help.. i can't install/run antivirus programs - HJL included
- Thread starter drv1022
- Start date
so i'm not sure whether it finished scanning but my pc did reboot.. 
Download and Run DirLook
Please download DirLook by jpshortstuff from here.
Note: Scanning may take longer for large folders
Please download DirLook by jpshortstuff from here.
- Double-click DirLook.exe to run it.
- Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
- Copy the content of the following codebox into the textfield labeled "Directory:":
Code:C:\Qoobox /s - Click the DirLook button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders
hello.. here it is:
DirLook.exe v2.0 by jpshortstuff
Log created at 21:23 on 30/11/2008
==================================
Contents of "C:\Qoobox"
---FOLDERS---
LastRun (Created on 30/11/2008 at 20:05) d-----
Quarantine (Created on 30/05/2002 at 13:10) d-a---
Test (Created on 30/11/2008 at 20:05) d-----
TestC (Created on 30/11/2008 at 20:05) d-----
---FILES---
Add-Remove Programs.txt (1767 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
BackEnv (10332 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:07) --a---
CF-Submit.htm (1215 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:08) --a---
CFScript_used_2008-11-30@20.08.txt (117 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:02) --a---
ComboFix-quarantined-files.txt (711 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
ComboFix2.txt (15837 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
ComboFix3.txt (14755 bytes - created on 24/11/2008 at 08:16, modified on 24/11/2008 at 08:16) --a---
LogA (552 bytes - created on 30/11/2008 at 20:13, modified on 30/11/2008 at 20:13) --a---
snapshot@2008-11-24_ 8.12.21.85.dat (563606 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
snapshot@2008-11-24_ 8.12.21.85_B.dat (532484 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
---Sub-Directories---
C:\Qoobox\LastRun
CregC.old (0 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
d-del2A.dat (0 bytes - created on 30/11/2008 at 20:10, modified on 30/11/2008 at 20:11) --a---
d-del2AA.dat (0 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:11) --a---
d-del4AV.dat (0 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:12) --a---
drevB.dat (284 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
erunt.dat (10 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:05) --a---
ndis_log.dat (67 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:12) --a---
RenVDel.dat (0 bytes - created on 30/11/2008 at 20:10, modified on 30/11/2008 at 20:11) --a---
SvcTarget.dat (117 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:08) --a---
zhsvc.old (874 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
C:\Qoobox\Quarantine
catchme.log (290 bytes - created on 30/05/2002 at 13:10, modified on 30/11/2008 at 20:05) --a---
[4]-Submit_2008-11-30@20.08.zip (433060 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:08) --a---
C:\Qoobox\Quarantine\C (Created on 24/11/2008 at 08:07) d-----
autorun.inf.vir (643 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:22) --a---
e.cmd.vir (176128 bytes - created on 30/11/2008 at 18:11, modified on 30/11/2008 at 18:10) --a---
i.bat.vir (182272 bytes - created on 29/05/2002 at 11:28, modified on 29/05/2002 at 11:27) --a---
vva0hc0p.cmd.vir (172544 bytes - created on 29/05/2002 at 11:27, modified on 04/10/2008 at 09:25) --a---
C:\Qoobox\Quarantine\C\WINDOWS (Created on 30/11/2008 at 20:09) d-----
explorer.exe.vir (1144832 bytes - created on 13/01/2006 at 01:46, modified on 13/01/2006 at 01:46) --a---
C:\Qoobox\Quarantine\C\WINDOWS\system32 (Created on 30/11/2008 at 20:09) d-----
ckvo.exe.vir (172544 bytes - created on 29/05/2002 at 11:26, modified on 04/10/2008 at 09:25) --a---
ckvo0.dll.vir (85504 bytes - created on 29/05/2002 at 11:27, modified on 29/05/2002 at 11:27) --a---
gasretyw0.dll.vir (85504 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:21) --a---
gasretyw1.dll.vir (85504 bytes - created on 30/11/2008 at 18:11, modified on 30/11/2008 at 18:11) --a---
kamsoft.exe.vir (176128 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:10) --a---
C:\Qoobox\Quarantine\E (Created on 24/11/2008 at 08:12) d-a---
AUTORUN.INF.vir (93 bytes - created on 24/11/2008 at 08:12, modified on 30/05/2002 at 00:32) --a---
C:\Qoobox\Quarantine\Registry_backups (Created on 30/05/2002 at 13:10) d-----
HKLM-Run-BitDefender Antiphishing Helper.reg.dat (182 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-CFSServ.exe.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-NDSTray.exe.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-TFncKy.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
