \systemroot\system32\SKYNEThepusfov.dll
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNETlog.dat \systemroot\system32\SKYNETtomcfxmx.dat
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdagnlkoj.dll
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNET.dat \systemroot\system32\SKYNETxpbrutti.dat
Reg HKLM\SYSTEM\ControlSet011\Services\SKYNETvpebtjif\modules@SKYNETwsp8.dll \systemroot\system32\SKYNETrprxvrxc.dll
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
xrookie24
2009-09-13, 21:43
Here is the ComboFix.txt report log
ComboFix 09-09-13.04 - dmolina 09/14/2009 3:03.1.2 - NTFSx86
Microsoft® Windows Vista Home Basic 6.0.6001.1.1252.63.1033.18.2550.1605 [GMT 8:00]
Running from: c:\users\dmolina\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1203008247-962667541-3576721070-500
c:\$recycle.bin\S-1-5-21-3088013630-3781476475-191188015-500
c:\users\dmolina\AppData\Local\Microsoft\Windows\Temporary Internet Files\SF0ED.gif
c:\users\dmolina\AppData\Roaming\EurekaLog
c:\windows\Installer\bcda7.msi
c:\windows\system32\drivers\SKYNETxemnchfu.sys
c:\windows\system32\SKYNETdagnlkoj.dll
c:\windows\system32\SKYNEThepusfov.dll
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETrprxvrxc.dll
c:\windows\system32\SKYNETtomcfxmx.dat
c:\windows\system32\SKYNETxpbrutti.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETvpebtjif
-------\Legacy_SKYNETvpebtjif
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-10 08:26 . 2009-09-10 08:26 -------- d-----w- c:\users\dmolina\AppData\Roaming\Big Fish Games
2009-09-10 02:57 . 2009-09-10 02:57 -------- d-----w- c:\program files\Trend Micro
2009-09-09 03:48 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 03:48 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 03:48 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 03:48 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 03:48 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 03:48 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 03:48 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 03:48 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 03:48 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 03:48 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 03:47 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 03:47 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 03:47 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 03:47 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 03:47 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-04 04:12 . 2009-09-04 04:14 -------- d-----w- c:\users\dmolina\AppData\Roaming\SmartDraw
2009-09-03 02:03 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 02:03 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 08:13 . 2009-09-02 08:13 -------- d-----w- c:\programdata\InstallShield
2009-09-02 08:12 . 2009-09-02 08:12 -------- d-----w- c:\users\dmolina\AppData\Roaming\Nuance
2009-09-02 08:08 . 2009-09-02 08:08 -------- d-----w- c:\programdata\ScanSoft
2009-09-02 08:08 . 2009-09-02 08:08 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-02 08:08 . 2009-09-02 08:08 -------- d-----w- c:\program files\Common Files\Nuance
2009-09-02 08:08 . 2009-09-02 08:08 -------- d-----w- c:\programdata\Nuance
2009-09-02 08:08 . 2009-09-02 08:08 -------- d-----w- c:\program files\Nuance
2009-08-31 06:41 . 2009-09-07 05:30 -------- d-----w- c:\users\dmolina\AppData\Local\Hewlett-Packard
2009-08-26 19:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 17:53 . 2009-08-26 17:53 -------- d-----w- c:\users\dmolina\AppData\Local\Installer2000
2009-08-26 03:53 . 2009-08-26 03:53 -------- d-----w- c:\program files\TechnoRiver
2009-08-26 02:58 . 2009-08-26 02:58 -------- d-----w- c:\program files\Jolly Technologies
2009-08-20 15:23 . 2009-08-27 15:43 -------- d-----w- c:\users\dmolina\AppData\Roaming\HpUpdate
2009-08-20 15:23 . 2009-08-20 15:23 -------- d-----w- c:\windows\Hewlett-Packard
2009-08-19 06:31 . 2009-08-19 06:31 -------- d-----w- c:\users\dmolina\AppData\Local\Installer4576
2009-08-18 11:32 . 2009-08-18 11:32 -------- d-----w- c:\programdata\Sony Online Entertainment
2009-08-18 10:16 . 2009-08-18 10:16 -------- d-----w- c:\program files\JEOPARDY! 2
2009-08-18 10:16 . 2009-08-18 10:16 -------- d-----w- c:\windows\JEOPARDY! 2
