Help! I'm having some crazy issues.

Wildman0420

New member
Hey Forum. I need some help from you guys, I seem to have hit a brick wall.

First off, let me give you some background on the system I am running. It's an Intel Core Duo 2.6 running Windows XP Pro Service Pack 3. For protection I run Spybot S&D, along with Avast antivirus, and PeerGuardian 2. Up until recently I have been safely surfing for almost a year with this configuration. This all changed this morning.
When I logged in this morning, I was greeted by a wonderful fake antivirus program known as Windows Antivirus Pro 2009. It told me that every app on my computer was a known virus and that I needed to give them money to make all the bad things go away. Knowing that something was seriously amiss, I attempted to run a scan with Spybot. When I tried to run Spybot, however, nothing happened. It's still running in my minibar, but I can't run a scan or anything. The same thing with Avast! So I try reinstalling Avast, and it gives me the option for a boot scan. I do this, and come back with 10 viruses, all of which I delete. The Windows Antivirus persists, however, and I end up having to go into safe mode, remove all associated files and regedit all associated entries as well. After this was said and done I rebooted and noticed that while the fake AV software was gone, I still couldn't access the higher functions of both Spybot or Avast. I then noticed something disturbing. When I try to regedit while logged in normally, it says I don't have admin privileges. When I try to access my user accounts in Control Panel, nothing happens. Same with most of my other Control Panel actions. Just nothing happens.
I've read a few other forum posts, and know that you guys need the HijackThis results, but when I tried to run it, it got to where the scan should start, and just disappeared!! Now when I click on it again NOTHING HAPPENS!! I'm going insane, please help me!!

... and when logged into safe mode, none of the control panel functions are working as well!

I've gotten Gmer to run. I'll post the results when finished.

Here's what I was able to get. It eventually quit the app, and now I can't get it to run again.

GMER 1.0.15.15011 [ynnbqzmr.exe] - http://www.gmer.net
Rootkit scan 2009-08-07 05:20:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB57366B8]
SSDT 8A1FBEE0 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5736574]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT 89FDC220 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5736A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB573614C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT 8A1B4F00 ZwLoadDriver
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB573664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB573608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB57360F0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB573676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB573672E]
SSDT 8A036BC0 ZwResumeThread
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB57368AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE8 80504584 4 Bytes JMP BCEEFF81
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMTDI.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\SYMEVENT.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMNDIS.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMFW.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMIDS.SYS The system cannot find the path specified. !
? C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.sys The system cannot find the file specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] GDI32.DLL!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] GDI32.DLL!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5EC880

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom 8A262C50
Device \FileSystem\Udfs \UdfsDisk 8A262C50
Device \Driver\USBSTOR \Device\0000008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS

Device \Driver\Cdrom \Device\CdRom0 8A0120C8
Device \FileSystem\Rdbss \Device\FsWrap 8A2D7578
Device \Driver\Cdrom \Device\CdRom1 8A0120C8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89F42E68
Device \Driver\atapi \Device\Ide\IdePort0 89F42E68
Device \Driver\atapi \Device\Ide\IdePort1 89F42E68
Device \Driver\atapi \Device\Ide\IdePort2 89F42E68
Device \Driver\atapi \Device\Ide\IdePort3 89F42E68
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89F42E68
Device \Driver\Cdrom \Device\CdRom2 8A0120C8
Device \Driver\USBSTOR \Device\00000090 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Srv \Device\LanmanServer 89FE62A0

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A2E1EE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A2E1EE0
Device \FileSystem\Npfs \Device\NamedPipe 8A154358
Device \FileSystem\Msfs \Device\Mailslot 8A00BFB0
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target1Lun0 8A04AC70
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 8A04AC70
Device \Driver\d347prt \Device\Scsi\d347prt1 8A04AC70
Device \Driver\USBSTOR \Device\0000008d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A07CE78
Device \FileSystem\Cdfs \Cdfs 889936A8

---- Modules - GMER 1.0.15 ----

Module _________ B9EE5000-B9EFD000 (98304 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe [304] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [372] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\uTorrent\uTorrent.exe [916] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1376] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1500] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1600] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1664] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1764] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1956] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\PnkBstrA.exe [2052] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2352] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2392] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3040] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\PnkBstrB.exe [3364] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\DNA\btdna.exe [3788] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETaafvnklv.sys (*** hidden *** ) [SYSTEM] SKYNETvpmypdwy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????a??? ?????????????a????(a? ?????????? ?????????????????????????????????????????? ???????a???????????a? ????????N??a???????????a?&????(??a???????e??avast! Mail Scanner??????a?????????????????????????????????s?????????a??????s???LegacyDriver??????N??a????????D?????{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? (??a??????????????avast! Mail Scanner??????a?a?a?a?a?a????C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*??S?????????????????????????????????????????9?9??C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\* /s????CurrentControlSet\Services\dmboot\??????????????? ???????e???a???a??HKEY_LOCAL_MACHINE\Software\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SharedDefs\*???????????a???a??????????????CurrentControlSet\Services\NAVEX15\*?CurrentControlSet\Services\NAVENG\*???????????????????????????????a1\???????a???????????????a?????a???????????????????(?)?*?)?+?+?B?-?-?\?????????????(???*?+?,?*?
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x42 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z1 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z2 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z3 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z4 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43@hj34z0 0x16 0xA4 0x05 0xF3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@imagepath \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@aid 10020
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETcmd.dll \systemroot\system32\SKYNETalnkpkpm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETlog.dat \systemroot\system32\SKYNETbnreabeq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETwsp.dll \systemroot\system32\SKYNEThwymdipu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNET.dat \systemroot\system32\SKYNETqlhmurwu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@imagepath \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@aid 10020
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETcmd.dll \systemroot\system32\SKYNETalnkpkpm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETlog.dat \systemroot\system32\SKYNETbnreabeq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETwsp.dll \systemroot\system32\SKYNEThwymdipu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNET.dat \systemroot\system32\SKYNETqlhmurwu.dat
 
Last edited by a moderator:
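As an added triage example (not part of the original post and not GMER's own code), the script below parses GMER output like the log above and pulls out the indicators a helper reads first: SSDT entries owned by a bare address rather than a named driver, libraries GMER marks hidden together with the processes they were injected into, IAT redirections, and services GMER flags as a rootkit. The sample input is a constructed excerpt that mirrors the line shapes of the posted log; `triage` and `findings` are names chosen here.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict

# Constructed sample: a few lines in the same shape as the posted GMER log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB57366B8]
SSDT 8A1FBEE0 ZwConnectPort
SSDT 89FDC220 ZwCreateThread
SSDT 8A1B4F00 ZwLoadDriver

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [372] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1376] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1956] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETaafvnklv.sys (*** hidden *** ) [SYSTEM] SKYNETvpmypdwy <-- ROOTKIT !!!
"""

# Line shapes taken from the GMER log format shown above.
SSDT_RE = re.compile(r'^SSDT\s+(\S+)\s+(.*)$')
BARE_ADDR_RE = re.compile(r'^[0-9A-Fa-f]{8}$')
ZW_FUNC_RE = re.compile(r'\b(Zw\w+)')
HIDDEN_LIB_RE = re.compile(r'^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]')
IAT_RE = re.compile(r'^IAT (.+?)\[(\d+)\] @ (\S+) \[([^\]]+)\] \[([0-9A-Fa-f]+)\] (\S+)')
ROOTKIT_SVC_RE = re.compile(r'^Service (.+?) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+) <-- ROOTKIT')


def triage(log_text):
    """Pull the high-signal indicators out of a GMER log into a dict."""
    report = {
        "unattributed_ssdt": [],                # (hook address, hooked Zw* function)
        "hidden_libraries": defaultdict(list),  # dll path -> [(host process, pid)]
        "iat_hooks": [],                        # (process, pid, import, redirect target)
        "rootkit_services": [],                 # (service name, image path, account)
    }
    for line in log_text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            owner, rest = m.groups()
            # A named driver (e.g. the avast! self-protection module) is a known
            # hook owner; a bare 8-digit address means GMER could not map the
            # hook to any loaded driver, which is what a kernel rootkit looks like.
            if BARE_ADDR_RE.match(owner):
                func = ZW_FUNC_RE.search(rest)
                report["unattributed_ssdt"].append((owner.upper(), func.group(1) if func else rest))
            continue
        m = HIDDEN_LIB_RE.match(line)
        if m:
            lib, proc, pid = m.groups()
            report["hidden_libraries"][lib].append((proc, int(pid)))
            continue
        m = IAT_RE.match(line)
        if m:
            proc, pid, _module, imp, _addr, target = m.groups()
            report["iat_hooks"].append((proc, int(pid), imp, target))
            continue
        m = ROOTKIT_SVC_RE.match(line)
        if m:
            image, account, name = m.groups()
            report["rootkit_services"].append((name, image, account))
    report["hidden_libraries"] = dict(report["hidden_libraries"])
    return report


def findings(report):
    """Turn the parsed report into one-line findings for a reply or ticket."""
    out = []
    if report["unattributed_ssdt"]:
        names = ", ".join(f for _, f in report["unattributed_ssdt"])
        out.append(f"{len(report['unattributed_ssdt'])} SSDT entries hooked by unnamed kernel code: {names}")
    for lib, hosts in report["hidden_libraries"].items():
        out.append(f"hidden library {lib} injected into {len(hosts)} processes")
    for proc, pid, imp, target in report["iat_hooks"]:
        out.append(f"IAT of {proc} [{pid}] redirects {imp} to {target}")
    for name, image, account in report["rootkit_services"]:
        out.append(f"hidden service {name} ({image}, runs as {account}) flagged as rootkit")
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```

Run it against a saved GMER log by passing the file contents to `triage`; the same hidden-library count across many host processes is the pattern to look for in the full log above.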
Hi,

Download DDS and save it to your desktop (while giving the location, save the file as Wildman.scr) from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
nothing

Hey blade, thanks for coming to help me. I downloaded and named the file as you instructed. However, when I run it, it shows in the process list for a few seconds and then vanishes. Nothing else happens.
 
Hi,

Let's see how it handles this.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)
 
Ok, we got something. However, I was only left with the one text file. Also I cannot run the program again. Here's what I got.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tim at 2009-08-08 05:09:01
Microsoft Windows XP Professional Service Pack 3
System drive C: has 331 GB (54%) free of 610 GB
Total RAM: 2047 MB (80% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD56A320-23F2-42AD-F4E4-00AAC39CAA53}]
C:\WINDOWS\system32\hs7f3uhduhfukde.dll - C:\WINDOWS\system32\hs7f3uhduhfukde.dll [2009-08-06 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2008-12-16 429816]
{3E9D340B-D614-4854-AE06-4218201F6AAE} - LiveInfoPro - C:\Program Files\Internet Explorer\LiveInfoPro\liveinfopro_v1.9.6-1008.dll [2007-12-27 2306048]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-16 16862720]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-10-21 143360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-10-21 172032]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-10-21 143360]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
"LGODDFU"=C:\Program Files\lg_fwupdate\fwupdate.exe [2008-11-23 548864]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-04-19 198160]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]
"ccleaner"=C:\Program Files\CCleaner\CCleaner.exe [2009-06-25 1578736]
"PeerGuardian"=C:\Program Files\PeerGuardian2\pg2.exe [2007-01-30 1432064]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-07-22 323392]
"Windows System Recover!"=C:\DOCUME~1\Tim\LOCALS~1\Temp\debug.exe [2009-08-08 22532]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Bitmeter2.lnk - C:\Program Files\Codebox\BitMeter\BitMeter2.exe
MFWAKeys.lnk - C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Tim\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-10-21 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\hs7f3uhduhfukde.dll [2009-08-06 15000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\Program Files\Freelancer\EXE\Freelancer.exe"="C:\Program Files\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer"
"C:\Program Files\SecondLife\SLVoice.exe"="C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice"
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe"="C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\Program Files\Zultrax P2P\Zultrax.Exe"="C:\Program Files\Zultrax P2P\Zultrax.Exe:*:Enabled:Zultrax"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\Program Files\Codemasters\Worms 4 Mayhem\WORMS 4 MAYHEM.EXE"="C:\Program Files\Codemasters\Worms 4 Mayhem\WORMS 4 MAYHEM.EXE:*:Disabled:Worms 4 Mayhem"
"C:\Documents and Settings\Tim\My Documents\New Folder\PC_Soldiers.of.Fortune.3 Payback -.modded.-.direct.play.-ToeD\SoF3\SoF-Payback\sof3.exe"="C:\Documents and Settings\Tim\My Documents\New Folder\PC_Soldiers.of.Fortune.3 Payback -.modded.-.direct.play.-ToeD\SoF3\SoF-Payback\sof3.exe:*:Enabled:sof3"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\Program Files\Codemasters\DiRT\DiRT.exe"="C:\Program Files\Codemasters\DiRT\DiRT.exe:*:Disabled:DiRT Executable"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Codemasters\GRID\GRID.exe"="C:\Program Files\Codemasters\GRID\GRID.exe:*:Enabled:GRID"
"C:\Documents and Settings\Rob K\Desktop\utorrent.exe"="C:\Documents and Settings\Rob K\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe"="C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe:*:Enabled:Media Player Classic - Homecinema"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\Saints Row 2\SR2_pc.exe"="C:\Program Files\Saints Row 2\SR2_pc.exe:*:Enabled:SR2_pc"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\Program Files\Activision\EF2\EF2.exe"="C:\Program Files\Activision\EF2\EF2.exe:*:Enabled:Elite Force II"
"C:\Program Files\TVUPlayer\TVUPlayer.exe"="C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"C:\Documents and Settings\Tim\My Documents\New Folder\Warhammer_Dawn_of_War_2-WiCKED\DOW2.exe"="C:\Documents and Settings\Tim\My Documents\New Folder\Warhammer_Dawn_of_War_2-WiCKED\DOW2.exe:*:Enabled:DOW2"
"C:\Documents and Settings\Tim\Desktop\Warhammer_Dawn_of_War_2-WiCKED\WiCKED-DOW2\DOW2.exe"="C:\Documents and Settings\Tim\Desktop\Warhammer_Dawn_of_War_2-WiCKED\WiCKED-DOW2\DOW2.exe:*:Enabled:DOW2"
"C:\Documents and Settings\Tim\Desktop\WiCKED-DOW2\DOW2.exe"="C:\Documents and Settings\Tim\Desktop\WiCKED-DOW2\DOW2.exe:*:Disabled:DOW2"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\EA GAMES\Mercenaries 2 World in Flames\Mercenaries2.exe"="C:\Program Files\EA GAMES\Mercenaries 2 World in Flames\Mercenaries2.exe:*:Enabled:Mercenaries 2: World in Flames"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2"
"C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\s2gs.exe"="C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\s2gs.exe:*:Enabled:Sacred 2 Game Server"
"C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\sacred2.exe"="C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\sacred2.exe:*:Enabled:Sacred 2"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.exe - open - C:\WINDOWS\system32\desot.exe "%1" %*

======List of files/folders created in the last 2 months======

2009-08-08 05:09:06 ----D---- C:\Program Files\trend micro
2009-08-08 05:09:01 ----D---- C:\rsit
2009-08-08 04:21:40 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 01:58:53 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-08-07 01:48:30 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-08-07 01:48:29 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2009-08-07 01:44:22 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-08-07 01:42:56 ----D---- C:\Documents and Settings\Tim\Application Data\GetRightToGo
2009-08-06 17:37:44 ----D---- C:\WINDOWS\CSC
2009-08-06 17:31:48 ----A---- C:\windows-kb890830-v2.12.exe
2009-08-06 17:01:18 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-06 16:33:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-06 16:08:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-06 16:07:54 ----D---- C:\Documents and Settings\Tim\Application Data\PC Tools
2009-08-06 10:05:27 ----A---- C:\WINDOWS\system32\temp.exe
2009-08-06 10:01:34 ----A---- C:\WINDOWS\system32\desot.exe
2009-08-06 10:01:07 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-06 10:00:29 ----A---- C:\nnnivl.exe
2009-08-06 10:00:19 ----A---- C:\shbnoqx.exe
2009-08-06 10:00:06 ----A---- C:\WINDOWS\system32\hs7f3uhduhfukde.dll
2009-08-06 10:00:05 ----A---- C:\hbywcp.exe
2009-08-06 10:00:04 ----A---- C:\WINDOWS\system32\SKYNEThwymdipu.dll
2009-08-06 10:00:03 ----A---- C:\WINDOWS\system32\SKYNETalnkpkpm.dll
2009-08-06 09:59:56 ----A---- C:\WINDOWS\system32\samsvc.exe
2009-08-04 12:56:01 ----D---- C:\Program Files\City Interactive
2009-08-04 04:44:49 ----D---- C:\Program Files\Vendetta Online
2009-08-03 02:58:51 ----D---- C:\Program Files\Driving Simulator 2009
2009-07-28 05:18:51 ----D---- C:\Documents and Settings\Tim\Application Data\LucasArts
2009-07-28 05:15:14 ----D---- C:\Program Files\Secret Of Monkey Island SE
2009-07-27 03:05:08 ----A---- C:\WINDOWS\Runservice.exe
2009-07-27 03:05:08 ----A---- C:\WINDOWS\mmfs.dll
2009-07-27 02:55:36 ----D---- C:\Program Files\Battlefront
2009-07-22 02:39:06 ----D---- C:\Program Files\DNA
2009-07-22 02:39:06 ----D---- C:\Documents and Settings\Tim\Application Data\DNA
2009-07-17 03:24:31 ----D---- C:\Documents and Settings\All Users\Application Data\Ubisoft
2009-07-16 03:01:47 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:01:43 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-14 00:13:49 ----D---- C:\Documents and Settings\Tim\Application Data\vlc
2009-07-13 21:39:13 ----D---- C:\Program Files\Virtual Earth 3D
2009-07-10 01:21:17 ----D---- C:\Program Files\Velvet Assassin
2009-07-08 22:31:52 ----D---- C:\Documents and Settings\Tim\Application Data\Ubisoft
2009-07-08 21:13:35 ----D---- C:\WINDOWS\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2009-07-03 18:19:57 ----D---- C:\Program Files\Common Files\DivX Shared
2009-07-03 02:49:44 ----D---- C:\Program Files\Flagship Studios
2009-07-03 01:55:54 ----HD---- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-07-02 04:27:11 ----D---- C:\WINDOWS\Sins of a Solar Empire
2009-07-02 04:27:11 ----D---- C:\Program Files\Sins of a Solar Empire
2009-07-02 03:50:19 ----D---- C:\WINDOWS\E4D153288C89484BB9AAF5BE9EA6D01C.TMP
2009-07-01 23:38:54 ----D---- C:\Program Files\1C Company
2009-07-01 23:19:32 ----D---- C:\Program Files\Nobilis
2009-07-01 23:03:25 ----D---- C:\Program Files\Strategy First
2009-07-01 22:39:55 ----D---- C:\Program Files\Sierra
2009-07-01 04:16:51 ----D---- C:\Program Files\ZenoClash
2009-07-01 03:32:47 ----A---- C:\WINDOWS\unvise32.exe
2009-07-01 03:30:31 ----D---- C:\Program Files\Postal2STP
2009-06-29 03:57:16 ----D---- C:\Program Files\Common Files\DirectX
2009-06-28 02:28:49 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2009-06-28 02:28:49 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2009-06-28 02:28:47 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2009-06-28 02:28:46 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2009-06-23 03:19:14 ----D---- C:\Program Files\Mad Scientist Productions
2009-06-21 05:02:03 ----D---- C:\Program Files\Hinterland
2009-06-10 03:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 03:02:22 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-06-10 03:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 03:00:16 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$

======List of files/folders modified in the last 2 months======

2009-08-08 05:09:08 ----D---- C:\Program Files\PeerGuardian2
2009-08-08 05:09:06 ----RD---- C:\Program Files
2009-08-08 05:08:49 ----D---- C:\Documents and Settings\All Users\Application Data\Bitmeter2
2009-08-08 04:40:59 ----D---- C:\Program Files\Mozilla Firefox
2009-08-08 04:36:28 ----D---- C:\WINDOWS\Prefetch
2009-08-08 04:36:20 ----D---- C:\Program Files\Paint Shop Pro 6
2009-08-08 04:32:41 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-08 04:30:14 ----D---- C:\WINDOWS\Temp
2009-08-08 04:30:12 ----D---- C:\WINDOWS
2009-08-07 14:18:28 ----D---- C:\Documents and Settings\Tim\Application Data\uTorrent
2009-08-07 08:23:59 ----D---- C:\Program Files\WinRAR
2009-08-07 08:23:57 ----SHD---- C:\System Volume Information
2009-08-07 08:22:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-07 08:18:48 ----D---- C:\Documents and Settings\Tim\Application Data\WinRAR
2009-08-07 05:27:07 ----D---- C:\Program Files\LimeWire
2009-08-07 04:43:04 ----D---- C:\Program Files\EA GAMES
2009-08-07 04:41:55 ----SHD---- C:\WINDOWS\Installer
2009-08-07 04:40:58 ----D---- C:\Program Files\Ubisoft
2009-08-07 04:40:57 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-07 04:29:17 ----D---- C:\WINDOWS\system32\drivers
2009-08-07 04:28:53 ----D---- C:\WINDOWS\system32
2009-08-07 04:28:53 ----D---- C:\Program Files\Common Files
2009-08-07 04:28:50 ----HD---- C:\WINDOWS\inf
2009-08-07 04:26:17 ----D---- C:\Games
2009-08-07 04:24:10 ----D---- C:\WINDOWS\Debug
2009-08-07 03:57:02 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-08-06 18:12:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-06 18:12:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-06 17:59:12 ----SD---- C:\WINDOWS\Tasks
2009-08-06 17:58:00 ----D---- C:\WINDOWS\Network Diagnostic
2009-08-06 16:53:29 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-06 16:52:33 ----D---- C:\WINDOWS\system
2009-08-06 14:28:33 ----SHD---- C:\RECYCLER
2009-08-06 14:24:15 ----D---- C:\Documents and Settings
2009-08-06 12:02:58 ----D---- C:\WINDOWS\system32\config
2009-08-06 10:01:21 ----D---- C:\Program Files\lg_fwupdate
2009-08-06 10:01:20 ----A---- C:\WINDOWS\lgfwup.ini
2009-08-06 10:00:21 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-06 10:00:20 ----D---- C:\Program Files\Internet Explorer
2009-08-04 13:04:38 ----D---- C:\WINDOWS\system32\DirectX
2009-08-04 13:04:22 ----RSD---- C:\WINDOWS\assembly
2009-08-04 08:54:32 ----D---- C:\Documents and Settings\Tim\Application Data\dvdcss
2009-08-02 02:07:32 ----D---- C:\Program Files\Microsoft Silverlight
2009-08-01 10:34:30 ----D---- C:\Documents and Settings\Tim\Application Data\LimeWire
2009-07-30 08:52:12 ----D---- C:\Program Files\Telltale Games
2009-07-30 01:21:48 ----HD---- C:\WINDOWS\msdownld.tmp
2009-07-29 03:00:32 ----D---- C:\WINDOWS\system32\en-US
2009-07-29 03:00:23 ----D---- C:\WINDOWS\ie7updates
2009-07-29 03:00:16 ----D---- C:\WINDOWS\WinSxS
2009-07-28 05:51:22 ----D---- C:\Program Files\LucasArts
2009-07-22 05:55:30 ----D---- C:\Movies -n- Stuff
2009-07-19 09:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-13 23:27:09 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-13 23:27:07 ----D---- C:\Program Files\Common Files\Adobe
2009-07-13 23:27:05 ----D---- C:\Program Files\Adobe
2009-07-13 21:55:31 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-13 21:39:52 ----SD---- C:\Documents and Settings\Tim\Application Data\Microsoft
2009-07-08 21:13:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-08 20:30:21 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-06 05:40:51 ----D---- C:\Program Files\DivX
2009-07-06 03:13:31 ----D---- C:\Program Files\Codemasters
2009-07-04 17:44:18 ----D---- C:\Documents and Settings\All Users\Application Data\


That's all I was able to get.
 
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

µTorrent
BitLord
BitTorrent
DNA
eMule
LimeWire
Vuze


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above.


Empty Recycle Bin.

After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log (if you're able to run DDS now).


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Ok, I wasn't even aware of any P2P programs except uTorrent. I deleted it as best I could. However, I couldn't use Add/Remove Programs. When I clicked on it, nothing happened.

Also, I downloaded ComboFix, read the instructions and disabled all antivirus and firewalls. When I ran the program, I get a small progress bar. It fills up and then it disappears. Attempting to re-run it gets the same results.
 
Hi,

Let's try this.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download ComboFix from any of the links below. You must rename it before saving it (use Wildman.exe as the name). Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Wildman.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt. See if you're able to make DDS run.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
Hi,

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Go to C:\Documents and Settings\All Users\Application Data folder and move folders that have nothing but digits (e.g. 23812491) in their name to your desktop.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.
 
I am unable to show the hidden files! When I go into My Computer and select Tools, I have only three options: Map Network Drive, Disconnect Network Drive, and Synchronize. There is no Folder Options.

I went ahead and downloaded Malwarebytes' Anti-Malware, installed it, and ran it. It got to the point after I selected the drive to scan and hit OK, and then the program closed. Now it is acting as the other programs do, and will not run.
 
Hi,

Download the attached zip file and extract it to the root of your C: drive (c:\). When done, go to c:\ and double-click the extracted file. When done, try to run the renamed ComboFix again.

Note: the attached file is meant to be used only in this specific case. Using it on some other system may harm that system.
 
Nothing seemed to happen when I ran the XP fix, and then when I tried to run ComboFix, I still get a progress bar that fills, then disappears. I'm now getting occasional popups of Internet Explorer, and I'm hearing sound at times when none should be playing as well.
 
Hi,

Trying to figure out something. Do you have your Windows media available?
 
Hi,

I meant if you have Windows OS media available, not Windows Media Player :). Hopefully you have the disc.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    scecli.dll
    winnt32.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I cannot find my windows disc. I know it's around here somewhere!

Here are the results of that scan:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 13:38 on 09/08/2009 by Tim (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-
 
Hi,

Upload the following files to VirusTotal and post back the results or links to the results:
C:\WINDOWS\system32\dllcache\scecli.dll
C:\WINDOWS\system32\scecli.dll

We'll see if media is needed or not.
 
Ok, the first scan came back as such

File scecli.dll received on 2009.04.27 04:21:18 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Additional information
File size: 181248 bytes
MD5 : a86bb5e61bf3e39b62ab4c7e7085a084
SHA1 : 3a3535122da168a549d2007123e9ae06146f2002
SHA256: b88446e007153bb58c5ae867ac3fb4c46618bbaa5a152687201e0e81f881465a


Then the second scan came back with only this:

0 bytes size received / Se ha recibido un archivo vacio
 
Hi,

Next, I'll need you to make some preparations, since I'm going to ask you to disconnect the system from the network (= pull the network cable out). I recommend you print/save these instructions so that you can access them while disconnected from the network (or you may read the instructions through your other system, if you have more than the one we're currently cleaning).


Before disconnecting, do the following two (2) steps:
1. Make sure you have Malwarebytes' Anti-Malware setup file ready. If it isn't on your machine anymore, download it again.
2. Download ComboFix from any of these links and save it, renamed, to the Desktop:
Link 1
Link 2

When you have Malwarebytes' Anti-Malware setup file and renamed ComboFix file on your desktop, disconnect the machine from network.

========To be done offline begins==========

1. The next steps will need to be done in Safe Mode with Command Prompt (print/save these, since you won't be able to access them while in safe mode):

Press F8 before Windows' loading screen and select the Safe Mode with Command Prompt option.
Then type the following commands carefully (if anything turns up with these, please stop, note the error down and let me know):
  • c:
  • cd\
  • ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir
  • copy C:\WINDOWS\system32\dllcache\scecli.dll C:\WINDOWS\system32\scecli.dll

While still being disconnected from network, reboot back into normal mode.

Do the next two things only if the Safe Mode with Command Prompt part went without issues; otherwise report what problem you had:
a) Run Malwarebytes' Anti-Malware (MBAM) with full scan and let it delete its findings.
b) Run ComboFix.

========To be done offline ends==========

When done, post back MBAM & ComboFix logs.
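As an added check (my example, not from the thread or from SystemLook/ComboFix), the script below generalises the comparison made above: every file in system32 that has a dllcache copy is compared by size and MD5, and a live copy that cannot be read is reported as a finding in its own right, as the "Unable to calculate MD5" line for scecli.dll was. It runs against a constructed system32/dllcache pair so it works offline; on a real XP machine you would point compare_against_cache at C:\WINDOWS\system32 and C:\WINDOWS\system32\dllcache.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Finding:
    name: str
    status: str  # match | missing | unreadable | size_mismatch | hash_mismatch
    live_size: Optional[int] = None
    cache_size: Optional[int] = None
    live_md5: Optional[str] = None
    cache_md5: Optional[str] = None

def md5_of(path: str) -> Optional[str]:
    """Hex MD5 of a file, or None if it cannot be opened or read. None is itself
    a signal: SystemLook reported "Unable to calculate MD5" for the live scecli.dll."""
    try:
        h = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None

def compare_against_cache(system_dir: str, cache_dir: str,
                          names: Optional[List[str]] = None) -> List[Finding]:
    """Compare files in system_dir (default: every name in cache_dir) with their
    dllcache copies. Precedence: missing > unreadable > size_mismatch > hash_mismatch > match."""
    findings = []
    for name in (sorted(os.listdir(cache_dir)) if names is None else names):
        cache_path = os.path.join(cache_dir, name)
        live_path = os.path.join(system_dir, name)
        cache_size, cache_md5 = os.path.getsize(cache_path), md5_of(cache_path)
        if not os.path.exists(live_path):
            findings.append(Finding(name, "missing", None, cache_size, None, cache_md5))
            continue
        live_size, live_md5 = os.path.getsize(live_path), md5_of(live_path)
        if live_md5 is None:
            status = "unreadable"
        elif live_size != cache_size:
            status = "size_mismatch"
        elif live_md5 != cache_md5:
            status = "hash_mismatch"
        else:
            status = "match"
        findings.append(Finding(name, status, live_size, cache_size, live_md5, cache_md5))
    return findings

def run_demo() -> Dict[str, str]:
    """Build a constructed system32/dllcache pair (sample bytes, not real DLLs) in a
    temp dir and return {name: status}: one intact file, one whose live copy is a
    different size (as scecli.dll was above), one altered at the same size, one absent."""
    samples = {"intact.dll": (b"A" * 64, b"A" * 64),
               "scecli.dll": (b"B" * 16, b"B" * 64),
               "patched.dll": (b"C" * 63 + b"X", b"C" * 64),
               "gone.dll": (None, b"D" * 64)}
    with tempfile.TemporaryDirectory() as tmp:
        sys_dir = os.path.join(tmp, "system32")
        cache_dir = os.path.join(sys_dir, "dllcache")
        os.makedirs(cache_dir)
        for name, (live, cached) in samples.items():
            with open(os.path.join(cache_dir, name), "wb") as fh:
                fh.write(cached)
            if live is not None:
                with open(os.path.join(sys_dir, name), "wb") as fh:
                    fh.write(live)
        return {f.name: f.status for f in compare_against_cache(sys_dir, cache_dir)}

if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:12s} {status}")
```

A dllcache copy is only a reference, not proof of cleanliness; a mismatch tells you which files to check against a known-good source (or VirusTotal, as done above), not that the cached copy is trustworthy.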
 