tcpip.reg (4865 bytes - created on 24/11/2008 at 08:10, modified on 30/11/2008 at 20:11) --a---
C:\Qoobox\Test
C:\Qoobox\TestC
==================================
=EOF=
DirLook.exe v2.0 by jpshortstuff
Log created at 21:23 on 30/11/2008
==================================
Contents of "C:\Qoobox"
---FOLDERS---
LastRun (Created on 30/11/2008 at 20:05) d-----
Quarantine (Created on 30/05/2002 at 13:10) d-a---
Test (Created on 30/11/2008 at 20:05) d-----
TestC (Created on 30/11/2008 at 20:05) d-----
---FILES---
Add-Remove Programs.txt (1767 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
BackEnv (10332 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:07) --a---
CF-Submit.htm (1215 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:08) --a---
CFScript_used_2008-11-30@20.08.txt (117 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:02) --a---
ComboFix-quarantined-files.txt (711 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
ComboFix2.txt (15837 bytes - created on 24/11/2008 at 08:16, modified on 23/11/2008 at 14:04) --a---
ComboFix3.txt (14755 bytes - created on 24/11/2008 at 08:16, modified on 24/11/2008 at 08:16) --a---
LogA (552 bytes - created on 30/11/2008 at 20:13, modified on 30/11/2008 at 20:13) --a---
snapshot@2008-11-24_ 8.12.21.85.dat (563606 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
snapshot@2008-11-24_ 8.12.21.85_B.dat (532484 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
---Sub-Directories---
C:\Qoobox\LastRun
CregC.old (0 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
d-del2A.dat (0 bytes - created on 30/11/2008 at 20:10, modified on 30/11/2008 at 20:11) --a---
d-del2AA.dat (0 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:11) --a---
d-del4AV.dat (0 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:12) --a---
drevB.dat (284 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
erunt.dat (10 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:05) --a---
ndis_log.dat (67 bytes - created on 30/11/2008 at 20:12, modified on 30/11/2008 at 20:12) --a---
RenVDel.dat (0 bytes - created on 30/11/2008 at 20:10, modified on 30/11/2008 at 20:11) --a---
SvcTarget.dat (117 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:08) --a---
zhsvc.old (874 bytes - created on 30/11/2008 at 20:09, modified on 30/11/2008 at 20:12) --a---
C:\Qoobox\Quarantine
catchme.log (290 bytes - created on 30/05/2002 at 13:10, modified on 30/11/2008 at 20:05) --a---
[4]-Submit_2008-11-30@20.08.zip (433060 bytes - created on 30/11/2008 at 20:08, modified on 30/11/2008 at 20:08) --a---
C:\Qoobox\Quarantine\C (Created on 24/11/2008 at 08:07) d-----
autorun.inf.vir (643 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:22) --a---
e.cmd.vir (176128 bytes - created on 30/11/2008 at 18:11, modified on 30/11/2008 at 18:10) --a---
i.bat.vir (182272 bytes - created on 29/05/2002 at 11:28, modified on 29/05/2002 at 11:27) --a---
vva0hc0p.cmd.vir (172544 bytes - created on 29/05/2002 at 11:27, modified on 04/10/2008 at 09:25) --a---
C:\Qoobox\Quarantine\C\WINDOWS (Created on 30/11/2008 at 20:09) d-----
explorer.exe.vir (1144832 bytes - created on 13/01/2006 at 01:46, modified on 13/01/2006 at 01:46) --a---
C:\Qoobox\Quarantine\C\WINDOWS\system32 (Created on 30/11/2008 at 20:09) d-----
ckvo.exe.vir (172544 bytes - created on 29/05/2002 at 11:26, modified on 04/10/2008 at 09:25) --a---
ckvo0.dll.vir (85504 bytes - created on 29/05/2002 at 11:27, modified on 29/05/2002 at 11:27) --a---
gasretyw0.dll.vir (85504 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:21) --a---
gasretyw1.dll.vir (85504 bytes - created on 30/11/2008 at 18:11, modified on 30/11/2008 at 18:11) --a---
kamsoft.exe.vir (176128 bytes - created on 29/05/2002 at 11:27, modified on 30/11/2008 at 18:10) --a---
C:\Qoobox\Quarantine\E (Created on 24/11/2008 at 08:12) d-a---
AUTORUN.INF.vir (93 bytes - created on 24/11/2008 at 08:12, modified on 30/05/2002 at 00:32) --a---
C:\Qoobox\Quarantine\Registry_backups (Created on 30/05/2002 at 13:10) d-----
HKLM-Run-BitDefender Antiphishing Helper.reg.dat (182 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-CFSServ.exe.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-NDSTray.exe.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
HKLM-Run-TFncKy.reg.dat (0 bytes - created on 24/11/2008 at 08:12, modified on 24/11/2008 at 08:12) --a---
tcpip.reg (4865 bytes - created on 24/11/2008 at 08:10, modified on 30/11/2008 at 20:11) --a---
C:\Qoobox\Test
C:\Qoobox\TestC
==================================
=EOF=
Please open LINK >>> THIS PAGE <<<LINK in a new window.