2009-08-17 05:19 . 2009-08-17 05:19 -------- d-----w- c:\users\dmolina\AppData\Roaming\GTek
2009-08-15 00:36 . 2009-08-15 00:36 -------- d-----w- c:\program files\MySQL-Front
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 19:21 . 2007-12-05 10:24 4870 ----a-w- c:\windows\bthservsdp.dat
2009-09-13 18:25 . 2009-06-09 02:41 -------- d-----w- c:\users\dmolina\AppData\Roaming\SQLyog
2009-09-13 07:27 . 2009-06-09 16:12 -------- d-----w- c:\users\dmolina\AppData\Roaming\FrostWire
2009-09-10 16:13 . 2009-06-21 07:33 -------- d-----w- c:\program files\Garena
2009-09-09 04:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-09 04:43 . 2007-06-27 06:28 -------- d-----w- c:\programdata\Microsoft Help
2009-09-07 04:52 . 2009-06-09 15:03 -------- d-----w- c:\users\dmolina\AppData\Roaming\uTorrent
2009-09-05 13:15 . 2009-09-02 08:43 2594 ----a-w- c:\users\dmolina\AppData\Roaming\SAS7_000.DAT
2009-09-02 08:08 . 2007-06-27 05:46 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-31 06:26 . 2007-06-27 07:14 -------- d-----w- c:\programdata\Hewlett-Packard
2009-08-29 16:27 . 2007-06-27 07:18 -------- d-----w- c:\program files\Java
2009-08-25 11:34 . 2009-06-09 03:04 -------- d-----w- c:\program files\glassfish-v2.1
2009-08-20 15:24 . 2007-06-27 06:33 -------- d-----w- c:\program files\HP
2009-08-17 05:18 . 2007-06-27 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 05:18 . 2007-06-27 05:43 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-15 00:36 . 2009-06-09 15:41 -------- d-----w- c:\users\dmolina\AppData\Roaming\MySQL-Front
2009-08-14 22:18 . 2009-06-09 02:39 -------- d-----w- c:\program files\Yahoo!
2009-08-13 16:06 . 2009-08-09 18:38 -------- d-----w- c:\users\dmolina\AppData\Roaming\mIRC
2009-08-13 16:05 . 2009-08-09 18:38 -------- d-----w- c:\program files\mIRC
2009-08-13 13:26 . 2009-07-21 03:54 -------- d-----w- c:\program files\Miranda IM
2009-08-13 13:24 . 2009-08-13 13:21 -------- d-----w- c:\users\dmolina\AppData\Roaming\Miranda
2009-08-12 10:14 . 2009-08-12 10:14 -------- d-----w- c:\users\dmolina\AppData\Roaming\U3
2009-08-09 18:17 . 2009-08-09 17:47 -------- d-----w- c:\users\dmolina\AppData\Roaming\Nokia
2009-08-09 17:51 . 2009-08-09 17:51 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-09 17:51 . 2009-08-09 17:47 -------- d-----w- c:\users\dmolina\AppData\Roaming\PC Suite
2009-08-09 17:51 . 2009-08-09 17:47 -------- d-----w- c:\programdata\PC Suite
2009-08-09 17:51 . 2009-08-09 17:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-09 17:48 . 2009-08-09 17:46 -------- d-----w- c:\program files\DIFX
2009-08-09 17:47 . 2009-08-09 17:47 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-09 17:46 . 2009-08-09 17:40 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-09 17:46 . 2009-08-09 17:40 -------- d-----w- c:\program files\Nokia
2009-08-09 17:46 . 2009-08-09 17:45 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-09 17:45 . 2009-08-09 17:39 -------- d-----w- c:\programdata\Installations
2009-08-09 17:43 . 2009-08-09 17:43 -------- d-----w- c:\programdata\Nokia
2009-08-09 05:38 . 2009-08-09 05:38 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-09 05:37 . 2009-06-09 15:48 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 05:37 . 2009-08-09 05:37 -------- d-----w- c:\program files\Real
2009-08-05 17:50 . 2009-08-03 04:43 -------- d-----w- c:\program files\MagicISO
2009-08-05 17:29 . 2007-06-27 06:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-05 12:50 . 2009-08-05 12:50 -------- d-----w- c:\users\dmolina\AppData\Roaming\Apple Computer
2009-08-05 12:49 . 2009-08-05 12:49 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 12:49 . 2009-08-05 12:49 -------- d-----w- c:\program files\iTunes
2009-08-05 12:49 . 2009-08-05 12:49 -------- d-----w- c:\program files\iPod
2009-08-05 12:49 . 2009-08-05 12:45 -------- d-----w- c:\program files\Common Files\Apple
2009-08-05 12:49 . 2009-08-05 12:47 -------- d-----w- c:\programdata\Apple Computer
2009-08-05 12:48 . 2009-08-04 06:21 -------- d-----w- c:\program files\Bonjour
2009-08-05 12:48 . 2009-08-05 12:48 -------- d-----w- c:\program files\QuickTime
2009-08-05 12:47 . 2009-08-05 12:47 -------- d-----w- c:\program files\Apple Software Update
2009-08-05 12:45 . 2009-08-05 12:45 -------- d-----w- c:\programdata\Apple
