Lelldorianx
2010-06-28, 20:31
Hello Lelldorianx,
Please start a new topic providing the DDS log only and turn off word wrap so that the log isn't double spaced. Makes logs easier to read.
->The file was generated as a .txt, I am reading it on a linux box (to prevent spreading viruses ;) ). Had to manually fix the spacing, hopefully it's ok. If it isn't, I attached the txt in case.
I've been battling this issue for about a full week now; luckily, installing Norton has helped get me to the point where I can use the computer again. I've already changed all my passwords and stuff, but here are my symptoms:
OS - Win XP Pro SP3
1 - Occasional (down about 50% since installing Norton) pop-ups that are often very similar to search terms I enter. e.g., I searched for a Creative driver and had a search engine redirect to some BS page.
2 - Constant intrusion attempts blocked by Norton. I am assuming this is due to some sort of rootkit. A JPG of this is attached (the attackers vary).
3 - Decreased start-up performance
4 - A background SVCHost which does not belong - ending the process results in a cmd prompt initiated shutdown sequence, something about NT Authority \ DCOM or RPC (or RCP, something like that). Typing shutdown /a stops this.
What I have done:
Run Spybot S&D, Malwarebytes' Anti-Malware, SUPERAntiSpyware, Norton 360 4.0, Avast pre-boot scans.
Spybot removed all issues but one: it finds a cookie of some sort called MediaPlex. When I try to 'fix' this problem using Spybot, the program freezes and must be closed by ending the process.
Norton fixed several trojans and backdoors, but for some reason is not removing whatever is attempting to intrude.
Uninstalled all web browsers, as many of the issues were rooted within them (for future information, visiting a gaming website which is normally safe on Firefox proved unsafe on Chrome).
DDS Logs
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 19:17:12.60 on Sun 06/27/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2929 [GMT -4:00]
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Xfire\xfire.exe
I:\virus\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\4.2.0.12\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SkyTel] SkyTel.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-27 328752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-17 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-17 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R2 HPW5ECP;HPW5ECP;c:\windows\system32\drivers\HPW5ECP.sys [1999-12-17 44032]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\4.2.0.12\ccsvchst.exe [2010-6-27 126392]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-4-21 70912]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100625.001\IDSXpx86.sys [2010-6-27 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100627.003\naveng.sys [2010-6-27 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100627.003\navex15.sys [2010-6-27 1347504]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-8-24 21920]
S0 igsvcngq;igsvcngq;c:\windows\system32\drivers\hxhxrfau.sys --> c:\windows\system32\drivers\hxhxrfau.sys [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\symefa.sys --> c:\windows\system32\drivers\n360\0400000.07f\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100619.001\BHDrvx86.sys [2010-6-19 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys --> c:\windows\system32\drivers\n360\0400000.07f\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-27 116784]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\administrator\desktop\vcdrom.sys --> c:\documents and settings\administrator\desktop\VCdRom.sys [?]
S2 chhrwx;Shell Image;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\games\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-4-2 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-18 38224]
S3 rindar;rindar;c:\windows\system32\rindar.sys [2010-6-23 2304]
S3 SJMTIDWPNL;SJMTIDWPNL;c:\docume~1\admini~1\locals~1\temp\sjmtidwpnl.exe --> c:\docume~1\admini~1\locals~1\temp\SJMTIDWPNL.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-6-15 79360]
S4 gupdate1c98670ad476eee;Google Update Service (gupdate1c98670ad476eee);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-23 24652]
=============== Created Last 30 ================
2010-06-27 22:30:59 38912 -c--a-w- c:\windows\system32\dllcache\sm9aw.dll
2010-06-27 22:29:56 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-06-27 22:26:51 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-27 22:26:21 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2010-06-27 22:26:21 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2010-06-27 22:26:21 162304 -c--a-w- c:\windows\system32\dllcache\wuaucpl.cpl
2010-06-27 22:26:21 162304 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-06-27 22:24:49 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2010-06-27 22:24:49 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-27 22:24:49 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2010-06-27 22:24:49 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2010-06-27 22:24:49 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2010-06-27 22:24:49 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-27 22:14:38 4444 ----a-w- c:\windows\system32\pid.PNF
2010-06-27 21:59:44 0 d-----w- c:\program files\common files\ODBC
2010-06-27 21:58:56 1088840 ----a-r- c:\windows\SETE5.tmp
2010-06-27 21:58:50 1296669 ----a-r- c:\windows\SETE4.tmp
2010-06-27 21:27:39 0 d-----w- c:\docume~1\admini~1\applic~1\Tific
2010-06-27 20:25:59 536576 -c--a-w- c:\windows\system32\dllcache\msado15.dll
2010-06-27 20:25:59 331776 -c--a-w- c:\windows\system32\dllcache\msadce.dll
2010-06-27 20:25:59 200704 -c--a-w- c:\windows\system32\dllcache\msadox.dll
2010-06-27 20:25:59 180224 -c--a-w- c:\windows\system32\dllcache\msadomd.dll
2010-06-27 20:25:59 153088 -c--a-w- c:\windows\system32\dllcache\triedit.dll
2010-06-27 20:25:59 143360 -c--a-w- c:\windows\system32\dllcache\msadco.dll
2010-06-27 20:25:59 102400 -c--a-w- c:\windows\system32\dllcache\msjro.dll
2010-06-27 20:25:58 128512 -c--a-w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-27 20:24:53 0 d--h--w- c:\program files\WindowsUpdate
2010-06-27 20:07:39 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-06-27 19:57:07 13608 ----a-r- c:\windows\SET178.tmp
2010-06-27 19:57:03 1086182 ----a-r- c:\windows\SET163.tmp
2010-06-26 15:51:13 118 ----a-w- C:\norton.bat
2010-06-26 15:34:58 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-26 15:34:58 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-26 15:34:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-26 15:34:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-26 15:34:58 0 d-----w- c:\program files\Symantec
2010-06-26 15:33:04 0 d-----w- c:\windows\system32\drivers\N360
2010-06-26 15:33:02 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-06-26 15:21:18 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-06-26 15:19:10 0 d-----w- c:\program files\NortonInstaller
2010-06-26 15:19:10 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-26 07:33:08 0 --sh--w- c:\windows\S2A9329DB.tmp
2010-06-25 19:28:07 0 d-----w- c:\program files\CleanUp!