In the box marked Link to topic where this file was requested: please put this text
In the box marked Browse to the file you want to submit: please put this text
In the Largest box please put
Finally click SendFile
In the box marked Link to topic where this file was requested: please put this text
Code:
http://forums.spybot.info/showthread.php?p=260611#post260611In the box marked Browse to the file you want to submit: please put this text
Code:
C:\Qoobox\Quarantine\[4]-Submit_2008-11-30@20.08.zipIn the Largest box please put
Code:
Failed CF SubmitThanks for that.
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
- Please visit this webpage for instructions on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3
- You must download it to and run it from your Desktop
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
- Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
hello again, this is the log.txt from Combofix:
ComboFix 08-11-30.01 - dianne 2008-12-01 17:24:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT 0:00]
Running from: c:\documents and settings\dianne\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\e.cmd
.
---- Previous Run -------
.
C:\autorun.inf
C:\e.cmd
C:\i.bat
C:\vva0hc0p.cmd
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
E:\Autorun.inf
E:\i.bat
E:\vva0hc0p.cmd
.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.
2008-11-30 17:59 . 2002-05-29 02:03 <DIR> d-------- c:\program files\MetaCommander
2008-11-30 10:58 . 2008-11-30 14:15 <DIR> d-------- c:\program files\NOS
2008-11-30 10:58 . 2008-11-30 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-24 08:25 . 2008-11-23 13:44 <DIR> d-------- c:\program files\AskBarDis
2008-11-24 08:25 . 2008-11-24 08:25 <DIR> d-------- c:\documents and settings\dianne\Application Data\Foxit
2008-11-24 08:24 . 2008-11-24 08:24 <DIR> d-------- c:\program files\Foxit Software
2008-11-23 11:49 . 2008-11-23 11:49 <DIR> d-------- c:\windows\Sun
2008-11-23 09:11 . 2008-11-23 09:11 <DIR> d-------- c:\documents and settings\dianne\Application Data\com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-23 09:05 . 2008-11-23 09:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 09:03 . 2008-11-23 09:03 <DIR> d-------- c:\program files\Java
2008-11-23 08:57 . 2008-11-23 08:57 <DIR> d-------- c:\program files\Multiply
2008-11-23 08:46 . 2008-11-23 09:03 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-17 01:01 . 2008-08-14 09:57 2,185,984 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-17 01:01 . 2008-08-14 09:57 2,185,984 --------- c:\windows\system32\DllCache\ntoskrnl.exe
2008-11-17 01:01 . 2008-08-14 09:55 2,142,720 --------- c:\windows\system32\DllCache\ntkrnlmp.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,062,976 --a------ c:\windows\system32\ntkrnlpa.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,062,976 --------- c:\windows\system32\DllCache\ntkrnlpa.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,020,864 --------- c:\windows\system32\DllCache\ntkrpamp.exe
2008-11-17 00:46 . 2008-06-13 13:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-17 00:46 . 2008-06-13 13:10 272,128 --------- c:\windows\system32\DllCache\bthport.sys
2008-11-17 00:34 . 2008-09-04 16:42 1,106,944 --a------ c:\windows\system32\msxml3.dll
2008-11-17 00:34 . 2008-09-04 16:42 1,106,944 --------- c:\windows\system32\DllCache\msxml3.dll
2008-11-17 00:29 . 2008-08-28 10:35 333,056 --a------ c:\windows\system32\drivers\srv.sys
2008-11-17 00:29 . 2008-08-28 10:35 333,056 --------- c:\windows\system32\DllCache\srv.sys
2008-11-17 00:28 . 2008-09-15 12:17 1,846,912 --------- c:\windows\system32\DllCache\win32k.sys
2008-11-16 23:40 . 2008-08-14 09:51 138,368 --a------ c:\windows\system32\drivers\afd.sys
2008-11-16 23:40 . 2008-08-14 09:51 138,368 --------- c:\windows\system32\DllCache\afd.sys
2008-11-16 23:23 . 2008-05-08 12:28 202,752 --a------ c:\windows\system32\drivers\rmcast.sys
2008-11-16 23:23 . 2008-05-08 12:28 202,752 --------- c:\windows\system32\DllCache\rmcast.sys
2008-11-16 23:22 . 2008-10-24 11:25 455,936 --a------ c:\windows\system32\drivers\mrxsmb.sys
2008-11-16 23:22 . 2008-10-24 11:25 455,936 --------- c:\windows\system32\DllCache\mrxsmb.sys
2008-11-16 23:22 . 2008-05-01 14:30 331,776 --------- c:\windows\system32\DllCache\msadce.dll
2008-11-16 20:51 . 2008-11-16 20:51 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-16 20:43 . 2003-07-20 18:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-16 20:43 . 2005-01-04 09:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-16 20:24 . 2008-11-16 20:24 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-16 20:24 . 2008-11-16 20:24 <DIR> d-------- c:\program files\Gravity