2009-08-04 06:58 . 2009-06-09 02:59 -------- d-----w- c:\program files\NetBeans 6.5.1
2009-08-04 06:47 . 2009-08-04 06:47 -------- d-----w- c:\programdata\FLEXnet
2009-08-04 06:14 . 2009-08-04 06:14 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-04 05:02 . 2009-06-09 00:18 94072 ----a-w- c:\users\dmolina\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-03 03:06 . 2009-08-03 03:05 -------- d-----w- c:\users\dmolina\AppData\Roaming\mjusbsp
2009-07-31 21:24 . 2009-06-09 02:41 -------- d-----w- c:\program files\SQLyog Enterprise
2009-07-31 16:41 . 2009-07-31 16:27 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-31 16:27 . 2009-07-31 16:27 -------- d-----w- c:\users\dmolina\AppData\Roaming\SystemRequirementsLab
2009-07-30 13:52 . 2009-07-30 13:51 -------- d-----w- c:\users\dmolina\AppData\Roaming\Go2PCsoft
2009-07-30 13:06 . 2009-07-30 13:06 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-30 13:03 . 2009-06-09 00:13 -------- d-----w- c:\users\dmolina\AppData\Roaming\Hewlett-Packard
2009-07-26 04:28 . 2007-06-27 06:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-25 16:33 . 2009-07-24 10:53 -------- d-----w- c:\program files\Symantec
2009-07-25 16:33 . 2007-06-27 06:06 -------- d-----w- c:\programdata\Symantec
2009-07-24 21:23 . 2009-06-22 03:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 10:54 . 2009-07-24 10:54 -------- d-----w- c:\users\dmolina\AppData\Roaming\Symantec
2009-07-22 12:39 . 2009-07-22 11:52 -------- d-----w- c:\program files\TeamViewer
2009-07-22 10:43 . 2009-07-22 10:32 -------- d-----w- c:\users\dmolina\AppData\Roaming\TeamViewer
2009-07-22 10:32 . 2009-07-22 10:32 -------- d-----w- c:\program files\QS
2009-07-22 09:26 . 2009-07-22 09:26 -------- d-----w- c:\programdata\LogMeIn
2009-07-21 21:52 . 2009-07-29 06:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 06:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 06:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 06:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-20 16:40 . 2009-07-20 15:59 -------- d-----w- c:\program files\uTIPu
2009-07-20 05:34 . 2009-07-20 05:33 -------- d-----w- c:\program files\e-Speaking
2009-07-20 04:37 . 2009-07-20 04:14 -------- d-----w- c:\program files\Voice
2009-07-20 04:31 . 2009-07-20 04:13 796672 ----a-w- c:\windows\GPInstall.exe
2009-07-17 14:35 . 2009-08-13 18:34 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-17 13:27 . 2009-07-17 13:27 -------- d-----w- c:\users\dmolina\AppData\Roaming\funkitron
2009-07-14 13:00 . 2009-08-13 18:34 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-13 18:34 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-13 18:34 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-13 18:34 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-09 04:16 . 2009-07-09 04:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 04:16 . 2009-07-09 04:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 15:18 . 2009-07-07 15:18 355584 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-06-16 04:00 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-06-16 04:00 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-04 133912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-08 75008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-09 198160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^dmolina^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\users\dmolina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8B631A8E-7EFA-49E2-AEB1-375F9EB9B752}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{93A15BA0-3E94-4A32-BB92-762B9D352E2F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{7D92C40A-0370-446C-AB07-E5EBEE7E2743}c:\\program files\\java\\jre1.6.0_07\\bin\\java.exe"= UDP:c:\program files\java\jre1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{02A0025A-31AA-4F4C-B770-9138175E9473}c:\\program files\\java\\jre1.6.0_07\\bin\\java.exe"= TCP:c:\program files\java\jre1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{D9183952-8689-4138-8C30-A2B1501084D1}c:\\program files\\java\\jdk1.6.0_07\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{83B569DC-50A8-4244-B72F-FF929C1CF25C}c:\\program files\\java\\jdk1.6.0_07\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"{85FE6D09-0A96-4A69-942D-1C04C18071F8}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{8261ABA8-5FB1-4A6C-9BAE-35D3ED8ECBB8}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{4C0E4203-AE77-4A22-A438-B958E8BFAEA0}c:\\program files\\ultravnc\\winvnc.exe"= UDP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"UDP Query User{7DEEFC9B-3E30-43D4-9136-21C92B27A62B}c:\\program files\\ultravnc\\winvnc.exe"= TCP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"{7736F8E5-0A43-4F16-97B2-5F5A400726B6}"= UDP:5800:Sample1