2010-06-25 15:35:22 419451 ----a-w- c:\windows\setupapi.old
2010-06-23 19:26:26 2304 ----a-w- c:\windows\system32\rindar.sys
2010-06-23 01:55:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:39 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 05:47:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 05:47:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-20 23:27:09 0 d-sha-r- C:\cmdcons
2010-06-20 17:25:22 98816 ----a-w- c:\windows\sed.exe
2010-06-20 17:25:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-20 17:25:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-20 17:25:22 161792 ----a-w- c:\windows\SWREG.exe
2010-06-20 17:22:11 388608 ----a-w- c:\windows\system32\CF4850.exe
2010-06-20 17:17:12 0 d-----w- c:\program files\Trend Micro
2010-06-19 02:07:11 0 d-----w- c:\documents and settings\administrator\Saved Games
2010-06-18 14:37:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 14:37:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 14:37:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 14:26:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-17 19:41:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-17 19:17:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXStateBkp-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 11564 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:15 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.BAK
2010-06-15 17:17:18 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2010-06-15 17:17:18 0 d-----w- c:\windows\system32\Defaults
2010-06-15 17:12:54 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.CDF
2010-06-15 17:12:51 7062 ----a-w- c:\windows\system32\audiopid.vxd
2010-06-15 17:12:36 0 d-----w- c:\program files\common files\Creative Labs Shared
2010-06-15 17:10:50 0 d-----w- c:\windows\system32\Data
2010-06-15 15:03:18 0 d-----w- c:\program files\Vizati
2010-06-14 05:57:23 0 d-----w- c:\docume~1\admini~1\applic~1\Titanium
2010-06-14 05:29:03 0 d-----w- c:\program files\Akeeba eXtract Wizard
2010-06-13 20:28:09 2444656 ----a-w- c:\windows\system32\pbsvc_apb.exe
2010-06-12 18:52:49 87 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2010-06-12 18:52:49 0 ----a-w- c:\documents and settings\administrator\jagex__preferences3.dat
2010-06-11 04:49:44 0 d-----w- c:\docume~1\admini~1\applic~1\ICE Game Studios AB
2010-06-10 18:19:19 0 d-----w- c:\docume~1\alluse~1\applic~1\DinsCurse
2010-06-10 18:18:50 0 d-----w- c:\program files\Din's Curse
==================== Find3M ====================
2010-06-27 22:25:19 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-27 17:02:55 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-27 17:02:55 138056 ----a-w- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2010-06-27 17:02:39 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-27 17:02:28 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-19 02:53:53 45 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2010-06-15 17:11:50 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-15 17:11:50 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-28 00:09:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2008-02-05 22:16:40 114349681 ----a-w- c:\program files\Starcraft.rar
2007-12-30 08:55:07 8 --sha-r- c:\windows\system32\3289F22200.sys
============= FINISH: 19:18:11.20 ===============
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-27 22:26:21 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2010-06-27 22:26:21 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2010-06-27 22:26:21 162304 -c--a-w- c:\windows\system32\dllcache\wuaucpl.cpl
2010-06-27 22:26:21 162304 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-06-27 22:24:49 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2010-06-27 22:24:49 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-27 22:24:49 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2010-06-27 22:24:49 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2010-06-27 22:24:49 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2010-06-27 22:24:49 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-27 22:14:38 4444 ----a-w- c:\windows\system32\pid.PNF
2010-06-27 21:59:44 0 d-----w- c:\program files\common files\ODBC
2010-06-27 21:58:56 1088840 ----a-r- c:\windows\SETE5.tmp
2010-06-27 21:58:50 1296669 ----a-r- c:\windows\SETE4.tmp
2010-06-27 21:27:39 0 d-----w- c:\docume~1\admini~1\applic~1\Tific
2010-06-27 20:25:59 536576 -c--a-w- c:\windows\system32\dllcache\msado15.dll
2010-06-27 20:25:59 331776 -c--a-w- c:\windows\system32\dllcache\msadce.dll
2010-06-27 20:25:59 200704 -c--a-w- c:\windows\system32\dllcache\msadox.dll
2010-06-27 20:25:59 180224 -c--a-w- c:\windows\system32\dllcache\msadomd.dll