2008-11-16 20:21 . 2008-11-16 20:21 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-16 11:20 . 2002-05-30 13:12 <DIR> d-------- c:\windows\system32\DllCache
2008-11-16 11:18 . 2008-11-16 11:18 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-16 09:47 . 2008-11-19 03:11 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-16 09:08 . 2008-11-16 09:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 09:08 . 2002-05-30 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 06:19 . 2008-11-17 18:27 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-16 03:41 . 2008-10-15 16:53 339,456 --------- c:\windows\system32\DllCache\netapi32.dll
2008-11-15 19:39 . 2008-11-15 19:40 <DIR> d-------- c:\documents and settings\dianne\Application Data\Media Player Classic
2008-11-15 19:38 . 2008-11-15 19:38 <DIR> d-------- c:\program files\Real Alternative
2008-11-15 19:23 . 2008-11-15 19:23 0 --a------ c:\windows\system32\ddnf95.w95
2008-11-15 19:21 . 1998-05-11 16:40 99,248 --a------ c:\windows\system32\MMAIL32.OCX
2008-11-15 19:20 . 2008-11-15 19:21 <DIR> d-------- c:\program files\Decoder
2008-11-15 19:02 . 2008-11-15 19:02 <DIR> d-------- c:\program files\WinAVI Video Converter
2008-11-15 17:33 . 2008-11-15 17:33 <DIR> d-------- c:\program files\VideoLAN
2008-11-15 17:06 . 2008-11-15 17:06 <DIR> d-------- c:\documents and settings\dianne\Application Data\Apple Computer
2008-11-15 16:29 . 2008-11-15 16:29 <DIR> d-------- c:\program files\Apple Software Update
2008-11-15 16:29 . 2008-11-15 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-15 15:24 . 2008-11-15 16:02 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 15:24 . 2008-09-24 18:41 839,680 --a------ c:\windows\system32\lameACM.acm
2008-11-15 15:24 . 2004-01-25 16:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-15 15:24 . 2007-09-04 16:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 15:24 . 2007-09-21 00:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2008-11-15 15:24 . 2008-11-02 14:02 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-15 15:24 . 2007-07-10 16:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-15 15:24 . 2008-10-03 12:30 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-15 15:24 . 2008-07-30 19:09 38 --a------ c:\windows\avisplitter.ini
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\JockerSoft
2008-11-15 12:42 . 2008-11-15 12:42 <DIR> d-------- c:\program files\DirectVobSub
2008-11-15 11:25 . 2008-10-16 13:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-15 11:25 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-11-15 11:25 . 2008-10-16 13:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-15 11:25 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-11-15 11:25 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-15 11:25 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-11-15 11:11 . 2008-11-15 12:32 <DIR> d-------- c:\documents and settings\dianne\Application Data\DivX
2008-11-15 11:04 . 2008-11-15 17:05 <DIR> d-------- c:\program files\DivX
2008-11-15 02:02 . 2008-11-15 02:02 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-15 02:00 . 2008-11-15 02:02 <DIR> d-------- c:\windows\system32\drivers\umdf
2008-11-15 01:54 . 2006-05-09 20:00 22,752 --a------ c:\windows\system32\spupdsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 17:25 --------- d-----w c:\documents and settings\dianne\Application Data\uTorrent
2008-11-30 20:12 1,075,200 ----a-w c:\windows\explorer.exe
2008-11-30 18:04 --------- d-----w c:\program files\QuickTime Alternative
2008-11-30 09:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:09 133,144 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-09-05 22:30 241,704 ------w c:\windows\system32\DllCache\wgaLogon.dll
2008-09-05 22:29 917,032 ------w c:\windows\system32\DllCache\WgaTray.exe
2002-05-29 03:23 16,384 --sha-w c:\windows\keybd.dat
2002-05-29 01:22 90,112 --sha-w c:\windows\ldup.exe