"{F64E8871-36FA-4D27-8001-C7CFCFEF4D5B}"= UDP:5900:Sample2
"TCP Query User{2C5C2A51-65D2-41B4-A748-457AB5A1CBEA}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{7FC2949C-F4DC-4EB0-9243-929BD658BB5E}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{F7E171ED-00CF-489B-A54A-8ED99ED53753}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{5928453E-4F17-42F6-AD57-7947A16FB29A}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{76C1AE09-B34E-4148-A032-BD4735B81DF3}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{D3F93D8A-501E-40FE-9932-0EA06D0CDBC5}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"TCP Query User{11AC9257-1DB0-42BD-AAC5-41BA5EA459FC}c:\\program files\\java\\jdk1.6.0_07\\jre\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_07\jre\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{477F2FD4-5A4D-4B8E-B6ED-A73DD29E5530}c:\\program files\\java\\jdk1.6.0_07\\jre\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_07\jre\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{24C4FAE8-B8D7-43E8-AFDD-531AA14C989F}c:\\users\\dmolina\\desktop\\my stash\\program files\\warcraft iii\\war3.exe"= UDP:c:\users\dmolina\desktop\my stash\program files\warcraft iii\war3.exe:war3.exe
"UDP Query User{242454E5-A9AC-40D4-BF9A-E42598639540}c:\\users\\dmolina\\desktop\\my stash\\program files\\warcraft iii\\war3.exe"= TCP:c:\users\dmolina\desktop\my stash\program files\warcraft iii\war3.exe:war3.exe
"{CB5485E9-AC92-4507-BAF5-C3FC10F27676}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{0743C464-FB25-452E-AC03-DA266804C558}c:\\program files\\java\\jdk1.6.0_07\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{A67C5168-2F11-414F-9085-D8E2FA299870}c:\\program files\\java\\jdk1.6.0_07\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_07\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{B6D4C6E2-E476-4E70-A417-2AB5CCF66EFB}c:\\program files\\garena\\garena.exe"= UDP:c:\program files\garena\garena.exe:Garena
"UDP Query User{43B2B11C-9EFE-44B1-A661-645EBC6421B0}c:\\program files\\garena\\garena.exe"= TCP:c:\program files\garena\garena.exe:Garena
"TCP Query User{9FB15125-FAD2-4EF7-9285-08A4CBC227DC}c:\\users\\dmolina\\desktop\\my stash\\program files\\warcraft iii\\war3.exe"= UDP:c:\users\dmolina\desktop\my stash\program files\warcraft iii\war3.exe:war3.exe
"UDP Query User{593F91EC-AFB1-4CCF-AB67-9A56D056F399}c:\\users\\dmolina\\desktop\\my stash\\program files\\warcraft iii\\war3.exe"= TCP:c:\users\dmolina\desktop\my stash\program files\warcraft iii\war3.exe:war3.exe
"TCP Query User{24296005-4AB4-40C5-9FA0-A95C251ECB69}c:\\users\\dmolina\\temp\\teamviewer\\version4\\teamviewer.exe"= UDP:c:\users\dmolina\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"UDP Query User{4FCA678F-C324-4A18-B7E7-4F5B1EAEAE3B}c:\\users\\dmolina\\temp\\teamviewer\\version4\\teamviewer.exe"= TCP:c:\users\dmolina\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"{D84BF935-4974-4911-9D7A-A176643C293A}"= UDP:c:\program files\Live Desktop\LiveDesktop.exe:Live Desktop
"{333F238E-0492-4548-9084-2F35809933F7}"= TCP:c:\program files\Live Desktop\LiveDesktop.exe:Live Desktop
"{06AB25B1-DBC5-4F1A-B7BB-608C21565159}"= UDP:c:\users\dmolina\AppData\Roaming\mjusbsp\magicJack.exe:magicJack
"{DE560229-82C1-4910-806B-EE2862E5D7E3}"= TCP:c:\users\dmolina\AppData\Roaming\mjusbsp\magicJack.exe:magicJack
