Virtumonde, System Doctor Pop-ups & Possibly More


11 replies to this topic

#1 Freakeh


Posted 28 August 2007 - 12:48 AM

Got what seems to be a re-infection of Virtumonde and a stubborn System Doctor pop-up problem, and after doing the usual mix of Ad-Aware, Spybot and AVG Anti-Virus, it's being stubborn and won't be removed. Spybot finds Virtumonde but informs me that it cannot remove it and will start up after a restart; it does this but cannot find anything in its pre-Windows loading scan. As I mentioned, I also keep getting random System Doctor pop-ups in Firefox, and after closing Firefox I get an error of some sort that I assume is connected to this infection.

Anyway, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:57 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Documents and Settings\Freakeh\Desktop\stinger.exe
C:\Documents and Settings\Freakeh\Desktop\abc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C8A6A57-2435-4863-810F-2640325F3D39} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\omncwyxl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E6A7D63-0F09-4450-90CE-902AB5CEA02A} - C:\WINDOWS\system32\ddayy.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\WINDOWS\system32\pmnopom.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9FE8C2F9-DB82-4E82-A928-4C4767BCA05B} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: VersionTracker Pro.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: pmnopom - C:\WINDOWS\SYSTEM32\pmnopom.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: winjws32 - winjws32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe


#2 RichieUK


Posted 28 August 2007 - 04:53 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Freakeh :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#3 Freakeh


Posted 28 August 2007 - 05:55 AM

Log Of VundoFix
VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:14:01 PM 8/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\sstwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\awtss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\sstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Edited by Freakeh, 28 August 2007 - 06:00 AM.
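As an added example (not HijackThis, VundoFix or the poster's own code), a small Python triage script over the log formats shown in posts #1 and #3: it parses O2 (BHO) and O20 (Winlogon Notify) entries, flags unnamed BHOs loaded from system32 and Winlogon Notify DLLs that double as those BHOs (the pmkhi.dll/pmnopom.dll pairing in the first log), lists orphaned "(no file)"/"(file missing)" registrations, and pairs a DLL with companion files whose name is the DLL name reversed, as VundoFix found with awtss.dll beside sstwa.ini and sstwa.bak1. The heuristics and the sample lines are constructed from this thread's logs and are illustrative, not a general Vundo detector.

```python
"""Triage helper for the HijackThis and VundoFix output shown in this thread.

Added example; not part of HijackThis, VundoFix or the forum posts. The
heuristics are illustrative, built only from what the logs above show.
"""
import re

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2C8A6A57-2435-4863-810F-2640325F3D39} - C:\\WINDOWS\\system32\\pmkhi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {6E6A7D63-0F09-4450-90CE-902AB5CEA02A} - C:\\WINDOWS\\system32\\ddayy.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B3F8A93-933C-4DDA-B24C-AEB0697C132A} - C:\\WINDOWS\\system32\\pmnopom.dll
O20 - Winlogon Notify: pmkhi - C:\\WINDOWS\\system32\\pmkhi.dll
O20 - Winlogon Notify: pmnopom - C:\\WINDOWS\\SYSTEM32\\pmnopom.dll
O20 - Winlogon Notify: WBSrv - C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\wbsrv.dll
O20 - Winlogon Notify: winjws32 - winjws32.dll (file missing)
"""

# Constructed sample: the file names VundoFix listed in post #3, plus pmkhi.dll.
SAMPLE_FILES = ["awtss.dll", "sstwa.bak1", "sstwa.ini", "pmkhi.dll"]

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$")
STATUS_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<status>no file|file missing)\)$")


def split_status(rest):
    """Split 'path (file missing)' into (path, status); status is None if absent."""
    m = STATUS_RE.match(rest)
    return (m.group("path"), m.group("status")) if m else (rest, None)


def in_system32(path):
    return "\\system32\\" in path.lower()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text):
    """Return (line, reason) findings for the O2 and O20 entries of a HijackThis log."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append((line, m.group("name")) + split_status(m.group("rest")))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((line, m.group("name")) + split_status(m.group("rest")))
    # DLLs registered as a BHO with no name and living in system32. Spybot's
    # SDHelper.dll is also unnamed, so the path check is what separates it.
    unnamed_sys32 = {basename(p) for _, n, p, s in bhos
                     if n == "(no name)" and s is None and in_system32(p)}
    findings = []
    for line, name, path, status in bhos:
        if status is not None:
            findings.append((line, "orphaned BHO registration: " + status))
        elif name == "(no name)" and in_system32(path):
            findings.append((line, "unnamed BHO loaded from system32"))
    for line, name, path, status in notifies:
        if status is not None:
            findings.append((line, "orphaned Winlogon Notify entry: " + status))
        elif basename(path) in unnamed_sys32:
            findings.append((line, "Winlogon Notify DLL is also an unnamed BHO"))
    return findings


def reversed_name_pairs(filenames):
    """Pair each .dll with companion files whose stem is the DLL's stem reversed.

    VundoFix's listing in post #3 shows the pattern: awtss.dll next to
    sstwa.ini and sstwa.bak1.
    """
    by_stem = {}
    for f in filenames:
        by_stem.setdefault(f.lower().rpartition(".")[0], []).append(f)
    pairs = []
    for f in filenames:
        stem, _, ext = f.lower().rpartition(".")
        if ext != "dll":
            continue
        for companion in by_stem.get(stem[::-1], []):
            if companion != f:
                pairs.append((f, companion))
    return sorted(pairs)


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}] {line}")
    for dll, companion in reversed_name_pairs(SAMPLE_FILES):
        print(f"[reversed-name companion] {dll} <-> {companion}")
```

Feed it a full HijackThis log and a `dir /b C:\WINDOWS\system32` listing to get the same two views the helper worked from by eye in this thread.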


#4 RichieUK


Posted 28 August 2007 - 06:10 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following blue text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\ihtboxod.dll
C:\WINDOWS\system32\omncwyxl.dll
C:\WINDOWS\system32\tempfn.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\gb123.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\drvlewr.dll
C:\WINDOWS\system32\drvlew.dll
C:\WINDOWS\system32\pmnopom.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
Also post a new Hijackthis log.

#5 Freakeh


Posted 28 August 2007 - 08:00 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fhmhjpma

*******************

Script file located at: \??\C:\lowdxeeq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ihtboxod.dll deleted successfully.
File C:\WINDOWS\system32\omncwyxl.dll deleted successfully.
File C:\WINDOWS\system32\tempfn.dll deleted successfully.
File C:\WINDOWS\system32\ocxloader.exe deleted successfully.
File C:\WINDOWS\system32\ocxapi.dll deleted successfully.
File C:\WINDOWS\system32\gb123.exe deleted successfully.
File C:\WINDOWS\system32\qmopt.dll deleted successfully.
File C:\WINDOWS\system32\drvlewr.dll deleted successfully.
File C:\WINDOWS\system32\drvlew.dll deleted successfully.
File C:\WINDOWS\system32\pmnopom.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:46 AM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: VersionTracker Pro.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6439 bytes


Thanks so far.

#6 RichieUK


Posted 29 August 2007 - 04:54 AM

Download Systemscan and save it to your desktop.
Double-click on Systemscan.exe to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects


Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

#7 Freakeh


Posted 29 August 2007 - 07:50 PM

SystemScan - www.suspectfile.com - ver. 3.2.0

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS

Date: 8/29/2007
Time: 8:27:15 PM

Output limited to:
-Recent files
-PC accounts
-Hidden objects

===================== Accounts on this PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | Freakeh
| Guest
| HelpAssistant (Disabled)
| SUPPORT_388945a0 (Disabled)

### users folders

16/07/2007 21:18:48 (DIR) 0 byte 44 days old -- All Users
16/07/2007 21:19:30 (DIR) 0 byte 44 days old -- Default User
16/07/2007 22:46:00 (DIR) 0 byte 44 days old -- LocalService
16/07/2007 22:46:00 (DIR) 0 byte 44 days old -- NetworkService
28/08/2007 17:13:29 (DIR) 0 byte 1 days old -- Freakeh

===================== Recent files (60 days old)=====================

----- recent files in C:\
16/07/2007 21:19:23 0 byte 44 days old -- CONFIG.SYS
16/07/2007 21:19:23 0 byte 44 days old -- IO.SYS
16/07/2007 21:19:23 0 byte 44 days old -- MSDOS.SYS
16/07/2007 21:19:23 0 byte 44 days old -- AUTOEXEC.BAT
16/07/2007 21:58:50 (DIR) 0 byte 44 days old -- Documents and Settings
16/07/2007 22:44:58 (DIR) 0 byte 44 days old -- RECYCLER
17/07/2007 19:16:31 (DIR) 0 byte 43 days old -- VTPFiles
30/07/2007 19:17:22 (DIR) 0 byte 30 days old -- MSOCache
25/08/2007 11:56:41 4527 byte 4 days old -- cc_20070816_1109.reg
25/08/2007 14:35:36 (DIR) 0 byte 4 days old -- $VAULT$.AVG
26/08/2007 16:17:51 (DIR) 0 byte 3 days old -- Fraps
27/08/2007 14:21:50 223 byte 2 days old -- boot.ini
28/08/2007 17:01:06 (DIR) 0 byte 1 days old -- VundoFix Backups
28/08/2007 20:08:52 (DIR) 0 byte 1 days old -- Deckard
28/08/2007 20:09:06 (DIR) 0 byte 1 days old -- System Volume Information
28/08/2007 20:11:42 (DIR) 0 byte 1 days old -- Program Files
28/08/2007 20:17:26 695 byte 1 days old -- VundoFix.txt
29/08/2007 10:23:12 2134 byte 0 days old -- avenger.txt
29/08/2007 10:23:30 1048576000 byte 0 days old -- pagefile.sys
29/08/2007 10:23:42 (DIR) 0 byte 0 days old -- avenger
29/08/2007 13:39:33 (DIR) 0 byte 0 days old -- WINDOWS
29/08/2007 18:08:26 (DIR) 0 byte 0 days old -- Config.Msi
29/08/2007 20:27:15 (DIR) 0 byte 0 days old -- suspectfile

----- recent files in C:\WINDOWS\
30/07/2007 19:20:53 (DIR) 0 byte 30 days old -- SHELLNEW
15/08/2007 09:49:59 (DIR) 0 byte 14 days old -- SWAT 4
15/08/2007 11:11:48 (DIR) 0 byte 14 days old -- $NtUninstallKB936782_WMP11$
15/08/2007 11:13:24 (DIR) 0 byte 14 days old -- $NtUninstallKB938829$
15/08/2007 11:13:28 (DIR) 0 byte 14 days old -- $NtUninstallKB921503$
15/08/2007 11:13:48 (DIR) 0 byte 14 days old -- $NtUninstallKB938828$
15/08/2007 11:13:51 (DIR) 0 byte 14 days old -- $NtUninstallKB936021$
16/08/2007 11:08:40 (DIR) 0 byte 13 days old -- Debug
17/08/2007 14:25:23 (DIR) 0 byte 12 days old -- Icons
19/08/2007 19:13:24 (DIR) 0 byte 10 days old -- assembly
24/08/2007 16:32:45 (DIR) 0 byte 5 days old -- Help
25/08/2007 15:51:19 4096 byte 4 days old -- d3dx.dat
26/08/2007 16:17:06 69 byte 3 days old -- NeroDigital.ini
27/08/2007 12:25:43 2820 byte 2 days old -- mozver.dat
27/08/2007 12:50:54 422 byte 2 days old -- wininit.ini
27/08/2007 13:35:44 (DIR) 0 byte 2 days old -- WinSxS
27/08/2007 14:21:50 227 byte 2 days old -- system.ini
27/08/2007 14:21:50 507 byte 2 days old -- win.ini
27/08/2007 14:59:24 268 byte 2 days old -- _delis32.ini
27/08/2007 18:10:36 967 byte 2 days old -- ScUnin.pif
27/08/2007 18:10:36 94208 byte 2 days old -- ScUnin.exe
27/08/2007 18:10:37 35382 byte 2 days old -- scunin.dat
28/08/2007 14:58:40 (DIR) 0 byte 1 days old -- PIF
28/08/2007 20:09:11 (DIR) 0 byte 1 days old -- ERDNT
28/08/2007 20:10:19 (DIR) 0 byte 1 days old -- Downloaded Program Files
28/08/2007 20:18:54 0 byte 1 days old -- Sti_Trace.log
29/08/2007 10:21:50 10742 byte 0 days old -- SchedLgU.Txt
29/08/2007 10:23:33 2048 byte 0 days old -- bootstat.dat
29/08/2007 10:23:51 0 byte 0 days old -- 0.log
29/08/2007 12:44:49 1409 byte 0 days old -- QTFont.for
29/08/2007 12:44:49 54156 byte 0 days old -- QTFont.qfn
29/08/2007 12:46:09 39 byte 0 days old -- cookies.ini
29/08/2007 13:38:49 (DIR) 0 byte 0 days old -- LastGood
29/08/2007 13:38:50 (DIR) 0 byte 0 days old -- $hf_mig$
29/08/2007 13:39:14 (DIR) 0 byte 0 days old -- $NtUninstallKB933360$
29/08/2007 13:39:16 0 byte 0 days old -- setuperr.log
29/08/2007 13:39:16 0 byte 0 days old -- setupact.log
29/08/2007 13:39:17 21219 byte 0 days old -- KB933360.log
29/08/2007 13:39:17 1374 byte 0 days old -- imsins.BAK
29/08/2007 13:39:32 (DIR) 0 byte 0 days old -- $NtUninstallKB939683$
29/08/2007 13:39:33 (DIR) 0 byte 0 days old -- inf
29/08/2007 13:39:33 1374 byte 0 days old -- imsins.log
29/08/2007 13:39:33 684 byte 0 days old -- ocmsn.log
29/08/2007 13:39:33 12366 byte 0 days old -- FaxSetup.log
29/08/2007 13:39:33 6212 byte 0 days old -- ocgen.log
29/08/2007 13:39:33 1994 byte 0 days old -- iis6.log
29/08/2007 13:39:33 7528 byte 0 days old -- KB939683.log
29/08/2007 13:39:33 618 byte 0 days old -- msgsocm.log
29/08/2007 13:39:33 4120 byte 0 days old -- comsetup.log
29/08/2007 13:39:33 32256 byte 0 days old -- setupapi.log
29/08/2007 13:39:33 4718 byte 0 days old -- tsoc.log
29/08/2007 13:39:33 2494 byte 0 days old -- ntdtcsetup.log
29/08/2007 13:54:58 (DIR) 0 byte 0 days old -- Temp
29/08/2007 18:08:08 (DIR) 0 byte 0 days old -- Prefetch
29/08/2007 18:08:36 (DIR) 0 byte 0 days old -- Installer
29/08/2007 19:22:55 1169707 byte 0 days old -- WindowsUpdate.log
29/08/2007 20:27:09 (DIR) 0 byte 0 days old -- system32
11/08/2007 10:33:13 (DIR) 0 byte 18 days old -- $NtUninstallKB922120$

----- recent files in C:\WINDOWS\Downloaded Program Files\
16/07/2007 21:18:41 65 byte 44 days old -- desktop.ini

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
03/08/2007 14:04:10 16789464 byte 26 days old -- MRT.exe
16/07/2007 20:01:10 984576 byte 44 days old -- syssetup.dll
16/07/2007 20:01:25 1580544 byte 44 days old -- sfcfiles.dll
16/07/2007 21:16:46 (DIR) 0 byte 44 days old -- MsDtc
16/07/2007 21:16:49 21640 byte 44 days old -- emptyregdb.dat
16/07/2007 21:17:29 (DIR) 0 byte 44 days old -- Macromed
16/07/2007 21:18:05 (DIR) 0 byte 44 days old -- oobe
16/07/2007 21:18:36 749 byte 44 days old -- sapi.cpl.manifest
16/07/2007 21:18:36 749 byte 44 days old -- nwc.cpl.manifest
16/07/2007 21:18:36 749 byte 44 days old -- cdplayer.exe.manifest
16/07/2007 21:18:36 749 byte 44 days old -- ncpa.cpl.manifest
16/07/2007 21:18:36 749 byte 44 days old -- wuaucpl.cpl.manifest
16/07/2007 21:18:41 488 byte 44 days old -- WindowsLogon.manifest
16/07/2007 21:18:41 488 byte 44 days old -- logonui.exe.manifest
16/07/2007 21:19:07 (DIR) 0 byte 44 days old -- ias
16/07/2007 21:19:23 2577 byte 44 days old -- CONFIG.NT
16/07/2007 21:19:31 (DIR) 0 byte 44 days old -- xircom
16/07/2007 21:19:31 (DIR) 0 byte 44 days old -- wbem
16/07/2007 21:21:05 261 byte 44 days old -- $winnt$.inf
16/07/2007 21:56:32 (DIR) 0 byte 44 days old -- Microsoft
16/07/2007 22:24:16 (DIR) 0 byte 44 days old -- SoftwareDistribution
16/07/2007 22:28:33 13646 byte 44 days old -- wpa.bak
16/07/2007 22:46:17 348160 byte 44 days old -- msvcr71.dll
16/07/2007 22:51:49 (DIR) 0 byte 44 days old -- PreInstall
16/07/2007 22:56:57 (DIR) 0 byte 44 days old -- RTCOM
16/07/2007 22:59:53 (DIR) 0 byte 44 days old -- Lang
16/07/2007 22:59:56 146650 byte 44 days old -- BuzzingBee.wav
16/07/2007 22:59:56 940794 byte 44 days old -- LoopyMusic.wav
16/07/2007 23:06:12 (DIR) 0 byte 44 days old -- LogFiles
16/07/2007 23:07:19 16832 byte 44 days old -- amcompat.tlb
16/07/2007 23:07:19 23392 byte 44 days old -- nscompat.tlb
16/07/2007 23:15:05 (DIR) 0 byte 44 days old -- Com
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 3076
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- ShellExt
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 2052
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- IME
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- inetsrv
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1025
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1031
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1028
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- dhcp
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 3com_dmi
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1037
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1054
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- wins
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- export
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1042
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- 1041
17/07/2007 06:22:56 (DIR) 0 byte 43 days old -- 1033
17/07/2007 06:23:20 (DIR) 0 byte 43 days old -- icsxml
17/07/2007 06:23:24 (DIR) 0 byte 43 days old -- ras
17/07/2007 06:24:29 (DIR) 0 byte 43 days old -- npp
17/07/2007 06:25:02 (DIR) 0 byte 43 days old -- Setup
17/07/2007 06:25:03 (DIR) 0 byte 43 days old -- usmt
17/07/2007 06:43:59 0 byte 43 days old -- h323log.txt
17/07/2007 12:56:43 (DIR) 0 byte 43 days old -- mui
17/07/2007 12:58:41 (DIR) 0 byte 43 days old -- spool
17/07/2007 12:59:26 (DIR) 0 byte 43 days old -- XPSViewer
17/07/2007 16:44:40 108144 byte 43 days old -- CmdLineExt.dll
17/07/2007 18:56:53 10752 byte 43 days old -- BASSMOD.dll
17/07/2007 19:22:31 (DIR) 0 byte 43 days old -- VITrans
17/07/2007 20:34:17 (DIR) 0 byte 43 days old -- en-us
18/07/2007 22:12:22 60416 byte 42 days old -- tzchange.exe
19/07/2007 16:29:59 3583488 byte 41 days old -- mshtml.dll
20/07/2007 16:02:09 3460 byte 40 days old -- jupdate-1.5.0_03-b07.log
20/07/2007 17:43:42 688 byte 40 days old -- mystify1.reg
20/07/2007 20:58:42 19880 byte 40 days old -- BUBBLES.SCR-05525C31.pf
20/07/2007 20:59:00 18172 byte 40 days old -- RIBBONS.SCR-117AF7A7.pf
20/07/2007 20:59:34 17572 byte 40 days old -- MYSTIFY.SCR-27E148C8.pf
20/07/2007 21:04:58 58666 byte 40 days old -- AURORA.SCR-0A2D0D7C.pf
20/07/2007 21:54:52 1679360 byte 40 days old -- aurora.scr
21/07/2007 15:34:15 4937 byte 39 days old -- jupdate-1.6.0_02-b06.log
30/07/2007 19:18:14 20312 byte 30 days old -- wuaueng.dll.mui
30/07/2007 19:18:40 33624 byte 30 days old -- wups.dll
30/07/2007 19:18:44 34136 byte 30 days old -- wucltui.dll.mui
30/07/2007 19:19:02 30072 byte 30 days old -- mucltui.dll.mui
30/07/2007 19:19:02 25944 byte 30 days old -- wuapi.dll.mui
30/07/2007 19:19:04 207736 byte 30 days old -- muweb.dll
30/07/2007 19:19:10 271224 byte 30 days old -- mucltui.dll
30/07/2007 19:19:12 43352 byte 30 days old -- wups2.dll
30/07/2007 19:19:16 53080 byte 30 days old -- wuauclt.exe
30/07/2007 19:19:20 92504 byte 30 days old -- cdm.dll
30/07/2007 19:19:28 216408 byte 30 days old -- wuaucpl.cpl
30/07/2007 19:19:28 203096 byte 30 days old -- wuweb.dll
30/07/2007 19:19:32 325976 byte 30 days old -- wucltui.dll
30/07/2007 19:19:32 25944 byte 30 days old -- wuaucpl.cpl.mui
30/07/2007 19:19:36 549720 byte 30 days old -- wuapi.dll
30/07/2007 19:19:42 1712984 byte 30 days old -- wuaueng.dll
30/07/2007 19:21:59 (DIR) 0 byte 30 days old -- config
31/07/2007 14:57:06 103 byte 29 days old -- TVersityMediaServer.log
19/08/2007 19:13:25 (DIR) 0 byte 10 days old -- DirectX
21/08/2007 13:47:11 (DIR) 0 byte 8 days old -- VIRepair
23/08/2007 15:09:29 127254 byte 6 days old -- nvapps.xml
25/08/2007 10:23:44 5376 byte 4 days old -- lanmandrv.sys
25/08/2007 10:49:50 2158 byte 4 days old -- ssmute.ini
27/08/2007 12:32:34 (DIR) 0 byte 2 days old -- CatRoot
27/08/2007 12:40:38 (DIR) 0 byte 2 days old -- DRVSTORE
27/08/2007 12:40:40 (DIR) 0 byte 2 days old -- ReinstallBackups
27/08/2007 13:46:40 272576 byte 2 days old -- FNTCACHE.DAT
27/08/2007 13:51:31 503200 byte 2 days old -- PerfStringBackup.INI
27/08/2007 13:51:31 66580 byte 2 days old -- perfc009.dat
27/08/2007 13:51:31 427922 byte 2 days old -- perfh009.dat
27/08/2007 14:14:07 24576 byte 2 days old -- VundoFixSVC.exe
28/08/2007 17:00:18 1266016 byte 1 days old -- cdnsqtvo.ini
28/08/2007 20:19:06 1266136 byte 1 days old -- doxobthi.ini
28/08/2007 20:23:59 297568 byte 1 days old -- jkhhf.dll
28/08/2007 20:24:34 1007549 byte 1 days old -- fhhkj.bak1
28/08/2007 20:24:37 74816 byte 1 days old -- lvwfekwh.dll
28/08/2007 22:49:06 15640 byte 1 days old -- qmcemiil.exe
29/08/2007 00:00:19 323 byte 0 days old -- tversity.cookies
29/08/2007 10:23:43 (DIR) 0 byte 0 days old -- drivers
29/08/2007 10:23:46 (DIR) 0 byte 0 days old -- CatRoot2
29/08/2007 10:33:56 15640 byte 0 days old -- qmfhfmeg.exe
29/08/2007 10:34:03 724 byte 0 days old -- qmopt.dll
29/08/2007 10:34:03 15640 byte 0 days old -- lanmanwrk.exe
29/08/2007 10:44:07 95232 byte 0 days old -- gb1.exe
29/08/2007 10:44:09 3072 byte 0 days old -- ocxloader.exe
29/08/2007 10:44:10 89088 byte 0 days old -- ocxapi.dll
29/08/2007 10:44:10 27 byte 0 days old -- tempfn.dll
29/08/2007 13:34:12 (DIR) 0 byte 0 days old -- Restore
29/08/2007 13:37:10 13646 byte 0 days old -- wpa.dbl
29/08/2007 13:39:13 250464 byte 0 days old -- TZLog.log
29/08/2007 13:39:32 (DIR) 0 byte 0 days old -- dllcache
29/08/2007 20:25:10 1266256 byte 0 days old -- hwkefwvl.ini
29/08/2007 20:25:12 1013301 byte 0 days old -- fhhkj.bak2
29/08/2007 20:27:09 1012337 byte 0 days old -- fhhkj.ini
10/07/2007 18:55:44 7680 byte 50 days old -- ff_vfw.dll
12/07/2007 01:22:00 135168 byte 48 days old -- java.exe
12/07/2007 01:22:04 135168 byte 48 days old -- javaw.exe
12/07/2007 02:22:36 69632 byte 48 days old -- javacpl.cpl
12/07/2007 02:22:38 139264 byte 48 days old -- javaws.exe

----- recent files in C:\WINDOWS\system32\drivers\
01/08/2007 12:08:09 11973 byte 28 days old -- secdrv.sys
02/08/2007 10:29:29 639224 byte 27 days old -- sptd.sys
03/07/2007 19:10:10 11304 byte 57 days old -- imagedrv.sys
03/07/2007 19:10:12 132904 byte 57 days old -- imagesrv.sys
05/07/2007 14:33:54 42496 byte 55 days old -- fetnd5bv.sys
16/07/2007 22:46:11 4224 byte 44 days old -- avg7rsw.sys
16/07/2007 22:46:17 4960 byte 44 days old -- avgtdi.sys
16/07/2007 22:46:17 3968 byte 44 days old -- avgclean.sys
16/07/2007 22:52:59 27776 byte 44 days old -- avg7rsxp.sys
16/07/2007 23:06:41 (DIR) 0 byte 44 days old -- UMDF
17/07/2007 06:22:04 (DIR) 0 byte 43 days old -- disdn
17/07/2007 10:17:53 19904 byte 43 days old -- avgmfx86.sys
17/07/2007 13:35:20 114944 byte 43 days old -- viamraid.sys
18/07/2007 12:34:03 278728 byte 42 days old -- atksgt.sys
18/07/2007 12:34:03 25416 byte 42 days old -- lirsgt.sys
20/07/2007 12:51:00 96256 byte 40 days old -- sptd6141.sys
28/07/2007 20:04:13 (DIR) 0 byte 32 days old -- etc
30/07/2007 19:14:19 223128 byte 30 days old -- dtscsi.sys
22/08/2007 12:04:21 821536 byte 7 days old -- avg7core.sys
25/08/2007 15:14:56 8320 byte 4 days old -- AWRTRD.sys
25/08/2007 15:14:56 9344 byte 4 days old -- NSDriver.sys

----- recent files in C:\WINDOWS\temp\
29/08/2007 13:52:23 16384 byte 0 days old -- Perflib_Perfdata_dd8.dat

----- recent files in C:\Program Files\
01/08/2007 10:04:43 (DIR) 0 byte 28 days old -- Ubisoft
01/08/2007 13:50:19 (DIR) 0 byte 28 days old -- DIFX
01/08/2007 15:42:28 (DIR) 0 byte 28 days old -- NVIDIA Corporation
02/08/2007 11:00:42 (DIR) 0 byte 27 days old -- Rockstar Games
02/08/2007 21:10:45 (DIR) 0 byte 27 days old -- Mozilla Thunderbird
03/08/2007 11:54:27 (DIR) 0 byte 26 days old -- Valve
05/08/2007 12:33:41 (DIR) 0 byte 24 days old -- PowerISO
05/08/2007 12:35:23 (DIR) 0 byte 24 days old -- MagicISO
05/08/2007 12:51:05 (DIR) 0 byte 24 days old -- BitTorrent
05/08/2007 12:54:36 (DIR) 0 byte 24 days old -- BitTornado
16/07/2007 21:15:42 (DIR) 0 byte 44 days old -- MSN
16/07/2007 21:16:13 (DIR) 0 byte 44 days old -- Windows NT
16/07/2007 21:16:24 (DIR) 0 byte 44 days old -- MSN Gaming Zone
16/07/2007 21:16:48 (DIR) 0 byte 44 days old -- ComPlus Applications
16/07/2007 21:17:23 (DIR) 0 byte 44 days old -- Movie Maker
16/07/2007 21:17:41 (DIR) 0 byte 44 days old -- NetMeeting
16/07/2007 21:18:33 (DIR) 0 byte 44 days old -- WindowsUpdate
16/07/2007 21:19:31 (DIR) 0 byte 44 days old -- xerox
16/07/2007 21:19:31 (DIR) 0 byte 44 days old -- microsoft frontpage
16/07/2007 21:58:59 (DIR) 0 byte 44 days old -- Uninstall Information
16/07/2007 22:42:56 (DIR) 0 byte 44 days old -- VIA
16/07/2007 22:43:57 (DIR) 0 byte 44 days old -- WinRAR
16/07/2007 22:45:14 (DIR) 0 byte 44 days old -- CCleaner
16/07/2007 22:46:06 (DIR) 0 byte 44 days old -- Grisoft
16/07/2007 22:51:23 (DIR) 0 byte 44 days old -- Realtek
16/07/2007 23:07:15 (DIR) 0 byte 44 days old -- Windows Media Connect 2
16/07/2007 23:15:54 (DIR) 0 byte 44 days old -- Messenger
17/07/2007 12:19:11 (DIR) 0 byte 43 days old -- Logitech
17/07/2007 12:29:12 (DIR) 0 byte 43 days old -- DVD Decrypter
17/07/2007 12:47:39 (DIR) 0 byte 43 days old -- Online Services
17/07/2007 12:59:02 (DIR) 0 byte 43 days old -- Reference Assemblies
17/07/2007 13:01:57 (DIR) 0 byte 43 days old -- MSBuild
17/07/2007 16:16:27 (DIR) 0 byte 43 days old -- Electronic Arts
17/07/2007 17:23:16 (DIR) 0 byte 43 days old -- K-Lite Codec Pack
17/07/2007 17:25:40 (DIR) 0 byte 43 days old -- VideoLAN
17/07/2007 17:31:45 (DIR) 0 byte 43 days old -- InterVideo
17/07/2007 17:32:09 (DIR) 0 byte 43 days old -- InterVideo Information Service
17/07/2007 17:34:43 (DIR) 0 byte 43 days old -- MSXML 4.0
17/07/2007 17:34:49 (DIR) 0 byte 43 days old -- InterActual
17/07/2007 17:34:58 (DIR) 0 byte 43 days old -- DivX
17/07/2007 18:55:25 (DIR) 0 byte 43 days old -- Stardock
17/07/2007 19:16:29 (DIR) 0 byte 43 days old -- MSN Messenger
17/07/2007 19:17:46 (DIR) 0 byte 43 days old -- Outlook Express
17/07/2007 19:17:46 (DIR) 0 byte 43 days old -- Windows Media Player
18/07/2007 18:42:36 (DIR) 0 byte 42 days old -- Apple Software Update
18/07/2007 18:43:00 (DIR) 0 byte 42 days old -- QuickTime
19/07/2007 10:23:09 (DIR) 0 byte 41 days old -- Nero
20/07/2007 16:02:17 (DIR) 0 byte 40 days old -- LimeWire
20/07/2007 16:07:54 (DIR) 0 byte 40 days old -- Adobe
21/07/2007 15:34:15 (DIR) 0 byte 39 days old -- Java
21/07/2007 16:13:49 (DIR) 0 byte 39 days old -- SystemRequirementsLab
22/07/2007 18:02:13 (DIR) 0 byte 38 days old -- Microsoft Windows Vista Upgrade Advisor
22/07/2007 18:37:18 (DIR) 0 byte 38 days old -- Vista ScreenSavers
22/07/2007 19:28:56 (DIR) 0 byte 38 days old -- Microsoft Games
30/07/2007 19:14:20 (DIR) 0 byte 30 days old -- DAEMON Tools
30/07/2007 19:20:21 (DIR) 0 byte 30 days old -- Microsoft.NET
30/07/2007 19:20:58 (DIR) 0 byte 30 days old -- Microsoft Visual Studio
30/07/2007 19:21:07 (DIR) 0 byte 30 days old -- Microsoft Office
30/07/2007 19:21:26 (DIR) 0 byte 30 days old -- Microsoft Works
31/07/2007 12:32:52 (DIR) 0 byte 29 days old -- Azureus
31/07/2007 14:27:08 (DIR) 0 byte 29 days old -- Winamp
31/07/2007 14:56:51 (DIR) 0 byte 29 days old -- TVersity
14/08/2007 10:38:24 (DIR) 0 byte 15 days old -- THQ
14/08/2007 11:08:48 (DIR) 0 byte 15 days old -- DVD Shrink
14/08/2007 13:58:25 (DIR) 0 byte 15 days old -- Sunflowers
15/08/2007 09:56:18 (DIR) 0 byte 14 days old -- SWAT 4
15/08/2007 11:12:25 (DIR) 0 byte 14 days old -- Internet Explorer
15/08/2007 11:13:21 (DIR) 0 byte 14 days old -- MSXML 6.0
16/08/2007 11:11:05 (DIR) 0 byte 13 days old -- Spybot - Search & Destroy
16/08/2007 14:05:04 (DIR) 0 byte 13 days old -- AMD
19/08/2007 19:06:50 (DIR) 0 byte 10 days old -- Empire Interactive
19/08/2007 20:13:13 (DIR) 0 byte 10 days old -- Techland
22/08/2007 12:02:23 (DIR) 0 byte 7 days old -- InstallShield Installation Information
24/08/2007 19:40:01 (DIR) 0 byte 5 days old -- RocketDock
25/08/2007 10:49:47 (DIR) 0 byte 4 days old -- interMute
25/08/2007 12:28:36 (DIR) 0 byte 4 days old -- Enigma Software Group
25/08/2007 15:10:33 (DIR) 0 byte 4 days old -- Common Files
25/08/2007 15:11:00 (DIR) 0 byte 4 days old -- Lavasoft
27/08/2007 12:25:42 (DIR) 0 byte 2 days old -- Mozilla Firefox 2 Beta 1
27/08/2007 13:02:49 (DIR) 0 byte 2 days old -- TechTracker
27/08/2007 18:57:18 (DIR) 0 byte 2 days old -- Starcraft
28/08/2007 16:59:56 (DIR) 0 byte 1 days old -- Vietcong2
28/08/2007 20:11:42 (DIR) 0 byte 1 days old -- Trend Micro
29/08/2007 13:53:17 (DIR) 0 byte 0 days old -- SpywareBlaster
29/08/2007 18:08:10 (DIR) 0 byte 0 days old -- Google
10/08/2007 13:55:12 (DIR) 0 byte 19 days old -- iPod
10/08/2007 13:55:18 (DIR) 0 byte 19 days old -- iTunes

----- recent files in C:\Program Files\Common Files\
16/07/2007 21:17:35 (DIR) 0 byte 44 days old -- MSSoap
16/07/2007 21:17:40 (DIR) 0 byte 44 days old -- Services
16/07/2007 23:15:17 (DIR) 0 byte 44 days old -- System
17/07/2007 06:29:00 (DIR) 0 byte 43 days old -- SpeechEngines
17/07/2007 06:29:03 (DIR) 0 byte 43 days old -- ODBC
17/07/2007 17:31:36 (DIR) 0 byte 43 days old -- InstallShield
17/07/2007 17:36:09 (DIR) 0 byte 43 days old -- InterVideo
19/07/2007 10:23:43 (DIR) 0 byte 41 days old -- Ahead
20/07/2007 16:00:47 (DIR) 0 byte 40 days old -- Java
20/07/2007 16:09:07 (DIR) 0 byte 40 days old -- Adobe
20/07/2007 16:09:30 (DIR) 0 byte 40 days old -- Adobe Systems Shared
30/07/2007 13:13:12 (DIR) 0 byte 30 days old -- Apple
30/07/2007 19:20:57 (DIR) 0 byte 30 days old -- DESIGNER
30/07/2007 19:21:25 (DIR) 0 byte 30 days old -- Microsoft Shared
14/08/2007 12:57:46 (DIR) 0 byte 15 days old -- Stardock
25/08/2007 15:10:33 (DIR) 0 byte 4 days old -- Wise Installation Wizard
27/08/2007 13:35:07 (DIR) 0 byte 2 days old -- Logitech

----- recent files in C:\Documents and Settings\Freakeh\Application Data\
01/08/2007 13:56:31 (DIR) 0 byte 28 days old -- Adobe
05/08/2007 13:24:23 (DIR) 0 byte 24 days old -- BitTorrent
05/08/2007 18:51:11 (DIR) 0 byte 24 days old -- Azureus
16/07/2007 21:59:00 (DIR) 0 byte 44 days old -- Identities
16/07/2007 23:13:46 (DIR) 0 byte 44 days old -- Macromedia
17/07/2007 06:28:24 62 byte 43 days old -- desktop.ini
17/07/2007 11:49:12 (DIR) 0 byte 43 days old -- Thunderbird
17/07/2007 11:49:13 (DIR) 0 byte 43 days old -- Mozilla
17/07/2007 11:50:20 (DIR) 0 byte 43 days old -- WinRAR
17/07/2007 12:37:16 (DIR) 0 byte 43 days old -- Talkback
17/07/2007 14:48:41 (DIR) 0 byte 43 days old -- Logitech
17/07/2007 16:44:40 (DIR) 0 byte 43 days old -- SecuROM
17/07/2007 16:45:01 (DIR) 0 byte 43 days old -- Command & Conquer 3 Tiberium Wars
17/07/2007 17:24:09 (DIR) 0 byte 43 days old -- Media Player Classic
17/07/2007 17:36:57 (DIR) 0 byte 43 days old -- InterVideo
17/07/2007 19:53:34 (DIR) 0 byte 43 days old -- Lavasoft
21/07/2007 16:13:29 (DIR) 0 byte 39 days old -- Sun
21/07/2007 16:13:42 (DIR) 0 byte 39 days old -- SystemRequirementsLab
30/07/2007 17:40:39 (DIR) 0 byte 30 days old -- vlc
30/07/2007 19:10:56 (DIR) 0 byte 30 days old -- Apple Computer
30/07/2007 19:25:47 (DIR) 0 byte 30 days old -- Microsoft
31/07/2007 11:56:07 (DIR) 0 byte 29 days old -- .BitTornado
13/08/2007 18:42:01 (DIR) 0 byte 16 days old -- Ahead
14/08/2007 10:35:55 (DIR) 0 byte 15 days old -- InstallShield
14/08/2007 15:21:54 (DIR) 0 byte 15 days old -- SpieleEntwicklungsKombinat
17/08/2007 13:29:39 (DIR) 0 byte 12 days old -- Google
23/08/2007 16:05:08 (DIR) 0 byte 6 days old -- LimeWire
25/08/2007 10:49:51 (DIR) 0 byte 4 days old -- InterMute
27/08/2007 12:47:10 (DIR) 0 byte 2 days old -- VersionTracker Pro
28/08/2007 16:00:07 (DIR) 0 byte 1 days old -- dvdcss
29/08/2007 10:24:07 (DIR) 0 byte 0 days old -- AVG7

----- recent files in C:\DOCUME~1\Freakeh\LOCALS~1\Temp\
26/08/2007 17:51:36 119 byte 3 days old -- D653F3EC.TMP
26/08/2007 17:52:19 122 byte 3 days old -- 8A56EAB7.TMP
28/08/2007 20:14:00 32768 byte 1 days old -- ~DF8677.tmp
28/08/2007 20:18:54 21343 byte 1 days old -- Danish.bin
28/08/2007 20:18:54 24173 byte 1 days old -- Dutch.bin
28/08/2007 20:18:54 22809 byte 1 days old -- Japanese.bin
28/08/2007 20:18:54 19048 byte 1 days old -- Korean.bin
28/08/2007 20:18:55 22606 byte 1 days old -- Polish.bin
28/08/2007 20:18:55 23522 byte 1 days old -- Portuguese(Brazil).bin
28/08/2007 20:18:55 20608 byte 1 days old -- Norwegian.bin
28/08/2007 20:18:55 20859 byte 1 days old -- Turkish.bin
28/08/2007 20:18:55 16913 byte 1 days old -- TradChin.bin
28/08/2007 20:18:55 24654 byte 1 days old -- Portuguese.bin
28/08/2007 20:18:55 26062 byte 1 days old -- Spanish.bin
28/08/2007 20:18:55 15534 byte 1 days old -- SimChin.bin
28/08/2007 20:18:55 22684 byte 1 days old -- SWEDISH.bin
28/08/2007 20:18:55 24638 byte 1 days old -- Russian.bin
28/08/2007 20:18:55 20733 byte 1 days old -- Thai.bin
28/08/2007 20:18:55 25824 byte 1 days old -- Italian.bin
28/08/2007 20:18:55 21562 byte 1 days old -- Finnish.bin
28/08/2007 20:18:55 25665 byte 1 days old -- French.bin
28/08/2007 20:18:55 24274 byte 1 days old -- German.bin
28/08/2007 20:18:55 22862 byte 1 days old -- Czech.bin
28/08/2007 20:18:55 21857 byte 1 days old -- English.bin
28/08/2007 20:18:55 19506 byte 1 days old -- Arabic.bin
28/08/2007 20:18:55 23467 byte 1 days old -- Greek.bin
28/08/2007 20:18:55 18436 byte 1 days old -- Hebrew.bin
28/08/2007 20:18:55 24446 byte 1 days old -- Hungarian.bin
28/08/2007 20:24:43 70144 byte 1 days old -- bbwakoas.dll
29/08/2007 10:23:45 (DIR) 0 byte 0 days old -- WPDNSE
29/08/2007 10:28:39 346 byte 0 days old -- jusched.log
29/08/2007 11:23:57 0 byte 0 days old -- sf9E.tmp
29/08/2007 13:09:33 (DIR) 0 byte 0 days old -- plugtmp
29/08/2007 13:49:04 232 byte 0 days old -- 2bc5_appcompat.txt
29/08/2007 18:02:10 0 byte 0 days old -- sxe3F.tmp
29/08/2007 18:02:14 13332625 byte 0 days old -- sxe3F.7z
29/08/2007 18:13:06 133856 byte 0 days old -- curriest_tower.kmz
29/08/2007 18:14:26 109195 byte 0 days old -- lighthouse.kmz
29/08/2007 18:14:51 119824 byte 0 days old -- pulteney.kmz
29/08/2007 18:15:48 18774 byte 0 days old -- airport.kmz
29/08/2007 18:16:26 41582 byte 0 days old -- AMP_20060611.kmz
29/08/2007 18:16:37 38436 byte 0 days old -- Wakefield_House_20060612.kmz
29/08/2007 18:16:50 99184 byte 0 days old -- sa_water.kmz
29/08/2007 18:21:17 358076 byte 0 days old -- Santos_20060606.kmz
29/08/2007 20:24:59 (DIR) 0 byte 0 days old -- plugtmp-1
29/08/2007 20:26:47 16384 byte 0 days old -- ~DFFF48.tmp
29/08/2007 20:27:15 (DIR) 0 byte 0 days old -- nsd5E.tmp

===================== Hidden Objects =====================

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 20:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


===================== Checking Rustock rootkit =====================



==========================================
Scan completed in 8.2 minutes
End of report



#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:04 AM

Posted 30 August 2007 - 03:26 AM

You are using the following programs:
BitTorrent
BitTornado
LimeWire
Azureus

Any file swapping/sharing program can slow down system performance, consume large amounts of disk space and possibly create security issues, as outsiders are granted access to your PC.
To add to that, they often come bundled with malware.
If, after that, you're going to continue using the above type of programs, I suggest you read the info in the link below.
Clean and infected file swapping programs:
http://www.spywareinfo.com/articles/p2p/

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following blue text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\cdnsqtvo.ini
C:\WINDOWS\system32\doxobthi.ini
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\fhhkj.bak1
C:\WINDOWS\system32\lvwfekwh.dll
C:\WINDOWS\system32\qmcemiil.exe
C:\WINDOWS\system32\qmfhfmeg.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\tempfn.dll
C:\WINDOWS\system32\hwkefwvl.ini
C:\WINDOWS\system32\fhhkj.bak2
C:\WINDOWS\system32\fhhkj.ini

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.
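The listing earlier in this thread is what the deletion list above was built from: in C:\WINDOWS\system32 a cluster of files with random-looking five-to-eight-letter names, all created within the last two days, several of them in pairs where one stem is the other spelled backwards (jkhhf.dll / fhhkj.ini, lvwfekwh.dll / hwkefwvl.ini). The Python below is an added example, not part of the thread or of any tool used in it: it parses lines in the scanner's "recent files" format and applies exactly those two heuristics. The sample lines are copied from the system32 listing above with a few benign neighbours kept in; the 5-8 letter length rule and the extension set are the example's own assumptions, not anything the scanner or the helper used.

```python
import re
from collections import defaultdict

# One line of the scanner's "recent files in <dir>" listing:
#   DD/MM/YYYY HH:MM:SS [(DIR) ]SIZE byte AGE days old -- NAME
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<dir>\(DIR\) )?(?P<size>\d+) byte (?P<age>\d+) days old -- (?P<name>.+)$"
)

# Assumption (example's own): a DLL-based adware drop consists of the
# payload itself plus .ini / .bakN data files with similar random stems.
PAYLOAD_EXTS = {"dll", "exe"}
DATA_EXT_RE = re.compile(r"^(ini|bak\d*)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")  # crude: 5-8 lowercase letters

# Constructed sample: lines taken from the system32 listing in this thread,
# plus a directory and a few benign files to show what is *not* flagged.
SAMPLE = """\
27/08/2007 14:14:07 24576 byte 2 days old -- VundoFixSVC.exe
28/08/2007 17:00:18 1266016 byte 1 days old -- cdnsqtvo.ini
28/08/2007 20:19:06 1266136 byte 1 days old -- doxobthi.ini
28/08/2007 20:23:59 297568 byte 1 days old -- jkhhf.dll
28/08/2007 20:24:34 1007549 byte 1 days old -- fhhkj.bak1
28/08/2007 20:24:37 74816 byte 1 days old -- lvwfekwh.dll
28/08/2007 22:49:06 15640 byte 1 days old -- qmcemiil.exe
29/08/2007 00:00:19 323 byte 0 days old -- tversity.cookies
29/08/2007 10:23:43 (DIR) 0 byte 0 days old -- drivers
29/08/2007 10:33:56 15640 byte 0 days old -- qmfhfmeg.exe
29/08/2007 10:34:03 724 byte 0 days old -- qmopt.dll
29/08/2007 10:34:03 15640 byte 0 days old -- lanmanwrk.exe
29/08/2007 10:44:09 3072 byte 0 days old -- ocxloader.exe
29/08/2007 10:44:10 89088 byte 0 days old -- ocxapi.dll
29/08/2007 13:37:10 13646 byte 0 days old -- wpa.dbl
29/08/2007 13:39:13 250464 byte 0 days old -- TZLog.log
29/08/2007 20:25:10 1266256 byte 0 days old -- hwkefwvl.ini
29/08/2007 20:25:12 1013301 byte 0 days old -- fhhkj.bak2
29/08/2007 20:27:09 1012337 byte 0 days old -- fhhkj.ini
"""


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = m.group("name")
        stem, dot, ext = name.rpartition(".")
        entries.append({
            "name": name,
            "stem": (stem if dot else name).lower(),
            "ext": ext.lower() if dot else "",
            "is_dir": m.group("dir") is not None,
            "size": int(m.group("size")),
            "age_days": int(m.group("age")),
        })
    return entries


def triage(text, max_age_days=2):
    """Flag recent random-named payload/data files and reversed-stem pairs."""
    recent = [e for e in parse_listing(text)
              if not e["is_dir"] and e["age_days"] <= max_age_days]
    suspects = [e for e in recent
                if RANDOM_STEM_RE.match(e["stem"])
                and (e["ext"] in PAYLOAD_EXTS or DATA_EXT_RE.match(e["ext"]))]

    by_stem = defaultdict(list)
    for e in suspects:
        by_stem[e["stem"]].append(e["name"])

    # Reversed-name pairing: a DLL stem whose mirror image is also present
    # as a data file (jkhhf.dll <-> fhhkj.ini).  Reported once, DLL first.
    pairs = []
    for stem, names in by_stem.items():
        mirror = stem[::-1]
        if mirror != stem and mirror in by_stem and any(n.endswith(".dll") for n in names):
            pairs.append((stem, mirror))

    return {"suspects": sorted(e["name"] for e in suspects),
            "reversed_pairs": sorted(pairs)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for name in result["suspects"]:
        print("candidate:", name)
    for dll_stem, data_stem in result["reversed_pairs"]:
        print("reversed pair:", dll_stem, "<->", data_stem)
```

On the sample this returns twelve candidates and the two reversed-name pairs. Note what it does not catch: lanmanwrk.exe and ocxloader.exe, both on the deletion list in this reply, are nine letters long and read as plausible names, so a listing-based heuristic only narrows the set; the final call still rests on age, path and a comparison against a known-good inventory of the machine.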

#9 Freakeh

Freakeh
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Australia
  • Local time:01:34 PM

Posted 30 August 2007 - 05:43 AM

Thanks again; logs are attached.

Attached Files



#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:04 AM

Posted 30 August 2007 - 06:14 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\Program Files\nialqbta.txt
C:\Documents and Settings\Freakeh\Local Settings\Temp\nsd5E.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C8A6A57-2435-4863-810F-2640325F3D39}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E6A7D63-0F09-4450-90CE-902AB5CEA02A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CC41C77-438C-42D2-B1A2-E92162FAD757}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FE8C2F9-DB82-4E82-A928-4C4767BCA05B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB8F6B0D-7204-4834-8ABD-0A61E8D90C7C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemRestoreStatus"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopom]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjws32]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

Let me know how your pc is running now.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.
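The Registry:: section of the CFScript above removes two kinds of persistence. A subkey under Winlogon\Notify names, in its DLLName value, a DLL that winlogon.exe loads at logon, so the DLL runs before the desktop appears and survives most user-mode cleanups; a Browser Helper Object is registered by CLSID and resolves through HKCR\CLSID\{clsid}\InprocServer32 to the DLL Internet Explorer loads. The Python below is an added example, not part of the thread or of ComboFix: it reads a .reg export and reports Notify entries whose DLL is not among the stock XP ones, and BHOs whose server DLL is missing or sits under the Windows directory rather than Program Files. The sample export is constructed: it reuses the Notify subkey names from the script above, but the CLSIDs, DLL paths and the default-DLL allowlist are the example's own assumptions, not values taken from the poster's machine.

```python
import re

# Constructed sample in REGEDIT export format.  The Winlogon\Notify subkey
# names (jkhhf, pmnopom) come from the CFScript in this thread; CLSIDs and
# DLL paths are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhf]
"DLLName"="C:\\WINDOWS\\system32\\jkhhf.dll"
"Logon"="Logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnopom]
"DLLName"="pmnopom.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000BB}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\lvwfekwh.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")\s*=\s*"(?P<val>.*)"$')

# Assumption (example's own list): Notify DLLs present on a stock XP install.
# Vendor DLLs (graphics, smartcard) will also appear and need vetting by
# path and signature rather than by name.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

# Raw strings cannot end in a backslash, hence the concatenation.
NOTIFY_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
                 r"\currentversion\winlogon\notify" + "\\")
BHO_PREFIX = (r"hkey_local_machine\software\microsoft\windows\currentversion"
              r"\explorer\browser helper objects" + "\\")
# HKCR is an alias of HKLM\SOFTWARE\Classes; an export may use either.
CLSID_ROOTS = (r"hkey_classes_root\clsid" + "\\",
               r"hkey_local_machine\software\classes\clsid" + "\\")


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: string_value}}.

    Only REG_SZ-style quoted values are parsed; that is all this check needs.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name")
            name = "" if name == "@" else name.strip('"').lower()
            # .reg exports double every backslash inside string data.
            keys[current][name] = vm.group("val").replace("\\\\", "\\")
    return keys


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_registry(text):
    """List (kind, key-leaf, detail) tuples for suspicious persistence entries."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        if key.startswith(NOTIFY_PREFIX):
            sub = key[len(NOTIFY_PREFIX):]
            dll = values.get("dllname", "")
            if basename(dll) not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon-notify", sub, dll or "<no DLLName>"))
        elif key.startswith(BHO_PREFIX):
            clsid = key[len(BHO_PREFIX):]
            server = ""
            for root in CLSID_ROOTS:
                server = keys.get(root + clsid + r"\inprocserver32", {}).get("", "")
                if server:
                    break
            if not server:
                # A BHO registration with no COM server is either an orphan
                # or hides its server elsewhere; either way it needs a look.
                findings.append(("bho", clsid, "<no InprocServer32>"))
            elif "\\windows\\" in server.lower():
                # Legitimate BHOs normally live under Program Files; a server
                # DLL dropped straight into the Windows tree is a lead, not a verdict.
                findings.append(("bho", clsid, server))
    return findings


if __name__ == "__main__":
    for kind, leaf, detail in triage_registry(SAMPLE_REG):
        print(f"{kind:16} {leaf}  ->  {detail}")
```

On the sample this reports jkhhf and pmnopom under Winlogon\Notify, one BHO whose server DLL is in system32, and one BHO with no InprocServer32 at all, while the stock ScCertProp entry is left alone. As with the file listing, the output is a worklist for the analyst; the thread's helper still chose what to delete by hand.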

#11 Freakeh

Freakeh
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Australia
  • Local time:01:34 PM

Posted 30 August 2007 - 08:47 PM

ComboFix 07-08-30.3 - "Freakeh" 2007-08-31 11:09:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1448 [GMT 9.5:30]
Command switches used :: C:\Documents and Settings\Freakeh\Desktop\CFScript.txt

FILE::
C:\Program Files\nialqbta.txt
C:\Documents and Settings\Freakeh\Local Settings\Temp\nsd5E.tmp


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\nialqbta.txt


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-31 10:42 <DIR> d-------- C:\83ae8540768b8e9c4f8152b8
2007-08-31 10:35 22,528 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-31 10:35 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-31 10:35 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-31 10:35 <DIR> d-------- C:\Program Files\Motorola
2007-08-31 10:35 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-30 20:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 22:59 95,232 --a------ C:\WINDOWS\system32\gb1.exe
2007-08-28 20:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 20:08 <DIR> d-------- C:\Deckard
2007-08-28 16:55 <DIR> d-------- C:\VundoFix Backups
2007-08-28 14:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-27 18:04 967 --a------ C:\WINDOWS\ScUnin.pif
2007-08-27 18:04 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-08-27 18:04 35,382 --a------ C:\WINDOWS\scunin.dat
2007-08-27 18:02 <DIR> d-------- C:\Program Files\Starcraft
2007-08-27 14:14 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-27 13:44 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-08-27 13:44 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-08-27 13:44 11,392 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-08-27 13:35 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-08-27 13:35 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2007-08-27 13:35 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2007-08-27 13:35 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-08-27 13:35 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-08-27 13:02 <DIR> d-------- C:\Program Files\TechTracker
2007-08-27 12:45 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\VersionTracker Pro
2007-08-27 12:40 69,632 --a------ C:\WINDOWS\system32\vuins32.dll
2007-08-27 12:40 42,496 --a------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2007-08-27 12:30 337,320 --------- C:\WINDOWS\system32\difxapi.dll
2007-08-27 12:29 9,216 --a------ C:\WINDOWS\system32\drivers\videX32.sys
2007-08-27 12:25 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-08-25 15:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-08-25 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-25 15:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-25 12:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-25 10:49 <DIR> d-------- C:\Program Files\interMute
2007-08-25 10:49 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\InterMute
2007-08-25 10:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-25 10:30 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-25 10:29 <DIR> d-------- C:\DOCUME~1\Freakeh\WINDOWS
2007-08-23 14:30 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-23 14:30 <DIR> d-------- C:\Fraps
2007-08-22 16:55 <DIR> d-------- C:\Program Files\Vietcong2
2007-08-19 19:06 <DIR> d-------- C:\Program Files\Empire Interactive
2007-08-17 13:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-17 13:43 <DIR> d-------- C:\WINDOWS\Icons
2007-08-17 13:29 <DIR> d-------- C:\Program Files\Google
2007-08-17 13:29 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\Google
2007-08-16 14:05 33,280 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2007-08-16 11:09 4,527 --a------ C:\cc_20070816_1109.reg
2007-08-15 19:32 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\dvdcss
2007-08-15 11:13 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-15 11:11 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 09:49 <DIR> d-------- C:\WINDOWS\SWAT 4
2007-08-15 09:49 <DIR> d-------- C:\Program Files\SWAT 4
2007-08-14 14:34 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\SpieleEntwicklungsKombinat
2007-08-14 14:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpieleEntwicklungsKombinat
2007-08-14 13:58 <DIR> d-------- C:\Program Files\Sunflowers
2007-08-14 12:57 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-08-14 11:08 <DIR> d-------- C:\Program Files\DVD Shrink
2007-08-14 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Media Center Programs
2007-08-14 10:39 <DIR> d-------- C:\Program Files\RocketDock
2007-08-14 10:35 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\InstallShield
2007-08-11 10:33 62,336 --------- C:\WINDOWS\system32\drivers\rspndr.sys
2007-08-11 10:33 10,752 --------- C:\WINDOWS\system32\rspndr.exe
2007-08-10 13:55 <DIR> d-------- C:\Program Files\iTunes
2007-08-10 13:55 <DIR> d-------- C:\Program Files\iPod
2007-08-05 12:51 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\BitTorrent
2007-08-05 12:50 <DIR> d-------- C:\Program Files\BitTorrent
2007-08-05 12:35 <DIR> d-------- C:\Program Files\MagicISO
2007-08-05 12:33 <DIR> d-------- C:\Program Files\PowerISO
2007-08-03 11:54 <DIR> d-------- C:\Program Files\Valve
2007-08-01 15:42 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2007-08-01 15:30 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-01 15:29 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-01 13:50 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-08-01 13:50 <DIR> d-------- C:\Program Files\DIFX
2007-08-01 10:04 <DIR> d-------- C:\Program Files\Ubisoft
2007-07-31 14:56 <DIR> d-------- C:\Program Files\TVersity
2007-07-31 14:10 <DIR> d-------- C:\Program Files\Winamp
2007-07-31 12:32 <DIR> d-------- C:\Program Files\Azureus
2007-07-30 19:26 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:26 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:21 <DIR> d-------- C:\Program Files\Microsoft Works
2007-07-30 19:20 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-30 19:18 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-30 19:17 <DIR> dr-h----- C:\MSOCache
2007-07-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-07-30 19:14 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-07-30 19:14 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-30 17:40 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\vlc
2007-07-30 14:34 <DIR> d-------- C:\DOCUME~1\Freakeh\Incomplete
2007-07-30 14:32 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\LimeWire
2007-07-30 13:14 <DIR> d-------- C:\DOCUME~1\Freakeh\APPLIC~1\Apple Computer
2007-07-30 13:13 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-22 19:40 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-07-22 18:37 688 --a------ C:\WINDOWS\system32\mystify1.reg
2007-07-22 18:37 68,496 --a------ C:\WINDOWS\UnDeploy.exe
2007-07-22 18:37 529,408 --a------ C:\WINDOWS\system32\ribbons.scr


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 10:42 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-31 10:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-25 15:14 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-25 15:14 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-01 12:08 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-31 11:56 --------- d-------- C:\DOCUME~1\Freakeh\APPLIC~1\.BitTornado
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-26 15:38 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-19 23:01 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 19:53 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((( snapshot_2007-08-30_200653.37 )))))))))))))))))))))))))))))))))))))))))

-c----w 51,680 2006-11-01 21:52:52 C:\WINDOWS\$NtUninstallWdf01005$\spuninst\Kmdfcustom.dll
-c----w 221,488 2006-10-08 12:21:14 C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe
-c----w 379,184 2006-10-08 12:21:14 C:\WINDOWS\$NtUninstallWdf01005$\spuninst\updspapi.dll
----a-r 22,486 2007-08-31 01:05:36 C:\WINDOWS\Installer\{DD0D4E07-064F-4979-9062-4D7B586A3365}\_5F5AEC35B16C87628B6405.exe
----a-r 22,486 2007-08-31 01:05:36 C:\WINDOWS\Installer\{DD0D4E07-064F-4979-9062-4D7B586A3365}\_6FEFF9B68218417F98F549.exe
----a-r 22,486 2007-08-31 01:05:36 C:\WINDOWS\Installer\{DD0D4E07-064F-4979-9062-4D7B586A3365}\_D192112EDF973BF3C176BD.exe
----a-w 6,144 2006-07-27 22:40:08 C:\WINDOWS\system32\mot_ci.dll
------w 14,640 2006-10-08 12:21:14 C:\WINDOWS\system32\spmsg.dll
----a-w 23,856 2006-10-08 12:21:14 C:\WINDOWS\system32\spupdsvc.exe
----a-w 36,480 2005-07-20 05:05:00 C:\WINDOWS\system32\drivers\P2k.sys
------w 492,000 2006-11-01 21:52:54 C:\WINDOWS\system32\drivers\wdf01000.sys
------w 32,224 2006-11-01 21:52:52 C:\WINDOWS\system32\drivers\wdfldr.sys
-c--a-w 17,920 2007-04-05 05:34:16 C:\WINDOWS\system32\DRVSTORE\motccgp_AAA6EBF99A29B32284FBE77DCBA5A978B418DB78\motccgp.sys
-c--a-w 7,680 2007-01-23 09:33:44 C:\WINDOWS\system32\DRVSTORE\motccgp_AAA6EBF99A29B32284FBE77DCBA5A978B418DB78\motccgpfl.sys
-c--a-w 6,400 2006-12-06 08:03:54 C:\WINDOWS\system32\DRVSTORE\motccgp_AAA6EBF99A29B32284FBE77DCBA5A978B418DB78\motswch.sys
-c--a-w 1,419,232 2006-11-13 05:06:28 C:\WINDOWS\system32\DRVSTORE\motccgp_AAA6EBF99A29B32284FBE77DCBA5A978B418DB78\wdfcoinstaller01005.dll
-c--a-w 22,528 2007-05-04 07:24:08 C:\WINDOWS\system32\DRVSTORE\motmodem_73B0B439953C130D8EB59CD7FCAE8E6CAAE33C7B\motmodem.sys
-c--a-w 1,419,232 2006-11-13 05:06:28 C:\WINDOWS\system32\DRVSTORE\motmodem_73B0B439953C130D8EB59CD7FCAE8E6CAAE33C7B\wdfcoinstaller01005.dll
-c--a-w 42,112 2007-05-04 07:34:04 C:\WINDOWS\system32\DRVSTORE\motodrv_33FDC8751D718FF9BCD2F345588D4E10B502D569\motodrv.sys
-c--a-w 6,144 2006-07-27 22:40:08 C:\WINDOWS\system32\DRVSTORE\motodrv_33FDC8751D718FF9BCD2F345588D4E10B502D569\mot_ci.dll
-c--a-w 6,016 2007-01-23 12:06:20 C:\WINDOWS\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\motfilt.sys
-c--a-w 22,016 2007-01-23 12:06:28 C:\WINDOWS\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\Motousbnet.sys
-c--a-w 6,400 2006-12-06 08:03:54 C:\WINDOWS\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\motswch.sys
-c--a-w 1,419,232 2006-11-13 05:06:28 C:\WINDOWS\system32\DRVSTORE\motousbnet_ABB6512ACA55A7A4E2FA3DE425ED10A6DA3518DB\wdfcoinstaller01005.dll
-c--a-w 22,528 2007-05-04 07:24:08 C:\WINDOWS\system32\DRVSTORE\motport_6F4CC69E1DFD455E7B0E2326811BDD44A181D021\motport.sys
-c--a-w 1,419,232 2006-11-13 05:06:28 C:\WINDOWS\system32\DRVSTORE\motport_6F4CC69E1DFD455E7B0E2326811BDD44A181D021\wdfcoinstaller01005.dll

------w 14,640 2006-10-16 06:40:58 C:\WINDOWS\system32\spmsg.dll
----a-w 23,856 2006-10-16 06:40:58 C:\WINDOWS\system32\spupdsvc.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-22 12:04]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 18:18 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:34 C:\WINDOWS\SkyTel.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 12:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 C:\WINDOWS\KHALMNPR.Exe]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-29 13:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:26]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-07-17 18:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Error Nuker]
C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nTuneService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
R3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 NVR0Dev;NVR0Dev;\??\C:\WINDOWS\nvoclock.sys
S3 pwalker;Process Walker Driver;\??\C:\DOCUME~1\Freakeh\LOCALS~1\Temp\nsd5E.tmp\pwalker.sys

*Newly Created Service* - WDF01000

Contents of the 'Scheduled Tasks' folder
2007-08-30 12:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 11:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-31 11:12:22
C:\ComboFix-quarantined-files.txt ... 2007-08-31 11:12
C:\ComboFix2.txt ... 2007-08-30 20:07

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:53 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: VersionTracker Pro.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0076FF2A-7900-4776-8E03-2A55EA139D42}: NameServer = 192.168.1.1,192.168.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 7438 bytes


Everything seems to be fine: Firefox is not displaying an error after exit, and so far I've had no pop-ups. I'll see how things go, though, so thanks again.
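A helper's verdict on a HijackThis log comes from reading each line for a few well-known warning signs (orphaned "(no file)" entries, unnamed BHOs, services with no vendor, autoruns given as bare file names). As an added example that is not part of this thread, the Python script below applies such checks to lines copied from the HijackThis log above; the flag names, rules and notes are my own, and the sample input is constructed from that log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis v2.0.2 log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Home/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# One HijackThis line: a section code (R0, O2, O4, O23, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 Run-key body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>[^\[]+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 startup-folder body: "Global Startup: <shortcut>.lnk = <resolved target or ?>"
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$")

# Why each flag matters, from the reviewer's side. Flag names are my own (hypothetical).
FLAG_NOTES: Dict[str, str] = {
    "no_file": "entry points at a file that no longer exists: an orphan left by a removal, harmless but worth fixing",
    "unnamed_bho": "browser helper object with no display name: check the DLL's publisher before trusting it",
    "bare_filename": "autorun names a bare executable, resolved through the search path: confirm which file actually loads",
    "unresolved_shortcut": "startup shortcut whose target HijackThis could not resolve: inspect the .lnk by hand",
    "unknown_owner": "service binary has no company name: verify the path and the file's signature",
}

@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)

def _image(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def triage_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not HijackThis entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("section"), m.group("body"))
    body = entry.body
    if "(no file)" in body:
        entry.flags.append("no_file")
    if entry.section == "O2" and body.startswith("BHO: (no name)"):
        entry.flags.append("unnamed_bho")
    if entry.section == "O4":
        run = RUN_RE.match(body)
        if run and not re.search(r"[\\/]", _image(run.group("cmd"))):
            entry.flags.append("bare_filename")
        lnk = STARTUP_RE.match(body)
        if lnk and lnk.group("target").strip() == "?":
            entry.flags.append("unresolved_shortcut")
    if entry.section == "O23" and " - Unknown owner - " in body:
        entry.flags.append("unknown_owner")
    return entry

def triage(log_text: str) -> List[Entry]:
    """Parse a whole log into entries, keeping file order."""
    return [e for e in map(triage_line, log_text.splitlines()) if e is not None]

def report(entries: List[Entry]) -> List[str]:
    """Human-readable lines for the flagged entries only; clean entries are skipped."""
    out = []
    for e in entries:
        for f in e.flags:
            out.append(f"{e.section} [{f}] {e.body}\n    -> {FLAG_NOTES[f]}")
    return out

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Every flag here is a prompt to look closer, not a verdict: in the sample the unnamed BHO is Spybot's SDHelper.dll and the bare RTHDCPL.EXE is the Realtek audio panel, both legitimate, which is why a reviewer checks the file behind each flagged line rather than deleting on sight.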

#12 RichieUK

Posted 31 August 2007 - 04:33 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
Avenger.exe
VundoFix.exe
ComboFix.exe
Systemscan.exe
dss.exe
main.txt
extra.txt


C:\Deckard
C:\VundoFix Backups
C:\suspectfile
C:\Qoobox
C:\Avenger

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Edited by RichieUK, 31 August 2007 - 04:34 AM.