2002-05-29 01:22 24,576 --sha-w c:\windows\sy.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-24_ 8.12.21.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-20 11:09:41 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-11-23 11:08:23 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-11-20 11:09:41 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-11-23 11:08:23 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-11-20 11:09:41 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-11-23 11:08:23 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-11-20 11:09:41 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-23 11:08:22 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-11-20 11:09:41 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-23 11:08:23 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-11-20 11:09:41 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-11-23 11:08:23 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-11-20 11:09:41 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-11-23 11:08:23 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-11-20 11:09:42 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-23 11:08:23 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-11-20 11:09:41 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-11-23 11:08:22 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-20 11:09:41 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-11-23 11:08:22 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-11-20 11:09:42 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-23 11:08:23 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-11-20 11:09:41 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-23 11:08:22 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-11-20 11:09:41 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-23 11:08:22 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-01-13 01:15:31 956,688 ----a-w c:\windows\system32\calc.exe
+ 2006-01-13 01:15:31 1,026,320 ----a-w c:\windows\system32\calc.exe
- 2006-01-13 01:49:10 491,008 ----a-w c:\windows\system32\cmd.exe
+ 2006-01-13 01:49:10 663,040 ----a-w c:\windows\system32\cmd.exe
+ 2008-11-23 09:03:43 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-23 09:03:43 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-23 09:03:43 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-11-03 15:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-03 15:10:26 17,396,160 ----a-w c:\windows\system32\MRT.exe
- 2002-05-29 00:07:11 58,800 ----a-w c:\windows\system32\perfc009.dat
+ 2002-05-29 01:05:27 58,800 ----a-w c:\windows\system32\perfc009.dat
- 2002-05-29 00:07:12 392,626 ----a-w c:\windows\system32\perfh009.dat
+ 2002-05-29 01:05:27 392,626 ----a-w c:\windows\system32\perfh009.dat
- 2006-01-13 01:34:15 85,504 ----a-w c:\windows\system32\regsvr32.exe
+ 2006-01-13 01:34:15 187,904 ----a-w c:\windows\system32\regsvr32.exe
+ 2002-05-29 02:31:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_72c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7275568]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4424944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 434176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 214424]
"ccPrxy.exe"="ccPrxy.exe" [2002-05-29 c:\windows\system32\ccPrxy.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]
c:\documents and settings\dianne\Start Menu\Programs\Startup\
Multiply AutoUploader.lnk - c:\program files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe [2008-11-23 95232]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\dianne\\Templates\\ldup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\ccPrxy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2008\\bdagent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\johogi.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Intelligent Copier - c:\program files\Interdesigner Software\Intelligent Copier\IntelligentCopier.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\dianne\Application Data\Mozilla\Firefox\Profiles\5l0ykisn.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 17:27:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-01 17:32:40
ComboFix-quarantined-files.txt 2008-12-01 17:32:35
ComboFix2.txt 2008-11-23 14:04:46
ComboFix3.txt 2008-11-24 08:16:48
Pre-Run: 4,964,966,400 bytes free
Post-Run: 4,929,835,008 bytes free
297 --- E O F --- 2008-11-23 11:09:00
and, this is the hijackthis.txt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:30 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ccPrxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dianne\Desktop\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Multiply AutoUploader.lnk = C:\Program Files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 3994 bytes
ComboFix 08-11-30.01 - dianne 2008-12-01 17:24:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT 0:00]
Running from: c:\documents and settings\dianne\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\e.cmd
.
---- Previous Run -------
.