"{9E595CCE-48A6-4113-B113-3AB5CFA694FC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1BB25CAC-1BAC-43AB-B85E-B7C44C307A07}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{552DEA92-5B37-42A4-A834-35BE7ECC4CC8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5B7194C7-D56D-4224-B7CB-478276DF9171}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{12C896DF-DF51-4ED9-9584-5FA8130B227C}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{1DDCB83D-1346-49D1-B488-F1EA6CDC5182}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{24D60648-3980-4A23-AE2E-E527790D1335}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{E4C4D684-7F26-4B95-9E98-57AF06AE8915}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{30F8A269-3E5C-405F-B724-6A29F1736D75}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{A22224FB-279D-485B-A261-3DDAB9754E43}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{443603CE-D247-479E-AAAE-B342802280A8}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{30516917-3E74-4285-92D5-A91A95AAC278}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"{7EE52B28-435E-4D3F-8173-FADB0A75BD4F}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CD287951-128E-43A5-BEC8-C4EF8C51CF0F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{EB88D3AE-7D78-41F8-AB3F-280C25E7E8A6}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{3B5E300B-FCF5-4416-A959-70C04E8D7631}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{EAA4EEF9-89DD-4E48-951B-29EA504D4D6D}c:\\users\\dmolina\\temp\\teamviewer\\version4\\teamviewer.exe"= UDP:c:\users\dmolina\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"UDP Query User{F27CBC88-2F0A-48A9-81F0-AD13FBD3C8B2}c:\\users\\dmolina\\temp\\teamviewer\\version4\\teamviewer.exe"= TCP:c:\users\dmolina\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"TCP Query User{947B6C95-5922-4EA5-9B43-213A5B5BCC3A}c:\\users\\dmolina\\desktop\\portable teamviewer 4.1 build 6016\\teamviewer.exe"= UDP:c:\users\dmolina\desktop\portable teamviewer 4.1 build 6016\teamviewer.exe:teamviewer.exe
"UDP Query User{DF653921-EAB0-4436-8702-BAECC7BE1887}c:\\users\\dmolina\\desktop\\portable teamviewer 4.1 build 6016\\teamviewer.exe"= TCP:c:\users\dmolina\desktop\portable teamviewer 4.1 build 6016\teamviewer.exe:teamviewer.exe
R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [7/22/2009 5:25 PM 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/9/2009 11:21 AM 210216]
R3 dfmirage;dfmirage;c:\windows\System32\drivers\dfmirage.sys [3/27/2008 3:31 AM 34128]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\System32\drivers\lmvac.sys [8/10/2009 12:46 AM 25616]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [3/19/2009 2:48 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [3/19/2009 2:48 PM 8320]
S3 TipCtrl;TipCtrl;"c:\program files\uTIPu\TipCtrl.exe" --> c:\program files\uTIPu\TipCtrl.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [6/16/2009 11:33 AM 16896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-07 c:\windows\Tasks\HPCeeScheduleFordmolina.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-06-27 21:23]
2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{D7F3C5A7-6DFA-43D7-B19B-BC157A793FF5}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
FF - ProfilePath - c:\users\dmolina\AppData\Roaming\Mozilla\Firefox\Profiles\8eo8w9lb.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPil86.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 03:23
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\dmolina\AppData\Local\Temp\FSJD088.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(676)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\hasplms.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\rundll32.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\IoctlSvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-09-13 3:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 19:31
Pre-Run: 9,118,298,112 bytes free
Post-Run: 8,590,983,168 bytes free
393 --- E O F --- 2009-09-09 04:52
and here is the fresh hijackthis.log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:07 AM, on 9/14/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_PH&c=73&bd=PRESARIO&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TipCtrl - Unknown owner - C:\Program Files\uTIPu\TipCtrl.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7796 bytes
As i was doing the scan with ComboFix it detected some activities then rebooted. After the reboot it continued scanning and produced the log file. After that i cannot open any file or any program as it was saying that it is subject for deletion because of the modification in the registry. Then i restarted my computer and everything's fine again.