2010-06-27 20:25:59 153088 -c--a-w- c:\windows\system32\dllcache\triedit.dll
2010-06-27 20:25:59 143360 -c--a-w- c:\windows\system32\dllcache\msadco.dll
2010-06-27 20:25:59 102400 -c--a-w- c:\windows\system32\dllcache\msjro.dll
2010-06-27 20:25:58 128512 -c--a-w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-27 20:24:53 0 d--h--w- c:\program files\WindowsUpdate
2010-06-27 20:07:39 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-06-27 19:57:07 13608 ----a-r- c:\windows\SET178.tmp
2010-06-27 19:57:03 1086182 ----a-r- c:\windows\SET163.tmp
2010-06-26 15:51:13 118 ----a-w- C:\norton.bat
2010-06-26 15:34:58 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-26 15:34:58 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-26 15:34:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-26 15:34:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-26 15:34:58 0 d-----w- c:\program files\Symantec
2010-06-26 15:33:04 0 d-----w- c:\windows\system32\drivers\N360
2010-06-26 15:33:02 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-06-26 15:21:18 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-06-26 15:19:10 0 d-----w- c:\program files\NortonInstaller
2010-06-26 15:19:10 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-26 07:33:08 0 --sh--w- c:\windows\S2A9329DB.tmp
2010-06-25 19:28:07 0 d-----w- c:\program files\CleanUp!
2010-06-25 15:35:22 419451 ----a-w- c:\windows\setupapi.old
2010-06-23 19:26:26 2304 ----a-w- c:\windows\system32\rindar.sys
2010-06-23 01:55:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:39 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 05:47:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 05:47:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-20 23:27:09 0 d-sha-r- C:\cmdcons
2010-06-20 17:25:22 98816 ----a-w- c:\windows\sed.exe
2010-06-20 17:25:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-20 17:25:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-20 17:25:22 161792 ----a-w- c:\windows\SWREG.exe
2010-06-20 17:22:11 388608 ----a-w- c:\windows\system32\CF4850.exe
2010-06-20 17:17:12 0 d-----w- c:\program files\Trend Micro
2010-06-19 02:07:11 0 d-----w- c:\documents and settings\administrator\Saved Games
2010-06-18 14:37:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 14:37:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 14:37:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 14:26:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-17 19:41:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-17 19:17:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXStateBkp-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 11564 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:15 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.BAK
2010-06-15 17:17:18 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2010-06-15 17:17:18 0 d-----w- c:\windows\system32\Defaults
2010-06-15 17:12:54 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.CDF
2010-06-15 17:12:51 7062 ----a-w- c:\windows\system32\audiopid.vxd
2010-06-15 17:12:36 0 d-----w- c:\program files\common files\Creative Labs Shared
2010-06-15 17:10:50 0 d-----w- c:\windows\system32\Data
2010-06-15 15:03:18 0 d-----w- c:\program files\Vizati
2010-06-14 05:57:23 0 d-----w- c:\docume~1\admini~1\applic~1\Titanium
2010-06-14 05:29:03 0 d-----w- c:\program files\Akeeba eXtract Wizard
2010-06-13 20:28:09 2444656 ----a-w- c:\windows\system32\pbsvc_apb.exe
2010-06-12 18:52:49 87 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2010-06-12 18:52:49 0 ----a-w- c:\documents and settings\administrator\jagex__preferences3.dat
2010-06-11 04:49:44 0 d-----w- c:\docume~1\admini~1\applic~1\ICE Game Studios AB
2010-06-10 18:19:19 0 d-----w- c:\docume~1\alluse~1\applic~1\DinsCurse
2010-06-10 18:18:50 0 d-----w- c:\program files\Din's Curse
==================== Find3M ====================
2010-06-27 22:25:19 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-27 17:02:55 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-27 17:02:55 138056 ----a-w- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2010-06-27 17:02:39 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-27 17:02:28 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-19 02:53:53 45 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2010-06-15 17:11:50 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-15 17:11:50 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-28 00:09:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2008-02-05 22:16:40 114349681 ----a-w- c:\program files\Starcraft.rar
2007-12-30 08:55:07 8 --sha-r- c:\windows\system32\3289F22200.sys
============= FINISH: 19:18:11.20 ===============