C:\autorun.inf
C:\e.cmd
C:\i.bat
C:\vva0hc0p.cmd
c:\windows\system32\ckvo.exe
c:\windows\system32\ckvo0.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
E:\Autorun.inf
E:\i.bat
E:\vva0hc0p.cmd
.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.
2008-11-30 17:59 . 2002-05-29 02:03 <DIR> d-------- c:\program files\MetaCommander
2008-11-30 10:58 . 2008-11-30 14:15 <DIR> d-------- c:\program files\NOS
2008-11-30 10:58 . 2008-11-30 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-24 08:25 . 2008-11-23 13:44 <DIR> d-------- c:\program files\AskBarDis
2008-11-24 08:25 . 2008-11-24 08:25 <DIR> d-------- c:\documents and settings\dianne\Application Data\Foxit
2008-11-24 08:24 . 2008-11-24 08:24 <DIR> d-------- c:\program files\Foxit Software
2008-11-23 11:49 . 2008-11-23 11:49 <DIR> d-------- c:\windows\Sun
2008-11-23 09:11 . 2008-11-23 09:11 <DIR> d-------- c:\documents and settings\dianne\Application Data\com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1
2008-11-23 09:10 . 2008-11-23 09:10 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-23 09:05 . 2008-11-23 09:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 09:03 . 2008-11-23 09:03 <DIR> d-------- c:\program files\Java
2008-11-23 08:57 . 2008-11-23 08:57 <DIR> d-------- c:\program files\Multiply
2008-11-23 08:46 . 2008-11-23 09:03 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-17 01:01 . 2008-08-14 09:57 2,185,984 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-17 01:01 . 2008-08-14 09:57 2,185,984 --------- c:\windows\system32\DllCache\ntoskrnl.exe
2008-11-17 01:01 . 2008-08-14 09:55 2,142,720 --------- c:\windows\system32\DllCache\ntkrnlmp.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,062,976 --a------ c:\windows\system32\ntkrnlpa.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,062,976 --------- c:\windows\system32\DllCache\ntkrnlpa.exe
2008-11-17 01:01 . 2008-08-14 09:18 2,020,864 --------- c:\windows\system32\DllCache\ntkrpamp.exe
2008-11-17 00:46 . 2008-06-13 13:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-17 00:46 . 2008-06-13 13:10 272,128 --------- c:\windows\system32\DllCache\bthport.sys
2008-11-17 00:34 . 2008-09-04 16:42 1,106,944 --a------ c:\windows\system32\msxml3.dll
2008-11-17 00:34 . 2008-09-04 16:42 1,106,944 --------- c:\windows\system32\DllCache\msxml3.dll
2008-11-17 00:29 . 2008-08-28 10:35 333,056 --a------ c:\windows\system32\drivers\srv.sys
2008-11-17 00:29 . 2008-08-28 10:35 333,056 --------- c:\windows\system32\DllCache\srv.sys
2008-11-17 00:28 . 2008-09-15 12:17 1,846,912 --------- c:\windows\system32\DllCache\win32k.sys
2008-11-16 23:40 . 2008-08-14 09:51 138,368 --a------ c:\windows\system32\drivers\afd.sys
2008-11-16 23:40 . 2008-08-14 09:51 138,368 --------- c:\windows\system32\DllCache\afd.sys
2008-11-16 23:23 . 2008-05-08 12:28 202,752 --a------ c:\windows\system32\drivers\rmcast.sys
2008-11-16 23:23 . 2008-05-08 12:28 202,752 --------- c:\windows\system32\DllCache\rmcast.sys
2008-11-16 23:22 . 2008-10-24 11:25 455,936 --a------ c:\windows\system32\drivers\mrxsmb.sys
2008-11-16 23:22 . 2008-10-24 11:25 455,936 --------- c:\windows\system32\DllCache\mrxsmb.sys
2008-11-16 23:22 . 2008-05-01 14:30 331,776 --------- c:\windows\system32\DllCache\msadce.dll
2008-11-16 20:51 . 2008-11-16 20:51 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-16 20:43 . 2003-07-20 18:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-16 20:43 . 2005-01-04 09:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-16 20:24 . 2008-11-16 20:24 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-16 20:24 . 2008-11-16 20:24 <DIR> d-------- c:\program files\Gravity
2008-11-16 20:21 . 2008-11-16 20:21 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-16 11:20 . 2002-05-30 13:12 <DIR> d-------- c:\windows\system32\DllCache
2008-11-16 11:18 . 2008-11-16 11:18 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-16 09:47 . 2008-11-19 03:11 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-16 09:08 . 2008-11-16 09:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-16 09:08 . 2002-05-30 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 06:19 . 2008-11-17 18:27 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-16 03:41 . 2008-10-15 16:53 339,456 --------- c:\windows\system32\DllCache\netapi32.dll
2008-11-15 19:39 . 2008-11-15 19:40 <DIR> d-------- c:\documents and settings\dianne\Application Data\Media Player Classic
2008-11-15 19:38 . 2008-11-15 19:38 <DIR> d-------- c:\program files\Real Alternative
2008-11-15 19:23 . 2008-11-15 19:23 0 --a------ c:\windows\system32\ddnf95.w95
2008-11-15 19:21 . 1998-05-11 16:40 99,248 --a------ c:\windows\system32\MMAIL32.OCX
2008-11-15 19:20 . 2008-11-15 19:21 <DIR> d-------- c:\program files\Decoder
2008-11-15 19:02 . 2008-11-15 19:02 <DIR> d-------- c:\program files\WinAVI Video Converter
2008-11-15 17:33 . 2008-11-15 17:33 <DIR> d-------- c:\program files\VideoLAN