I still don't know if the virus is still in my computer because nod32 randomly shows the prompt.
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
xrookie24
2009-09-14, 06:31
ActiveCheck component for HP Active Support Library
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.6
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
Bejeweled 2 Deluxe
Bonjour
Chikka Messenger V4
Chuzzle
Conexant HD Audio
Dragon NaturallySpeaking 10
Dynasty
ESET NOD32 Antivirus
ESU for Microsoft Vista
Final Fantasy VII - Ultima Edition
Four Houses
FrostWire 4.18.0
Garena
GlassFish V2.1
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.2
HP Easy Setup - Frontend
HP Help and Support
HP Integrated Module with Bluetooth wireless technology
HP Photosmart Essential 2.0
HP Quick Launch Buttons 6.20 B1
HP Update
HP User Guides 0060
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
Intel Matrix Storage Manager
Intel(R) Graphics Media Accelerator Driver
iTunes
Java DB 10.3.1.4
Java(TM) 6 Update 15
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 7
Java(TM) SE Runtime Environment 6
JEOPARDY! 2
Jewel Quest
K-Lite Codec Pack 4.1.7 (Full)
Magic Match
Magic Video Converter Trial Version (English) 8.0.2.18
Mah Jong Quest
Mahjong Escape Ancient China
Mahjong Match
Marvell Miniport Driver
McAfee SiteAdvisor
MediaRing Talk
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
mIRC
Mozilla Firefox (3.5.3)
MSCU for Microsoft Vista
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
MySQL Server 5.0
MySQL-Front 4.2
Nero 8
neroxml
NetBeans IDE 6.5.1
NetWaiting
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Nokia Software Updater
Notepad++
PC Connectivity Solution
PDF Settings
Poker Superstars 2
QuickTime
Rainbow Web
RealPlayer
Roxio Activation Module
Scrubbles
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Skype 4.0
SQLyog Enterprise 7.15
System Requirements Lab
Teddy Factory
Touch Pad Driver
Treasures of the Deep
TuneUp Utilities 2008
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb973514)
Virtual Villagers
Visual C++ Runtime for Dragon NaturallySpeaking
Voice and Speech Recognition Software
Windows Driver Package - Nokia Modem (06/01/2009 4.1)
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger
Zuma Deluxe
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
uTorrent
FrostWire 4.18.0
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please run a new uninstall list scan when finished and post the log back here.
xrookie24
2009-09-14, 16:55
About the P2P programs listed above, i actually use them with caution, before i download a torrent i check the comments and i select the type of files i download. About the frostwire, i have been using frostwire for a long time now, i know what to download and not to download. I also scan every file that's been finished downloading. They are my source of files and sorry but i don't think I'm going to stop using them. I really appreciate your concern regarding the dangers of using P2P software, but is it still possible for me to delete the virus without uninstalling the software?
No it unfortunately isn't as having P2P programs is against forum rules to which I linked to.
You don't have to remove them but then help will be stopped, your choice :)
xrookie24
2009-09-14, 19:13
Thanks for all the help then, maybe if i have time i will reformat my laptop. Thanks again for the help.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.