2008-11-15 17:06 . 2008-11-15 17:06 <DIR> d-------- c:\documents and settings\dianne\Application Data\Apple Computer
2008-11-15 16:29 . 2008-11-15 16:29 <DIR> d-------- c:\program files\Apple Software Update
2008-11-15 16:29 . 2008-11-15 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-15 15:24 . 2008-11-15 16:02 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 15:24 . 2008-09-24 18:41 839,680 --a------ c:\windows\system32\lameACM.acm
2008-11-15 15:24 . 2004-01-25 16:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-15 15:24 . 2007-09-04 16:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 15:24 . 2007-09-21 00:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2008-11-15 15:24 . 2008-11-02 14:02 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-15 15:24 . 2007-07-10 16:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-15 15:24 . 2008-10-03 12:30 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-15 15:24 . 2008-07-30 19:09 38 --a------ c:\windows\avisplitter.ini
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\JockerSoft
2008-11-15 12:42 . 2008-11-15 12:42 <DIR> d-------- c:\program files\DirectVobSub
2008-11-15 11:25 . 2008-10-16 13:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-15 11:25 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-11-15 11:25 . 2008-10-16 13:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-15 11:25 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-11-15 11:25 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-15 11:25 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-11-15 11:11 . 2008-11-15 12:32 <DIR> d-------- c:\documents and settings\dianne\Application Data\DivX
2008-11-15 11:04 . 2008-11-15 17:05 <DIR> d-------- c:\program files\DivX
2008-11-15 02:02 . 2008-11-15 02:02 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-15 02:00 . 2008-11-15 02:02 <DIR> d-------- c:\windows\system32\drivers\umdf
2008-11-15 01:54 . 2006-05-09 20:00 22,752 --a------ c:\windows\system32\spupdsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 17:25 --------- d-----w c:\documents and settings\dianne\Application Data\uTorrent
2008-11-30 20:12 1,075,200 ----a-w c:\windows\explorer.exe
2008-11-30 18:04 --------- d-----w c:\program files\QuickTime Alternative
2008-11-30 09:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:09 133,144 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-09-05 22:30 241,704 ------w c:\windows\system32\DllCache\wgaLogon.dll
2008-09-05 22:29 917,032 ------w c:\windows\system32\DllCache\WgaTray.exe
2002-05-29 03:23 16,384 --sha-w c:\windows\keybd.dat
2002-05-29 01:22 90,112 --sha-w c:\windows\ldup.exe
2002-05-29 01:22 24,576 --sha-w c:\windows\sy.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-24_ 8.12.21.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-20 11:09:41 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-11-23 11:08:23 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-11-20 11:09:41 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-11-23 11:08:23 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-11-20 11:09:41 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-11-23 11:08:23 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-11-20 11:09:41 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-23 11:08:22 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-11-20 11:09:41 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-23 11:08:23 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-11-20 11:09:41 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-11-23 11:08:23 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-11-20 11:09:41 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-11-23 11:08:23 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-11-20 11:09:42 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-23 11:08:23 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-11-20 11:09:41 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-11-23 11:08:22 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-11-20 11:09:41 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-11-23 11:08:22 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-11-20 11:09:42 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-23 11:08:23 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-11-20 11:09:41 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-23 11:08:22 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-11-20 11:09:41 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-23 11:08:22 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-01-13 01:15:31 956,688 ----a-w c:\windows\system32\calc.exe
+ 2006-01-13 01:15:31 1,026,320 ----a-w c:\windows\system32\calc.exe
- 2006-01-13 01:49:10 491,008 ----a-w c:\windows\system32\cmd.exe
+ 2006-01-13 01:49:10 663,040 ----a-w c:\windows\system32\cmd.exe
+ 2008-11-23 09:03:43 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-23 09:03:43 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-23 09:03:43 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-11-03 15:10:26 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-03 15:10:26 17,396,160 ----a-w c:\windows\system32\MRT.exe
- 2002-05-29 00:07:11 58,800 ----a-w c:\windows\system32\perfc009.dat
+ 2002-05-29 01:05:27 58,800 ----a-w c:\windows\system32\perfc009.dat
- 2002-05-29 00:07:12 392,626 ----a-w c:\windows\system32\perfh009.dat
+ 2002-05-29 01:05:27 392,626 ----a-w c:\windows\system32\perfh009.dat
- 2006-01-13 01:34:15 85,504 ----a-w c:\windows\system32\regsvr32.exe
+ 2006-01-13 01:34:15 187,904 ----a-w c:\windows\system32\regsvr32.exe
+ 2002-05-29 02:31:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_72c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-14 7275568]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4424944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 434176]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 214424]
"ccPrxy.exe"="ccPrxy.exe" [2002-05-29 c:\windows\system32\ccPrxy.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]
c:\documents and settings\dianne\Start Menu\Programs\Startup\
Multiply AutoUploader.lnk - c:\program files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe [2008-11-23 95232]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\dianne\\Templates\\ldup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\ccPrxy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\BitDefender\\BitDefender 2008\\bdagent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\johogi.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Intelligent Copier - c:\program files\Interdesigner Software\Intelligent Copier\IntelligentCopier.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\dianne\Application Data\Mozilla\Firefox\Profiles\5l0ykisn.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF -: plugin - c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 17:27:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-01 17:32:40
ComboFix-quarantined-files.txt 2008-12-01 17:32:35
ComboFix2.txt 2008-11-23 14:04:46
ComboFix3.txt 2008-11-24 08:16:48
Pre-Run: 4,964,966,400 bytes free
Post-Run: 4,929,835,008 bytes free
297 --- E O F --- 2008-11-23 11:09:00
and, this is the hijackthis.txt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:30 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ccPrxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dianne\Desktop\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ccPrxy.exe] ccPrxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Multiply AutoUploader.lnk = C:\Program Files\Multiply\AutoUploader\Multiply AutoUploader\Multiply AutoUploader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 3994 bytes
I started exactly like you, I received help on the forums and got interested in helpinguhmm.. sir, i'm just curious.. how did you learn all this =D i'm thinking that i want to learn too.. but maybe i'm too dumb or young for this
There are several "schools" on the net that teach you how to do this.
Have a look HERE for more info on them
Step 1
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal
Copy/paste the the following file path into the window
c:\windows\system32\ddnf95.w95
Click Submit/Send File
Please post back, to let me know the results.
If Virustotal is too busy please try Jotti
----------------------------------------------------------- -----------------------------------------------------------
Step 2
Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
- Double-click Flash_Disinfector.exe to run it.
- Follow any prompts that may appear.
- Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
----------------------------------------------------------- -----------------------------------------------------------
Step 3
Custom CFScript
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:File:: c:\windows\system32\ccPrxy.exe c:\windows\keybd.dat c:\windows\ldup.exe c:\windows\sy.exe c:\windows\system32\drivers\johogi.sys Driver:: abp470n5 Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=- [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"=- "ccPrxy.exe"=- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "nlsf"=- "tscuninstall"=- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\uTorrent\\uTorrent.exe"=- "c:\\WINDOWS\\system32\\ccPrxy.exe"=- ADS:: - Save this as CFScript.txt and place it on your desktop.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------- -----------------------------------------------------------
Step 4
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
- Close any open programs.
- Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
----------------------------------------------------------- -----------------------------------------------------------
Step 5
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
- Virus Total Log
- Combofix Log
- Kaspersky Log
- How are things running now ?
