2nd Hand Pc - W3player And Popups With Ie6


10 replies to this topic

#1 londonliving


Posted 12 October 2007 - 09:34 AM

Hi there

Bought a cheap 2nd Hand PC today (from a computer science student).

Connected it all up and looked through some of the remaining videos and came across a http://www.w3player.com file

Downloaded the player and ever since, have been getting pop-ups from IE6 - which I never use as FireFox is the browser of choice for me.

There also was an error starting/running the anti-virus when I came to post this!

Browser heading starts with "CiD: "

Reading through a few things, and after running all the tests (and more), it was suggested to post a HijackThis log file here, so if someone can help it would be appreciated.

-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:09, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
P:\WINDOWS\System32\smss.exe
P:\WINDOWS\system32\winlogon.exe
P:\WINDOWS\system32\services.exe
P:\WINDOWS\system32\lsass.exe
P:\WINDOWS\system32\svchost.exe
P:\WINDOWS\System32\svchost.exe
P:\WINDOWS\system32\svchost.exe
P:\WINDOWS\Explorer.EXE
P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
P:\WINDOWS\system32\spoolsv.exe
P:\Program Files\ProcessGuard\dcsuserprot.exe
P:\Program Files\Kontiki\KService.exe
P:\Program Files\Eset\nod32krn.exe
P:\WINDOWS\system32\oodag.exe
P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
P:\WINDOWS\system32\rundll32.exe
P:\Program Files\Eset\nod32kui.exe
P:\WINDOWS\system32\devldr32.exe
P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
P:\Program Files\Kontiki\KHost.exe
P:\Program Files\PowerISO\PWRISOVM.EXE
P:\WINDOWS\System32\svchost.exe
P:\Program Files\DU Meter\DUMeter.exe
P:\Program Files\DefenseWall\DefenseWall.exe
P:\Program Files\ProcessGuard\pgaccount.exe
P:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
P:\WINDOWS\system32\ctfmon.exe
P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
P:\Program Files\UnHackMe\hackmon.exe
P:\Program Files\ProcessGuard\procguard.exe
P:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
P:\Program Files\MagicDisc\MagicDisc.exe
P:\Program Files\Mozilla Firefox\firefox.exe
P:\WINDOWS\explorer.exe
P:\Program Files\Internet Explorer\iexplore.exe
P:\Program Files\Internet Explorer\iexplore.exe
P:\WINDOWS\system32\taskmgr.exe
P:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] P:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "P:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "P:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] P:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [DU Meter] P:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DefenseWall] "P:\Program Files\DefenseWall\DefenseWall.exe" regrun
O4 - HKLM\..\Run: [!1_pgaccount] "P:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SocketScanner Monitor] P:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O4 - HKCU\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Wma Program] P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [UnHackMe Monitor] P:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "P:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [kdx] P:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = P:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = P:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189076234165
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - P:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefenseWall internal service (defensewall_serv) - SoftSphere Technologies - P:\WINDOWS\system32\defensewall_serv.exe
O23 - Service: KService - Kontiki Inc. - P:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - P:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - P:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7370 bytes
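As an added illustration (not code from the thread, from BleepingComputer or from HijackThis), here is a small Python triage script for logs in the format posted above: it parses the HijackThis v2 entry lines, flags O4 autoruns whose command runs from a user profile or temp directory, and collapses the repeated O10 LSP lines into one count per DLL. The sample lines are copied from the log above; the heuristics, regexes and function names are my own assumptions.

```python
"""Triage helper for HijackThis v2 logs.

Added example, not code from the thread or from HijackThis itself.
Parses the "Oxx - ..." entry lines, then applies two defender-side checks:

  * O4 autoruns whose command line runs from a user profile or a temp
    directory (long or 8.3 form) are flagged for review, since installed
    software normally starts from Program Files or the Windows directory.
  * O10 Winsock LSP lines are collapsed to one count per DLL, so a single
    file chained across many catalog entries is reported once.

SAMPLE_LOG is a short constructed subset of the log posted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>[^:]+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP:\s*(?P<path>.+)$", re.I)

# Heuristic locations (assumed, not from the thread): long and 8.3 spellings
# of a user's temp directory and of the XP per-user profile root.
# Temp is checked first because it also lies under the profile root.
SUSPECT_LOCATIONS = [
    (re.compile(r"\\(Local Settings\\Temp|LOCALS~1\\TEMP)\\", re.I),
     "autorun command runs from a temp directory"),
    (re.compile(r"\\(Documents and Settings|DOCUME~1)\\", re.I),
     "autorun command runs from a user profile directory"),
]

# Constructed sample: a handful of lines copied from the log in post #1.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [nod32kui] "P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wma Program] P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe
O4 - Startup: MagicDisc.lnk = P:\Program Files\MagicDisc\MagicDisc.exe
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - P:\Program Files\Eset\nod32krn.exe
"""


@dataclass
class Finding:
    code: str
    name: str
    command: str
    reason: str


def parse_entries(text):
    """Return (code, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_autoruns(entries):
    """Flag O4 entries (Run keys and Startup folder .lnk files) by location."""
    findings = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RUN_RE.match(body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
        elif " = " in body:  # "Startup: foo.lnk = P:\path\foo.exe"
            name, cmd = (part.strip() for part in body.split(" = ", 1))
        else:
            continue
        for pattern, reason in SUSPECT_LOCATIONS:
            if pattern.search(cmd):
                findings.append(Finding(code, name, cmd, reason))
                break
    return findings


def summarize_lsp(entries):
    """Count O10 LSP lines per DLL path (case-folded)."""
    counts = Counter()
    for code, body in entries:
        m = O10_RE.match(body) if code == "O10" else None
        if m:
            counts[m.group("path").strip().lower()] += 1
    return counts


def triage(text):
    """Run both checks over a whole log and return the results."""
    entries = parse_entries(text)
    return {"autoruns": flag_autoruns(entries), "lsp": summarize_lsp(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["autoruns"]:
        print(f"[{f.code}] {f.name}: {f.reason}\n     {f.command}")
    for path, n in report["lsp"].items():
        print(f"[O10] {path} ({n} LSP catalog entries)")
```

A flagged entry is only a pointer for a human reviewer: the script says where an autorun lives, not whether it is malicious.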


#2 Papakid (Malware Response Team)

Posted 25 October 2007 - 09:17 AM

Hi londonliving,

Apologies for the long delay, this forum is massively busy.

Personally, if I were to buy a computer second hand from an individual, and had any problems with what was on there, I would just reformat and start fresh with what I wanted to install. For several reasons, including that when troubleshooting it helps tremendously to know the history of the machine and how it was used.

Since it has been so long, please post another log so I can see what has changed. Instead of just a HijackThis log, use the following instructions:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 londonliving (Topic Starter)

Posted 25 October 2007 - 11:46 PM

Hi Papakid

Thanks for getting back to me - I was almost ready to reformat...

The reason I am interested in cleaning up the infection and not just reformatting (I even have the choice of Vista(!)) is that I have a second hard drive from my old machine which has photos, videos, documents etc on it.

One of the first things I do is to re-point Windows to my separate drive where I want my 'My Documents' [Right Click on My Documents > Properties > Move...]

As I already am careful with where I store things, I want to avoid any chance of getting my files corrupted.

One thing I noticed in the logs below is that my default Anti-Virus did not appear as NOD32...

Physically this drive is split as P: (WinXP for work stuff) and D: (WinXP for Games).

Thanks for any help

LL

LOGS FOLLOW:
-----------------

[MAIN.txt]

Deckard's System Scanner v20071014.68
Run by WinXP Pro SP2 on 2007-10-26 05:21:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2007-10-26 04:22:00 UTC - RP49 - Deckard's System Scanner Restore Point
12: 2007-10-23 08:04:56 UTC - RP48 - Installed Google Web Accelerator
11: 2007-10-16 10:14:06 UTC - RP47 - Installed DirectX
10: 2007-10-16 10:11:37 UTC - RP46 - Installed DirectX
9: 2007-10-13 01:06:11 UTC - RP45 - Installed Lizardtech DjVu Control


-- First Restore Point --
1: 2007-10-12 04:33:42 UTC - RP37 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

System Drive P: has 0.85 GiB (less than 15%) free.


-- HijackThis (run as WinXP Pro SP2.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:23:50, on 26/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
P:\Program Files\Internet Explorer\iexplore.exe
P:\Program Files\Internet Explorer\iexplore.exe
P:\Documents and Settings\WinXP Pro SP2\Desktop\dss.exe
P:\PROGRA~1\TRENDM~1\HIJACK~1\WinXP Pro SP2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] P:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "P:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [DU Meter] P:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [!1_pgaccount] "P:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" P:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "P:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = P:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189076234165
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - P:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefenseWall internal service (defensewall_serv) - SoftSphere Technologies - P:\WINDOWS\system32\defensewall_serv.exe
O23 - Service: KService - Kontiki Inc. - P:\Program Files\Kontiki\KService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - P:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - P:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - P:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5307 bytes

-- HijackThis Fixed Entries (P:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071011-095735-262 O4 - HKLM\..\Run: [heart five nurb mix] P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five\fast balm.exe

-- File Associations -----------------------------------------------------------

.txt - txtfile - shell\open\command - Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 dwall (DefenseWall driver) - p:\windows\system32\drivers\dwall.sys <Not Verified; SoftSphere Technologies; DefenseWall>
R1 SCDEmu - p:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 procguard - p:\windows\system32\drivers\procguard.sys
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - p:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 pgfilter - p:\program files\peerguardian2\pgfilter.sys

S1 InCDPass - p:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - p:\windows\system32\drivers\incdrm.sys (file missing)
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - p:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 catchme - p:\docume~1\winxpp~1\locals~1\temp\catchme.sys (file missing)
S3 KProcWatch - p:\windows\system32\drivers\kprocwatch.sys
S4 InCDFs (InCD File System) - p:\windows\system32\drivers\incdfs.sys (file missing)


pe386 driver present

msguard driver present

lzx32 driver present

huy32 driver present

xpdt driver present

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DCSPGSRV (DiamondCS ProcessGuard Service v3.200) - "p:\program files\processguard\dcsuserprot.exe" <Not Verified; DiamondCS; DiamondCS Usermode Aspect>

S2 defensewall_serv (DefenseWall internal service) - p:\windows\system32\defensewall_serv.exe <Not Verified; SoftSphere Technologies; DefenseWall>
S2 O&O Defrag - p:\windows\system32\oodag.exe <Not Verified; O&O Software GmbH; O&O Defrag>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Logitech QuickCam VC USB
Device ID: USB\VID_0478&PID_0001\5&307F9075&0&1
Manufacturer: Logitech
Name: Logitech QuickCam VC USB
PNP Device ID: USB\VID_0478&PID_0001\5&307F9075&0&1
Service: CxUSB


-- Scheduled Tasks -------------------------------------------------------------

2007-10-26 05:00:01 284 --ah----- P:\WINDOWS\Tasks\A8E11B3A904693CA.job
2007-10-22 04:23:05 1672 --a------ P:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2007-10-12 05:01:50 354 --a------ P:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2007-09-26 and 2007-10-26 -----------------------------

2007-10-24 08:18:49 0 d-------- P:\Program Files\PeerGuardian2
2007-10-23 09:04:59 0 d-------- P:\Program Files\Google
2007-10-23 07:36:52 0 d-------- P:\getservices
2007-10-22 15:38:50 0 d-------- P:\Program Files\Alawar
2007-10-16 06:21:24 0 d-------- P:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-16 06:20:58 0 d-------- P:\Program Files\Webroot
2007-10-16 06:20:58 0 d-------- P:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 06:17:23 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Webroot
2007-10-15 10:31:43 0 d-------- P:\WINDOWS\pss
2007-10-13 02:06:12 0 d-------- P:\Program Files\LizardTech
2007-10-12 23:33:43 0 d-------- P:\WINDOWS\nview
2007-10-12 23:29:46 1622016 --a------ P:\WINDOWS\system32\nwiz.exe
2007-10-12 23:29:46 1019904 --a------ P:\WINDOWS\system32\nvwimg.dll
2007-10-12 23:29:46 1662976 --a------ P:\WINDOWS\system32\nvwdmcpl.dll
2007-10-12 23:29:45 466944 --a------ P:\WINDOWS\system32\nvshell.dll
2007-10-12 23:29:44 1470464 --a------ P:\WINDOWS\system32\nview.dll
2007-10-12 23:29:43 1339392 --a------ P:\WINDOWS\system32\nvdspsch.exe
2007-10-12 23:29:40 442368 --a------ P:\WINDOWS\system32\nvappbar.exe
2007-10-12 23:29:39 425984 --a------ P:\WINDOWS\system32\keystone.exe
2007-10-12 16:08:58 23600 --a------ P:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2007-10-12 15:01:55 0 d-------- P:\WINDOWS\system32\ReinstallBackups
2007-10-12 13:29:38 0 d-------- P:\WINDOWS\Prefetch
2007-10-12 12:50:43 0 d-------- P:\Program Files\Yamicsoft
2007-10-12 12:48:25 0 --a------ P:\WINDOWS\system32\sys_dll.dll
2007-10-12 12:47:59 0 d-------- P:\Program Files\Trojan Guarder Gold Version
2007-10-12 12:24:56 0 d-------- P:\Program Files\Mgtweak
2007-10-12 12:16:49 0 d-------- P:\Program Files\LitexMedia
2007-10-12 12:14:22 0 d-------- P:\Program Files\BlazeVideo
2007-10-12 12:14:22 0 d-------- P:\Documents and Settings\All Users\Application Data\BlazeVideo
2007-10-12 06:49:30 171292 --a------ P:\WINDOWS\system32\pguard.dat
2007-10-12 06:49:30 129880 --a------ P:\WINDOWS\system32\pghash.dat
2007-10-12 06:08:59 0 d-------- P:\Program Files\ExPLabs.com
2007-10-12 06:08:55 0 d-------- P:\Documents and Settings\All Users\Application Data\{02B3E9A6-0AD1-434D-ABC5-0480353D086F}
2007-10-12 06:07:05 106496 --a------ P:\WINDOWS\system32\procguard.dll
2007-10-12 06:07:04 27968 --a------ P:\WINDOWS\system32\drivers\procguard.sys
2007-10-12 06:06:49 0 d-------- P:\Program Files\ProcessGuard
2007-10-12 05:34:17 0 d-------- P:\Program Files\MSXML 6.0
2007-10-12 05:27:47 312064 --a------ P:\WINDOWS\system32\rspsc.sys <Not Verified; Resplendence; Principal AntiVirus>
2007-10-12 05:27:44 0 d-------- P:\Program Files\RootKit Hook Analyzer
2007-10-12 05:17:44 8576 --a------ P:\WINDOWS\system32\drivers\KProcWatch.sys
2007-10-12 05:17:43 0 d-------- P:\Program Files\HiddenFinder
2007-10-12 05:13:57 59392 --a------ P:\WINDOWS\system32\dwall_ext.dll <Not Verified; SoftSphere Technologies; DefenseWall HIPS Shell Extension>
2007-10-12 05:13:56 54272 --a------ P:\WINDOWS\system32\dwall_shell.dll
2007-10-12 05:13:56 29184 --a------ P:\WINDOWS\system32\dwall.dll <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 05:13:55 228864 --a------ P:\WINDOWS\system32\drivers\dwall.sys <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 05:13:55 32768 --a------ P:\WINDOWS\system32\defensewall_serv.exe <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 05:13:54 0 d-------- P:\Program Files\DefenseWall
2007-10-12 05:11:47 0 d-------- P:\Program Files\Process Master
2007-10-12 04:59:56 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Uniblue
2007-10-12 04:58:51 0 d-------- P:\Program Files\Uniblue
2007-10-11 16:03:35 0 d-------- P:\WINDOWS\Performance
2007-10-11 16:03:10 0 d-------- P:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-10-11 16:01:14 0 d-------- P:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-10-11 09:31:22 0 d-------- P:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 11:53:12 0 d-------- P:\Program Files\Duplicate File Remover
2007-10-09 14:51:12 0 d-------- P:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-10-09 14:34:47 1901 --a------ P:\WINDOWS\panose.bin
2007-10-09 14:33:09 6144 --a------ P:\WINDOWS\system32\W95FIBER.DLL <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-10-09 14:33:09 23184 --a------ P:\WINDOWS\system32\URLCACHE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-10-09 14:33:09 19877 --a------ P:\WINDOWS\SPWHPT.DLL <Not Verified; Eastman Kodak Company; Kodak Digital Science White Point>
2007-10-09 14:33:08 16384 --a------ P:\WINDOWS\PTPICK32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision PT Picker>
2007-10-09 14:33:08 25600 --a------ P:\WINDOWS\pfpick.dll <Not Verified; Eastman Kodak Company; Kodak Digital Science Profile Picker>
2007-10-09 14:33:07 75776 --a------ P:\WINDOWS\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-10-09 14:33:05 94720 --a------ P:\WINDOWS\system32\MSVCRT10.DLL
2007-10-09 14:33:02 9728 --a------ P:\WINDOWS\icccodes.dll <Not Verified; Eastman Kodak Company; KCMS ICCCODES>
2007-10-09 14:33:01 0 d-------- P:\WINDOWS\shellnew
2007-10-09 14:33:01 39095 --a------ P:\WINDOWS\Iccsigs.dat
2007-10-09 14:33:01 42483 --a------ P:\WINDOWS\ICCCODES.DAT
2007-10-09 14:21:31 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Thinstall
2007-10-09 14:04:49 92544 --a------ P:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-10-09 14:04:44 0 d-------- P:\Program Files\MagicDisc
2007-10-09 13:21:08 0 d-------- P:\Program Files\MagicISO
2007-10-09 13:20:50 0 d-a------ P:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 06:53:00 0 d-------- P:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-10-08 09:46:17 0 d-------- P:\Program Files\2 One Safe
2007-10-07 12:53:54 0 d-------- P:\Program Files\Trend Micro
2007-10-07 05:30:50 0 d-------- P:\Program Files\PowerISO
2007-10-07 05:19:34 0 d-------- P:\Program Files\Lavasoft
2007-10-07 05:19:34 0 d-------- P:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 05:18:35 0 d-------- P:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 19:40:16 0 d-------- P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five
2007-10-05 19:39:40 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\2 One Safe
2007-10-05 19:39:03 0 d-------- P:\Program Files\3wPlayer
2007-10-05 09:47:18 0 d-------- P:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-05 09:47:08 0 d-------- P:\Program Files\VistaCodecPack
2007-10-05 09:39:42 0 d-------- P:\Program Files\DAMN NFO Viewer
2007-10-04 23:24:09 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Adobe
2007-10-04 23:23:15 0 d-------- P:\Documents and Settings\All Users\Application Data\Adobe
2007-10-04 23:23:04 0 d-------- P:\Program Files\Common Files\Adobe
2007-10-03 13:40:57 0 d-------- P:\Program Files\Kontiki
2007-10-03 13:40:56 0 d-------- P:\Documents and Settings\All Users\Application Data\Kontiki
2007-10-03 13:39:48 0 d-------- P:\Documents and Settings\All Users\Application Data\Channel4
2007-10-03 13:06:59 0 d-------- P:\Program Files\Windows Media Connect 2
2007-10-03 13:02:32 0 d-------- P:\WINDOWS\system32\LogFiles
2007-10-03 13:02:32 0 d-------- P:\WINDOWS\system32\drivers\UMDF
2007-10-03 07:35:00 2232 --a------ P:\WINDOWS\mozver.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-25 09:06:46 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\uTorrent
2007-10-23 10:39:05 0 --a------ P:\Documents and Settings\WinXP Pro SP2\Application Data\.googlewebacchosts
2007-10-14 11:57:22 0 d-------- P:\Program Files\uTorrent
2007-10-13 02:06:11 0 d--h----- P:\Program Files\InstallShield Installation Information
2007-10-13 02:05:52 0 d-------- P:\Program Files\Common Files\InstallShield
2007-10-07 05:18:35 0 d-------- P:\Program Files\Common Files
2007-10-03 06:54:14 0 d-------- P:\Program Files\Java
2007-09-09 04:53:38 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Talkback
2007-09-09 04:53:12 0 --a------ P:\WINDOWS\nsreg.dat
2007-09-09 04:53:03 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Mozilla
2007-09-06 16:09:55 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Sun
2007-09-06 16:05:38 0 d-------- P:\Program Files\Common Files\Java
2007-09-06 15:59:51 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Macromedia
2007-09-06 15:29:01 0 d-------- P:\Program Files\Ahead
2007-09-06 15:28:55 0 d-------- P:\Program Files\GoldEsel
2007-09-06 15:22:12 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Ahead
2007-09-06 15:16:09 0 d-------- P:\Program Files\Common Files\Ahead
2007-09-06 14:44:28 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\vlc
2007-09-06 14:41:37 0 d-------- P:\Program Files\VideoLAN
2007-09-06 13:05:26 0 d-------- P:\Program Files\Alcohol Soft
2007-09-06 12:33:58 0 d-------- P:\Program Files\Messenger
2007-09-06 12:01:05 298104 --a------ P:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-08-18 07:19:47 62 --ahs---- P:\Documents and Settings\WinXP Pro SP2\Application Data\desktop.ini
2007-08-18 07:15:53 21640 --a------ P:\WINDOWS\system32\emptyregdb.dat
2007-08-18 04:34:22 0 -rahs---- P:\MSDOS.SYS
2007-08-18 04:34:22 0 -rahs---- P:\IO.SYS
2007-08-18 04:34:22 0 --a------ P:\CONFIG.SYS
2007-08-18 04:34:22 0 --a------ P:\AUTOEXEC.BAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [04/08/2004 13:00 P:\WINDOWS\system32\rundll32.exe]
"nod32kui"="P:\Program Files\Eset\nod32kui.exe" [06/09/2007 12:01]
"NeroFilterCheck"="P:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"PWRISOVM.EXE"="P:\Program Files\PowerISO\PWRISOVM.EXE" [09/04/2007 13:23]
"DU Meter"="P:\Program Files\DU Meter\DUMeter.exe" [27/11/2006 15:18]
"!1_pgaccount"="P:\Program Files\ProcessGuard\pgaccount.exe" [23/12/2005 12:37]
"nwiz"="nwiz.exe" [22/10/2006 12:22 P:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [04/08/2004 13:00 P:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [19/07/2007 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="P:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"PeerGuardian"="P:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]

P:\Documents and Settings\WinXP Pro SP2\Start Menu\Programs\Startup\
MagicDisc.lnk - P:\Program Files\MagicDisc\MagicDisc.exe [09/10/2007 14:04:45]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\P:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder Gold Version.lnk]
path=P:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder Gold Version.lnk
backup=P:\WINDOWS\pss\Trojan Guarder Gold Version.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_ProcessGuard_Startup]
"P:\Program Files\ProcessGuard\procguard.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"P:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"P:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefenseWall]
"P:\Program Files\DefenseWall\DefenseWall.exe" regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
P:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE P:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE P:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SocketScanner Monitor]
P:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
P:\Program Files\UnHackMe\hackmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Program]
P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kdx"=P:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

Writing 'netsvcs' with data '6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN' failed.


*Newly Created Service* - PGFILTER



-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

6723 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-26 05:26:03 ------------

[EXTRAS.txt]

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ Processor
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 511.47 MiB / 236.42 MiB
Pagefile Memory (total/avail): 993.16 MiB / 574.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.88 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 11.29 GiB total, 6.13 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 60.53 GiB total, 24.9 GiB free.
G: is Fixed (NTFS) - 20 GiB total, 16.86 GiB free.
H: is CDROM (No Media)
I: is Fixed (NTFS) - 12.8 GiB total, 4.52 GiB free.
J: is CDROM (No Media)
P: is Fixed (NTFS) - 5.93 GiB total, 0.85 GiB free.
R: is Fixed (NTFS) - 185.05 GiB total, 19.56 GiB free.
T: is Fixed (NTFS) - 10.21 GiB total, 1.38 GiB free.
X: is Fixed (FAT) - 0.05 GiB total, 0.03 GiB free.
Y: is Fixed (FAT) - 0.05 GiB total, 0.05 GiB free.

\\.\PHYSICALDRIVE1 - MAXTOR STM3320620A - 298.09 GiB - 7 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB
\PARTITION1 - Extended w/Extended Int 13 - 288.32 GiB - F: - I: - R: - T: - Y:

\\.\PHYSICALDRIVE0 - WDC WD400BB-00CAA1 - 37.27 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 5.93 GiB - P:
\PARTITION1 - Installable File System - 20 GiB - G:
\PARTITION2 - Extended w/Extended Int 13 - 11.34 GiB - C: - X:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"P:\\Program Files\\uTorrent\\uTorrent.exe"="P:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"P:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="P:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"N:\\001Downloads\\Untested\\Portable Cinema 4D\\Portable Cinema 4D\\NET Render Server.exe"="N:\\001Downloads\\Untested\\Portable Cinema 4D\\Portable Cinema 4D\\NET Render Server.exe:*:Enabled:CINEMA 4D ®"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=P:\Documents and Settings\All Users
APPDATA=P:\Documents and Settings\WinXP Pro SP2\Application Data
CLIENTNAME=Console
CommonProgramFiles=P:\Program Files\Common Files
COMPUTERNAME=XPPROSP2
ComSpec=P:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=P:
HOMEPATH=\Documents and Settings\WinXP Pro SP2
LOGONSERVER=\\XPPROSP2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=P:\Program Files\Mozilla Firefox;P:\Program Files\Mozilla Firefox;P:\WINDOWS\system32;P:\WINDOWS;P:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 4, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0404
ProgramFiles=P:\Program Files
PROMPT=$P$G
SAN_DIR=P:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII
SESSIONNAME=Console
SystemDrive=P:
SystemRoot=P:\WINDOWS
TEMP=P:\DOCUME~1\WINXPP~1\LOCALS~1\Temp
TMP=P:\DOCUME~1\WINXPP~1\LOCALS~1\Temp
USERDOMAIN=XPPROSP2
USERNAME=WinXP Pro SP2
USERPROFILE=P:\Documents and Settings\WinXP Pro SP2
windir=P:\WINDOWS


-- User Profiles ---------------------------------------------------------------

WinXP Pro SP2 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 P:\WINDOWS\INF\PCHealth.inf
µTorrent --> "P:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> P:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Advanced WMA Workshop version 2.3 --> "P:\Program Files\LitexMedia\Advanced WMA Workshop\unins000.exe"
Ahead Nero Add-on Pack --> R:\Program Files\Nero (other win xp)\Nero\uninstall-addonpack.exe
Ahead Nero Burning Rom PlugIn Pack 2.0.2 by MadHacker2k4 --> RunDll32 P:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "P:\Program Files\InstallShield Installation Information\{2715D1D6-2B81-4DD5-A9DC-6EFF4D5E0993}\setup.exe" -l0x7 -removeonly
AutoStreamer --> MsiExec.exe /X{4218F0E1-CBAF-4D68-B6FE-B3504770829F}
CiD Help --> P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe -uninstall
Cole2k Media - Codec Pack (Advanced) --> P:\WINDOWS\system32\C2MP\Uninst.exe
Cole2k Media - Nero Audio Plugin Pack --> P:\Program Files\Common Files\Ahead\AudioPlugins\Uninst.exe
DefenseWall (remove only) --> P:\Program Files\DefenseWall\uninstall.exe
DiamondCS ProcessGuard v3.200 --> "P:\Program Files\ProcessGuard\pg_uinstdrv.exe" c "P:\Program Files\ProcessGuard\unins000.exe"
DU Meter --> "P:\Program Files\DU Meter\unins000.exe"
Duplicate File Remover 1.3 --> P:\Program Files\Duplicate File Remover\uninst.exe
Gogglebox TV 2007 --> rundll32.exe dfshim.dll,ShArpMaintain GoggleboxTV.application, Culture=en-GB, PublicKeyToken=a705a7d916fbd225, processorArchitecture=msil
Google Web Accelerator --> MsiExec.exe /X{6A1975EB-27E6-491D-94BC-6355FA25F40F}
Grand Master Chess OnLine --> P:\Program Files\Alawar\GMChess\uninstal.exe
Hidden Finder 1.3.00 --> "P:\Program Files\HiddenFinder\unins000.exe"
HijackThis 2.0.2 --> "P:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "P:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Lizardtech DjVu Control --> RunDll32 P:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "P:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
Magic ISO Maker v5.4 (build 0251) --> P:\PROGRA~1\MagicISO\UNWISE.EXE P:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.5.79 --> P:\PROGRA~1\MAGICD~1\UNWISE.EXE P:\PROGRA~1\MAGICD~1\INSTALL.LOG
MagicTweak Version 4.00 --> "P:\Program Files\Mgtweak\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "P:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "P:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.7) --> P:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.8) --> P:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Music DVD Creator 2.0 --> "P:\Program Files\BlazeVideo\Music DVD Creator\unins000.exe"
Nero 7 Premium --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Nero Reloaded PlugIn Pack 2.0.4 by GEAR --> RunDll32 P:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "P:\Program Files\InstallShield Installation Information\{F3D7915D-6B42-49FA-9FC8-5020479A6A57}\setup.exe" -l0x9 -removeonly
NOD32 antivirus system --> P:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "P:\Program Files\Eset\unins000.exe"
NVIDIA Drivers --> P:\WINDOWS\system32\nvudisp.exe UninstallGUI
O&O Defrag Professional Edition --> MsiExec.exe /I{53480370-6CA2-47EC-BC05-02B4B9271C31}
PeerGuardian 2.0 --> "P:\Program Files\PeerGuardian2\unins000.exe"
PowerISO --> "P:\Program Files\PowerISO\uninstall.exe"
Process Master 1.1 --> "P:\Program Files\Process Master\unins000.exe"
RootKit Hook Analyzer --> "P:\Program Files\RootKit Hook Analyzer\unins000.exe"
SiSoftware Sandra Professional Home XII --> "P:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII\unins000.exe"
SocketShield --> "P:\Documents and Settings\All Users\Application Data\{02B3E9A6-0AD1-434D-ABC5-0480353D086F}\SocketShieldSetup_1_0_1_0009.exe" REMOVE=TRUE MODIFY=FALSE
Spy Sweeper --> "P:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "P:\Program Files\Spybot - Search & Destroy\unins000.exe"
Trojan Guarder Gold Version 7.22 --> "P:\Program Files\Trojan Guarder Gold Version\unins000.exe"
UnHackMe 3.0 release --> "P:\Program Files\UnHackMe\unins000.exe"
Uniblue SpyEraser --> "P:\Program Files\Uniblue\SpyEraser\unins000.exe"
VideoLAN VLC media player 0.8.6c --> P:\Program Files\VideoLAN\VLC\uninstall.exe
Vista Codec Package --> MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Windows Media Format 11 runtime --> "P:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Vista Upgrade Advisor --> MsiExec.exe /I{7A2B077D-D7AC-4215-B0FB-5EA581E549E6}
WinRAR archiver --> R:\Program Files\WinRAR\uninstall.exe
WinXP Manager --> MsiExec.exe /I{784CFD4D-1BA5-4DB5-9377-84DAF0D19EF1}


-- Application Event Log -------------------------------------------------------

Event Record #/Type328 / Error
Event Submitted/Written: 10/14/2007 00:43:31 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 230629208.

Event Record #/Type327 / Error
Event Submitted/Written: 10/14/2007 00:43:23 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application uTorrent.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type317 / Error
Event Submitted/Written: 10/13/2007 03:15:19 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module imon.dll, version 2.70.31.0, fault address 0x00020d87.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type301 / Error
Event Submitted/Written: 10/12/2007 03:14:49 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type293 / Error
Event Submitted/Written: 10/12/2007 01:34:38 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application HijackThis.exe, version 2.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3899 / Warning
Event Submitted/Written: 10/25/2007 07:08:58 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3898 / Warning
Event Submitted/Written: 10/25/2007 09:51:40 AM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type3897 / Error
Event Submitted/Written: 10/25/2007 09:51:28 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The StarWind iSCSI Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type3896 / Error
Event Submitted/Written: 10/25/2007 09:29:51 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk2\D, has a bad block.

Event Record #/Type3895 / Error
Event Submitted/Written: 10/25/2007 09:29:50 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk2\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2007-10-26 05:26:03 ------------

#4 londonliving

  • Topic Starter

Posted 26 October 2007 - 01:37 AM

A quick investigation also revealed a whole program group I do not recognise.

When IE launches itself (as I never choose it), two programs will bring it back (or is that coincidence?). I can only tell it is there with Task Manager: two instances occur and one guaranteeably hogs 100% of the processor for a while.

The first is Fastba~.exe the other is NOULO~.exe

I found a folder called "2 One Safe" which Google cannot find either. And that has a program called Nounlocks.exe

See attached screengrab [Alt + Print Screen] for unidentified folder. If these files are legitimate, they have the most bizarre names...

aegrbnvh.exe
hjffwdfe.exe
Nounlocks.exe [only other ref google finds is: http://www.castlecops.com/t25367-Log_file.html from 2004]
Poll four aim.exe
tmojfkry.exe

Hope this isn't a red herring, to add to the copious list below!

Deckard's System Scanner is certainly thorough - I hope we can crack it with this.

Cheers

LL




#5 londonliving

  • Topic Starter

Posted 26 October 2007 - 02:57 AM

Also had previously been through forums and followed instructions with the HJT and ComboFix BEFORE posting here.

Discovered the CiD browser issue is vintage malware, courtesy of Microsoft Messenger.

Removed it via the instructions here: http://forums.computeractive.co.uk/thread....=0&tstart=0

-------------------

As for the w3player, all I could find from a Whois search was:

Registrant:
MetaPredict
87 East Green Street
Suite 305
Pasadena, California 91105
United States

Domain Name: w3player.com
Created on: 2007-05-17 13:05:12
Expires on: 2008-05-17 13:05:12

Administrative Contact:
Administrator, Domain domain@anondns.org
MetaPredict
87 East Green Street
Suite 305
Pasadena, California 91105
United States
(626) 796-1004 Fax -- (626) 744-7749

Technical Contact:
Administrator, Domain domain@anondns.org
MetaPredict
87 East Green Street
Suite 305
Pasadena, California 91105
United States
(626) 796-1004 Fax -- (626) 744-7749

Domain servers in listed order:
NS1.ANONDNS.ORG
NS2.ANONDNS.ORG

----------------------------

#6 Papakid

  • Malware Response Team

Posted 26 October 2007 - 12:08 PM

Hi LL,

The 3wplayer appears to be the main source of your issues.
http://en.wikipedia.org/wiki/3wplayer
http://www.symantec.com/security_response/...-99&tabid=2

It has downloaded LOP, which is what that folder you have a screenshot of is associated with, and which is fairly easy to fix. You have some much more serious infections which it may have downloaded as well, although it is still unclear if it is related or even still active.

Thank you for letting me know you've run ComboFix previously. I understand a desire to try to get things fixed up on your own but as a word of warning, CF is a very powerful tool and so is meant to only be used under supervision of a malware removal specialist. It should have had some effect on the hidden drivers, but I believe some of the many protection programs you have installed may have locked them down and are interfering with proper removal.

These programs are very good protection, although a few of them I am not familiar with, but you've gone a little overboard. Before you begin following any of my removal instructions, you should disable most of your protection programs, except for your antivirus and firewall. Programs you have installed that are known to interfere with malware removal are AdWatch and SpySweeper. ProcessGuard may interfere as well and the others may or may not. There have been times when the only way to disable AdWatch is to uninstall Ad-Aware. I suggest you do that now until you have been cleaned up. A couple of other programs I would treat the same way, you can reinstall them later, but to be perfectly honest, SpySweeper, PG, Ad-Aware and Spybot, along with Nod32 and your HIPS program should be more than adequate.

Open Add/Remove programs via Control Panel and uninstall the following:

1. Ad-Aware 2007
2. Trojan Guarder Gold
3. Uniblue SpyEraser

I would also like for you to remove Kontiki at least until we are finished as well--this may have led to your infections. It's not the most trustworthy of P2P apps as you can see by how it's listed in Add/Remove.

4. 4oD

These two are just a little extra cleanup of your Add/Remove list, although old versions of Java are a security risk and should be removed.

5. Java™ 6 Update 2
6. Mozilla Firefox (2.0.0.7)

Finally, uninstall LOP

7. CiD Help

Reboot when finished.

If you have any trouble uninstalling LOP, boot into Safe Mode (do not use the msconfig method), and do the following--copy these instructions to Notepad so you will have them while in safe mode:

START> Run, copy the following bold text, paste it into the Run box then hit Enter:

P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe -uninstall


If you have successfully uninstalled LOP, delete the following folders:

P:\Program Files\2 One Safe
P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five
P:\Documents and Settings\WinXP Pro SP2\Application Data\2 One Safe
P:\Program Files\3wPlayer


Now I want you to run DSS and ComboFix again, but in specific ways. So preliminarily do the following--and I suggest you unplug from the internet while unprotected:

1. Disable SpySweeper
2. Disable ProcessGuard

It may also be a good idea to disable Defense Wall as well, but this method of running CF may take care of that and the others that may interfere.

Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished then Click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.


Now please delete your copy of ComboFix and download the newest version according to these instructions:

Please download Combofix and save it to your desktop. If any of your security apps attempt to block the download, please allow it--ComboFix IS NOT malicious.

Now disconnect/physically unplug from the internet!

Click on START, then Run. Copy the bold text below and paste it into the Run box and click OK:

"%userprofile%\desktop\ComboFix.exe" /KillAll

Allow ComboFix to run to completion.
Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done. After you have saved the log, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

Reconnect to the internet

Post the following logs/Reports:

DSS
ComboFix.txt
Fresh HijackThis log

There is more cleanup to do and some other items I'm looking into, but will go over them next time around.


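The manual triage above (the random-named files LL listed in post #4, the "2 One Safe" folder, and the file-creation entries in the DSS logs) can be partly automated. The script below is an added example, not from this thread, from DSS or from any of the tools named here: it parses the one-line-per-file format of the DSS "Files created" section and flags entries a helper would look at first. The sample lines are constructed from entries in this thread; the dates and sizes of the "2 One Safe" files and their folder placement are assumptions, and the name heuristic deliberately does not catch Nounlocks.exe, which was identified by its folder and uninstall string rather than by its name.

```python
"""Triage pass over the 'Files created' section of a Deckard's System Scanner log."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# One DSS entry per line:
#   2007-10-26 12:03:52 52736 -r-hs---- P:\WINDOWS\service.exe [<Not Verified; vendor; name>]
# Attribute string positions: d=directory, r=read-only, a=archive, h=hidden, s=system.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[d-][r-][a-][h-][s-]-{4}) "
    r"(?P<path>.+?)(?: <(?P<verify>[^>]*)>)?\s*$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".cpl")
# Hidden/system files that legitimately sit in the root of an XP boot drive.
KNOWN_ROOT_FILES = {"io.sys", "msdos.sys", "ntldr", "ntdetect.com",
                    "boot.ini", "pagefile.sys", "hiberfil.sys"}

# Constructed sample: entries copied from the logs in this thread, plus assumed
# entries for the random-name files LL listed (dates, sizes and folder assumed).
SAMPLE_DSS_LINES = r"""
2007-10-26 12:06:58 1045007 --a------ P:\H.exe
2007-10-26 12:03:52 52736 -r-hs---- P:\WINDOWS\service.exe
2007-10-26 11:32:13 20480 --a------ P:\WINDOWS\yhl.dll
2007-10-26 09:33:21 52736 --a------ P:\service.exe
2007-10-26 12:03:07 0 d-------- P:\Program Files\FlvRecorder
2007-10-12 22:29:46 1622016 --a------ P:\WINDOWS\system32\nwiz.exe
2007-10-12 04:13:55 228864 --a------ P:\WINDOWS\system32\drivers\dwall.sys <Not Verified; SoftSphere Technologies; DefenseWall>
2007-08-18 04:34:22 0 -rahs---- P:\IO.SYS
2007-10-12 09:00:00 40960 --a------ P:\Program Files\2 One Safe\aegrbnvh.exe
2007-10-12 09:00:00 40960 --a------ P:\Program Files\2 One Safe\hjffwdfe.exe
2007-10-12 09:00:00 40960 --a------ P:\Program Files\2 One Safe\tmojfkry.exe
2007-10-12 09:00:00 77824 --a------ P:\Program Files\2 One Safe\Nounlocks.exe
""".strip().splitlines()


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str
    verify: str | None          # text of the <...> version tag, if DSS printed one
    flags: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"


def parse_line(line: str) -> Entry | None:
    """Parse one DSS file line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"], m["verify"])


def looks_random(name: str) -> bool:
    """Heuristic for generated names: 7+ letters, vowel-poor, with a long
    consonant run (matches aegrbnvh, hjffwdfe, tmojfkry; not nounlocks)."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 7 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) < 0.3 and longest_run >= 4


def triage(lines: list[str]) -> list[Entry]:
    """Attach review flags to every parsed entry (directories are skipped)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    by_name_size: dict[tuple[str, int], list[Entry]] = defaultdict(list)
    for e in entries:
        if e.is_dir:
            continue
        lower = e.name.lower()
        in_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", e.path) is not None
        if in_root and lower in KNOWN_ROOT_FILES:
            continue                      # IO.SYS, MSDOS.SYS and friends
        if not lower.endswith(EXEC_EXT):
            continue
        if e.attrs[3] == "h" and e.attrs[4] == "s":
            e.flags.append("hidden+system executable")
        if in_root:
            e.flags.append("executable in drive root")
        if looks_random(e.name):
            e.flags.append("random-looking name")
        by_name_size[(lower, e.size)].append(e)
    # The same name and byte size at several paths is worth a second look.
    for group in by_name_size.values():
        if len(group) > 1:
            for e in group:
                e.flags.append(f"same name+size at {len(group)} paths")
    return entries


def suspicious(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged path to its flags, in log order."""
    return {e.path: e.flags for e in triage(lines) if e.flags}


if __name__ == "__main__":
    for path, flags in suspicious(SAMPLE_DSS_LINES).items():
        print(f"{path}: {', '.join(flags)}")
```

The flags are hints for a human reviewer, not verdicts: a legitimate driver with a consonant-heavy name will trip the name heuristic, which is why the version tag and the location are kept on each entry.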

#7 londonliving

  • Topic Starter

Posted 30 October 2007 - 09:21 AM

Hi there did as requested, but hit a couple of snags:

When DSS ran, it did not give the 'All Associations OK' message; .txt files were still needing association to notepad.exe.

When running ComboFix, it had an error 1252 when opening user ntdata.

I also ran SpySweeper again and found trojan.gen and pws-banker.gen.bb even after removing them...



Thanks for all your help on this.
-----------------------------

Here are the logs:


DSS Main.txt

Deckard's System Scanner v20071014.68
Run by WinXP Pro SP2 on 2007-10-30 07:47:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as WinXP Pro SP2.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:48:18, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
P:\Documents and Settings\WinXP Pro SP2\Desktop\dss.exe
P:\PROGRA~1\TRENDM~1\HIJACK~1\WinXP Pro SP2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] P:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "P:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [DU Meter] P:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [!1_pgaccount] "P:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" P:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "P:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = P:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189076234165
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - P:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefenseWall internal service (defensewall_serv) - SoftSphere Technologies - P:\WINDOWS\system32\defensewall_serv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - P:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - P:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - P:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5237 bytes

-- Files created between 2007-09-30 and 2007-10-30 -----------------------------

2007-10-30 07:19:20 0 d-------- P:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-30 07:15:25 0 d-------- P:\WINDOWS\system32\appmgmt
2007-10-26 12:11:24 0 d-------- P:\Program Files\WinPcap
2007-10-26 12:06:58 1045007 --a------ P:\H.exe
2007-10-26 12:03:52 52736 -r-hs---- P:\WINDOWS\service.exe
2007-10-26 12:03:07 0 d-------- P:\Program Files\FlvRecorder
2007-10-26 11:32:13 20480 --a------ P:\WINDOWS\yhl.dll
2007-10-26 11:32:13 468480 --a------ P:\WINDOWS\system32\NMDll.dll
2007-10-26 11:32:13 7168 --a------ P:\WINDOWS\lq.dll
2007-10-26 11:32:08 208896 --a------ P:\WINDOWS\system32\HDBHO.dll
2007-10-26 11:31:46 0 d-------- P:\Program Files\HiDownload
2007-10-26 09:54:17 0 d-------- P:\URLHelper
2007-10-26 09:44:46 0 d-------- P:\Program Files\URLHelper
2007-10-26 09:33:21 52736 --a------ P:\service.exe
2007-10-26 09:32:41 0 d-------- P:\flvrecorder
2007-10-26 07:42:05 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Prevx
2007-10-26 07:11:41 0 d-------- P:\Documents and Settings\All Users\Application Data\Prevx
2007-10-24 07:18:49 0 d-------- P:\Program Files\PeerGuardian2
2007-10-23 08:04:59 0 d-------- P:\Program Files\Google
2007-10-23 06:36:52 0 d-------- P:\getservices
2007-10-22 14:38:50 0 d-------- P:\Program Files\Alawar
2007-10-16 05:21:24 0 d-------- P:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-16 05:20:58 0 d-------- P:\Program Files\Webroot
2007-10-16 05:20:58 0 d-------- P:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 05:17:23 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Webroot
2007-10-15 09:31:43 0 d-------- P:\WINDOWS\pss
2007-10-13 01:06:12 0 d-------- P:\Program Files\LizardTech
2007-10-12 22:33:43 0 d-------- P:\WINDOWS\nview
2007-10-12 22:29:46 1622016 --a------ P:\WINDOWS\system32\nwiz.exe
2007-10-12 22:29:46 1019904 --a------ P:\WINDOWS\system32\nvwimg.dll
2007-10-12 22:29:46 1662976 --a------ P:\WINDOWS\system32\nvwdmcpl.dll
2007-10-12 22:29:45 466944 --a------ P:\WINDOWS\system32\nvshell.dll
2007-10-12 22:29:44 1470464 --a------ P:\WINDOWS\system32\nview.dll
2007-10-12 22:29:43 1339392 --a------ P:\WINDOWS\system32\nvdspsch.exe
2007-10-12 22:29:40 442368 --a------ P:\WINDOWS\system32\nvappbar.exe
2007-10-12 22:29:39 425984 --a------ P:\WINDOWS\system32\keystone.exe
2007-10-12 15:08:58 23600 --a------ P:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2007-10-12 14:01:55 0 d-------- P:\WINDOWS\system32\ReinstallBackups
2007-10-12 12:29:38 0 d-------- P:\WINDOWS\Prefetch
2007-10-12 11:50:43 0 d-------- P:\Program Files\Yamicsoft
2007-10-12 11:48:25 0 --a------ P:\WINDOWS\system32\sys_dll.dll
2007-10-12 11:24:56 0 d-------- P:\Program Files\Mgtweak
2007-10-12 11:16:49 0 d-------- P:\Program Files\LitexMedia
2007-10-12 11:14:22 0 d-------- P:\Program Files\BlazeVideo
2007-10-12 11:14:22 0 d-------- P:\Documents and Settings\All Users\Application Data\BlazeVideo
2007-10-12 05:49:30 171292 --a------ P:\WINDOWS\system32\pguard.dat
2007-10-12 05:49:30 174956 --a------ P:\WINDOWS\system32\pghash.dat
2007-10-12 05:08:59 0 d-------- P:\Program Files\ExPLabs.com
2007-10-12 05:08:55 0 d-------- P:\Documents and Settings\All Users\Application Data\{02B3E9A6-0AD1-434D-ABC5-0480353D086F}
2007-10-12 05:07:05 106496 --a------ P:\WINDOWS\system32\procguard.dll
2007-10-12 05:07:04 27968 --a------ P:\WINDOWS\system32\drivers\procguard.sys
2007-10-12 05:06:49 0 d-------- P:\Program Files\ProcessGuard
2007-10-12 04:34:17 0 d-------- P:\Program Files\MSXML 6.0
2007-10-12 04:27:47 312064 --a------ P:\WINDOWS\system32\rspsc.sys <Not Verified; Resplendence; Principal AntiVirus>
2007-10-12 04:27:44 0 d-------- P:\Program Files\RootKit Hook Analyzer
2007-10-12 04:17:44 8576 --a------ P:\WINDOWS\system32\drivers\KProcWatch.sys
2007-10-12 04:17:43 0 d-------- P:\Program Files\HiddenFinder
2007-10-12 04:13:57 59392 --a------ P:\WINDOWS\system32\dwall_ext.dll <Not Verified; SoftSphere Technologies; DefenseWall HIPS Shell Extension>
2007-10-12 04:13:56 54272 --a------ P:\WINDOWS\system32\dwall_shell.dll
2007-10-12 04:13:56 29184 --a------ P:\WINDOWS\system32\dwall.dll <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 04:13:55 228864 --a------ P:\WINDOWS\system32\drivers\dwall.sys <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 04:13:55 32768 --a------ P:\WINDOWS\system32\defensewall_serv.exe <Not Verified; SoftSphere Technologies; DefenseWall>
2007-10-12 04:13:54 0 d-------- P:\Program Files\DefenseWall
2007-10-12 04:11:47 0 d-------- P:\Program Files\Process Master
2007-10-12 03:59:56 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Uniblue
2007-10-12 03:58:51 0 d-------- P:\Program Files\Uniblue
2007-10-11 15:03:35 0 d-------- P:\WINDOWS\Performance
2007-10-11 15:03:10 0 d-------- P:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-10-11 15:01:14 0 d-------- P:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-10-11 08:31:22 0 d-------- P:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 10:53:12 0 d-------- P:\Program Files\Duplicate File Remover
2007-10-09 13:51:12 0 d-------- P:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-10-09 13:34:47 1901 --a------ P:\WINDOWS\panose.bin
2007-10-09 13:33:09 6144 --a------ P:\WINDOWS\system32\W95FIBER.DLL <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-10-09 13:33:09 23184 --a------ P:\WINDOWS\system32\URLCACHE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-10-09 13:33:09 19877 --a------ P:\WINDOWS\SPWHPT.DLL <Not Verified; Eastman Kodak Company; Kodak Digital Science White Point>
2007-10-09 13:33:08 16384 --a------ P:\WINDOWS\PTPICK32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision PT Picker>
2007-10-09 13:33:08 25600 --a------ P:\WINDOWS\pfpick.dll <Not Verified; Eastman Kodak Company; Kodak Digital Science Profile Picker>
2007-10-09 13:33:07 75776 --a------ P:\WINDOWS\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-10-09 13:33:05 94720 --a------ P:\WINDOWS\system32\MSVCRT10.DLL
2007-10-09 13:33:02 9728 --a------ P:\WINDOWS\icccodes.dll <Not Verified; Eastman Kodak Company; KCMS ICCCODES>
2007-10-09 13:33:01 0 d-------- P:\WINDOWS\shellnew
2007-10-09 13:33:01 39095 --a------ P:\WINDOWS\Iccsigs.dat
2007-10-09 13:33:01 42483 --a------ P:\WINDOWS\ICCCODES.DAT
2007-10-09 13:21:31 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Thinstall
2007-10-09 13:04:49 92544 --a------ P:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-10-09 13:04:44 0 d-------- P:\Program Files\MagicDisc
2007-10-09 12:21:08 0 d-------- P:\Program Files\MagicISO
2007-10-09 12:20:50 0 d-a------ P:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 05:53:00 0 d-------- P:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-10-07 11:53:54 0 d-------- P:\Program Files\Trend Micro
2007-10-07 04:30:50 0 d-------- P:\Program Files\PowerISO
2007-10-07 04:19:34 0 d-------- P:\Program Files\Lavasoft
2007-10-07 04:19:34 0 d-------- P:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 04:18:35 0 d-------- P:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 18:40:16 0 d-------- P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five
2007-10-05 08:47:18 0 d-------- P:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-05 08:47:08 0 d-------- P:\Program Files\VistaCodecPack
2007-10-05 08:39:42 0 d-------- P:\Program Files\DAMN NFO Viewer
2007-10-04 22:24:09 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Adobe
2007-10-04 22:23:15 0 d-------- P:\Documents and Settings\All Users\Application Data\Adobe
2007-10-04 22:23:04 0 d-------- P:\Program Files\Common Files\Adobe
2007-10-03 12:40:56 0 d-------- P:\Documents and Settings\All Users\Application Data\Kontiki
2007-10-03 12:39:48 0 d-------- P:\Documents and Settings\All Users\Application Data\Channel4
2007-10-03 12:06:59 0 d-------- P:\Program Files\Windows Media Connect 2
2007-10-03 12:02:32 0 d-------- P:\WINDOWS\system32\LogFiles
2007-10-03 12:02:32 0 d-------- P:\WINDOWS\system32\drivers\UMDF
2007-10-03 06:35:00 2232 --a------ P:\WINDOWS\mozver.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-30 07:15:00 0 d-------- P:\Program Files\Java
2007-10-26 13:31:15 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\uTorrent
2007-10-23 09:39:05 0 --a------ P:\Documents and Settings\WinXP Pro SP2\Application Data\.googlewebacchosts
2007-10-14 10:57:22 0 d-------- P:\Program Files\uTorrent
2007-10-13 01:06:11 0 d--h----- P:\Program Files\InstallShield Installation Information
2007-10-13 01:05:52 0 d-------- P:\Program Files\Common Files\InstallShield
2007-10-07 04:18:35 0 d-------- P:\Program Files\Common Files
2007-09-09 03:53:38 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Talkback
2007-09-09 03:53:12 0 --a------ P:\WINDOWS\nsreg.dat
2007-09-09 03:53:03 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Mozilla
2007-09-06 15:09:55 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Sun
2007-09-06 15:05:38 0 d-------- P:\Program Files\Common Files\Java
2007-09-06 14:59:51 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Macromedia
2007-09-06 14:29:01 0 d-------- P:\Program Files\Ahead
2007-09-06 14:28:55 0 d-------- P:\Program Files\GoldEsel
2007-09-06 14:22:12 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Ahead
2007-09-06 14:16:09 0 d-------- P:\Program Files\Common Files\Ahead
2007-09-06 13:44:28 0 d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\vlc
2007-09-06 13:41:37 0 d-------- P:\Program Files\VideoLAN
2007-09-06 12:05:26 0 d-------- P:\Program Files\Alcohol Soft
2007-09-06 11:33:58 0 d-------- P:\Program Files\Messenger
2007-09-06 11:01:05 298104 --a------ P:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-08-18 06:19:47 62 --ahs---- P:\Documents and Settings\WinXP Pro SP2\Application Data\desktop.ini
2007-08-18 06:15:53 21640 --a------ P:\WINDOWS\system32\emptyregdb.dat
2007-08-18 03:34:22 0 -rahs---- P:\MSDOS.SYS
2007-08-18 03:34:22 0 -rahs---- P:\IO.SYS
2007-08-18 03:34:22 0 --a------ P:\CONFIG.SYS
2007-08-18 03:34:22 0 --a------ P:\AUTOEXEC.BAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [04/08/2004 12:00 P:\WINDOWS\system32\rundll32.exe]
"nod32kui"="P:\Program Files\Eset\nod32kui.exe" [06/09/2007 11:01]
"NeroFilterCheck"="P:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"PWRISOVM.EXE"="P:\Program Files\PowerISO\PWRISOVM.EXE" [09/04/2007 12:23]
"DU Meter"="P:\Program Files\DU Meter\DUMeter.exe" [27/11/2006 14:18]
"!1_pgaccount"="P:\Program Files\ProcessGuard\pgaccount.exe" [23/12/2005 11:37]
"nwiz"="nwiz.exe" [22/10/2006 11:22 P:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [04/08/2004 12:00 P:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"SpySweeper"="P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [19/07/2007 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="P:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"PeerGuardian"="P:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 17:40]

P:\Documents and Settings\WinXP Pro SP2\Start Menu\Programs\Startup\
MagicDisc.lnk - P:\Program Files\MagicDisc\MagicDisc.exe [09/10/2007 13:04:45]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\P:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder Gold Version.lnk]
path=P:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder Gold Version.lnk
backup=P:\WINDOWS\pss\Trojan Guarder Gold Version.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_ProcessGuard_Startup]
"P:\Program Files\ProcessGuard\procguard.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"P:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"P:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefenseWall]
"P:\Program Files\DefenseWall\DefenseWall.exe" regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
P:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE P:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE P:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SocketScanner Monitor]
P:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
P:\Program Files\UnHackMe\hackmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Program]
P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kdx"=P:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

Writing 'netsvcs' with data '6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN' failed.


*Newly Created Service* - PGFILTER



-- End of Deckard's System Scanner: finished at 2007-10-30 07:50:05 ------------

-------------------

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:44:35, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
P:\WINDOWS\System32\smss.exe
P:\WINDOWS\system32\winlogon.exe
P:\WINDOWS\system32\services.exe
P:\WINDOWS\system32\lsass.exe
P:\WINDOWS\system32\svchost.exe
P:\WINDOWS\System32\svchost.exe
P:\WINDOWS\system32\svchost.exe
P:\WINDOWS\Explorer.EXE
P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
P:\WINDOWS\system32\spoolsv.exe
P:\Program Files\ProcessGuard\dcsuserprot.exe
P:\Program Files\Eset\nod32krn.exe
P:\WINDOWS\system32\nvsvc32.exe
P:\WINDOWS\system32\oodag.exe
P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
P:\WINDOWS\system32\rundll32.exe
P:\WINDOWS\system32\devldr32.exe
P:\Program Files\Eset\nod32kui.exe
P:\Program Files\PowerISO\PWRISOVM.EXE
P:\Program Files\DU Meter\DUMeter.exe
P:\Program Files\ProcessGuard\pgaccount.exe
P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
P:\WINDOWS\system32\ctfmon.exe
P:\Program Files\PeerGuardian2\pg2.exe
P:\Program Files\MagicDisc\MagicDisc.exe
P:\WINDOWS\system32\wuauclt.exe
P:\WINDOWS\system32\Notepad.exe
P:\WINDOWS\system32\Notepad.exe
P:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
P:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] P:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "P:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [DU Meter] "P:\Program Files\DU Meter\DUMeter.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "P:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" P:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "P:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] P:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = P:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - P:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: p:\program files\explabs.com\socketshield\wrnetdrv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189076234165
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - P:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DiamondCS ProcessGuard Service v3.200 (DCSPGSRV) - DiamondCS - P:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefenseWall internal service (defensewall_serv) - SoftSphere Technologies - P:\WINDOWS\system32\defensewall_serv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - P:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - P:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - P:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - P:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - P:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6407 bytes


---------------------------


#8 londonliving

  • Topic Starter

Posted 30 October 2007 - 11:52 AM

Eventually... :thumbsup:

Had to shut down all services with START > RUN > msconfig whilst physically offline.

Then ran ComboFix as directed (both in Safe Mode, then normal).

ComboFix.txt Log

----------------------------
ComboFix 07-10-29.1 - WinXP Pro SP2 2007-10-30 15:23:55.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383 [GMT 0:00]
Running from: P:\Documents and Settings\WinXP Pro SP2\desktop\ComboFix.exe
Command switches used :: /KillAll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

P:\H.exe
P:\WINDOWS\service.exe
P:\WINDOWS\system32\koos.exe
P:\WINDOWS\system32\kprof
P:\WINDOWS\system32\poof
.
---- Previous Run -------
.
P:\WINDOWS\service.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 12:20 <DIR> d-------- P:\Program Files\AvaFind
2007-10-30 12:20 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\AvaFind Data
2007-10-30 07:19 <DIR> d-------- P:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-30 07:04 14,848 --a------ P:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-30 07:04 14,848 --a--c--- P:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-30 07:03 31,616 --a------ P:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-30 07:03 31,616 --a--c--- P:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-26 12:11 <DIR> d-------- P:\Program Files\WinPcap
2007-10-26 12:03 <DIR> d-------- P:\Program Files\FlvRecorder
2007-10-26 12:03 52,856 --a------ P:\WINDOWS\img1972.zip
2007-10-26 11:32 468,480 --a------ P:\WINDOWS\system32\NMDll.dll
2007-10-26 11:32 208,896 --a------ P:\WINDOWS\system32\HDBHO.dll
2007-10-26 11:32 20,480 --a------ P:\WINDOWS\yhl.dll
2007-10-26 11:32 7,168 --a------ P:\WINDOWS\lq.dll
2007-10-26 11:31 <DIR> d-------- P:\Program Files\HiDownload
2007-10-26 09:54 <DIR> d-------- P:\URLHelper
2007-10-26 09:44 <DIR> d-------- P:\Program Files\URLHelper
2007-10-26 09:33 52,736 --a------ P:\service.exe
2007-10-26 09:32 <DIR> d-------- P:\flvrecorder
2007-10-26 07:42 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Prevx
2007-10-26 07:29 9,728 --a------ P:\WINDOWS\system32\drivers\pxscinst.dll
2007-10-26 07:29 7,680 --a------ P:\WINDOWS\system32\drivers\pxinst.dll
2007-10-26 07:11 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Prevx
2007-10-24 07:18 <DIR> d-------- P:\Program Files\PeerGuardian2
2007-10-23 08:04 <DIR> d-------- P:\Program Files\Google
2007-10-23 06:36 <DIR> d-------- P:\getservices
2007-10-22 14:38 <DIR> d-------- P:\Program Files\Alawar
2007-10-16 05:21 <DIR> d-------- P:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-16 05:21 163,128 --a------ P:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-16 05:21 23,864 --a------ P:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-16 05:21 21,816 --a------ P:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-16 05:21 20,280 --a------ P:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-16 05:20 <DIR> d-------- P:\Program Files\Webroot
2007-10-16 05:20 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 05:20 1,521,464 --a------ P:\WINDOWS\WRSetup.dll
2007-10-16 05:17 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Webroot
2007-10-15 09:31 <DIR> d-------- P:\WINDOWS\pss
2007-10-13 01:06 <DIR> d-------- P:\Program Files\LizardTech
2007-10-12 22:33 <DIR> d-------- P:\WINDOWS\nview
2007-10-12 22:30 208,896 --a------ P:\WINDOWS\system32\nvudisp.exe
2007-10-12 15:08 23,600 --a------ P:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-10-12 14:02 36,224 -ra------ P:\WINDOWS\system32\drivers\lne100v5.sys
2007-10-12 11:50 <DIR> d-------- P:\Program Files\Yamicsoft
2007-10-12 11:48 0 --a------ P:\WINDOWS\system32\sys_dll.dll
2007-10-12 11:24 <DIR> d-------- P:\Program Files\Mgtweak
2007-10-12 11:17 1,060,864 --a------ P:\WINDOWS\system32\mfc71.dll
2007-10-12 11:16 <DIR> d-------- P:\Program Files\LitexMedia
2007-10-12 11:14 <DIR> d-------- P:\Program Files\BlazeVideo
2007-10-12 11:14 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\BlazeVideo
2007-10-12 05:49 216,212 --a------ P:\WINDOWS\system32\pghash.dat
2007-10-12 05:49 171,292 --a------ P:\WINDOWS\system32\pguard.dat
2007-10-12 05:08 <DIR> d-------- P:\Program Files\ExPLabs.com
2007-10-12 05:08 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\{02B3E9A6-0AD1-434D-ABC5-0480353D086F}
2007-10-12 05:07 106,496 --a------ P:\WINDOWS\system32\procguard.dll
2007-10-12 05:07 27,968 --a------ P:\WINDOWS\system32\drivers\procguard.sys
2007-10-12 05:06 <DIR> d-------- P:\Program Files\ProcessGuard
2007-10-12 04:34 <DIR> d-------- P:\Program Files\MSXML 6.0
2007-10-12 04:27 <DIR> d-------- P:\Program Files\RootKit Hook Analyzer
2007-10-12 04:27 312,064 --a------ P:\WINDOWS\system32\rspsc.sys
2007-10-12 04:17 <DIR> d-------- P:\Program Files\HiddenFinder
2007-10-12 04:17 8,576 --a------ P:\WINDOWS\system32\drivers\KProcWatch.sys
2007-10-12 04:13 <DIR> d-------- P:\Program Files\DefenseWall
2007-10-12 04:13 228,864 --a------ P:\WINDOWS\system32\drivers\dwall.sys
2007-10-12 04:13 59,392 --a------ P:\WINDOWS\system32\dwall_ext.dll
2007-10-12 04:13 54,272 --a------ P:\WINDOWS\system32\dwall_shell.dll
2007-10-12 04:13 32,768 --a------ P:\WINDOWS\system32\defensewall_serv.exe
2007-10-12 04:13 29,184 --a------ P:\WINDOWS\system32\dwall.dll
2007-10-12 04:11 <DIR> d-------- P:\Program Files\Process Master
2007-10-12 03:59 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Uniblue
2007-10-12 03:58 <DIR> d-------- P:\Program Files\Uniblue
2007-10-11 15:03 <DIR> d-------- P:\WINDOWS\Performance
2007-10-11 15:03 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-10-11 15:01 <DIR> d-------- P:\Program Files\Microsoft Windows Vista Upgrade Advisor
2007-10-11 08:31 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-10 10:53 <DIR> d-------- P:\Program Files\Duplicate File Remover
2007-10-09 13:34 1,901 --a------ P:\WINDOWS\panose.bin
2007-10-09 13:21 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Thinstall
2007-10-09 13:04 <DIR> d-------- P:\Program Files\MagicDisc
2007-10-09 13:04 92,544 --a------ P:\WINDOWS\system32\drivers\mcdbus.sys
2007-10-09 12:21 <DIR> d-------- P:\Program Files\MagicISO
2007-10-09 12:20 <DIR> d-a------ P:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 05:53 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-10-07 11:57 51,200 --a------ P:\WINDOWS\NirCmd.exe
2007-10-07 11:53 <DIR> d-------- P:\Program Files\Trend Micro
2007-10-07 04:30 <DIR> d-------- P:\Program Files\PowerISO
2007-10-07 04:19 <DIR> d-------- P:\Program Files\Lavasoft
2007-10-07 04:19 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 04:18 <DIR> d-------- P:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 18:40 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five
2007-10-05 08:47 <DIR> d-------- P:\Program Files\VistaCodecPack
2007-10-05 08:47 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-05 08:39 <DIR> d-------- P:\Program Files\DAMN NFO Viewer
2007-10-04 22:23 <DIR> d-------- P:\Program Files\Common Files\Adobe
2007-10-03 12:40 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Kontiki
2007-10-03 12:39 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Channel4
2007-10-03 12:07 221,184 --a------ P:\WINDOWS\system32\wmpns.dll
2007-10-03 12:06 <DIR> d-------- P:\Program Files\Windows Media Connect 2
2007-10-03 12:02 <DIR> d-------- P:\WINDOWS\system32\LogFiles
2007-10-03 12:02 <DIR> d-------- P:\WINDOWS\system32\drivers\UMDF
2007-10-03 06:35 2,232 --a------ P:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-21 06:15 683,520 ----a-w P:\WINDOWS\system32\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w P:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w P:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w P:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w P:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w P:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 203,096 ----a-w P:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w P:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w P:\WINDOWS\system32\wups.dll
2007-07-10 22:55 7,680 ----a-w P:\WINDOWS\system32\ff_vfw.dll
2007-07-09 13:09 584,192 ----a-w P:\WINDOWS\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_13.00.44.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-24 04:47:44 49,152 ----a-w P:\WINDOWS\$hf_mig$\KB904942\SP2QFE\wdigest.dll
+ 2005-10-12 23:12:25 14,048 ----a-w P:\WINDOWS\$hf_mig$\KB904942\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w P:\WINDOWS\$hf_mig$\KB904942\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w P:\WINDOWS\$hf_mig$\KB904942\update\spcustom.dll
+ 2005-10-12 23:12:28 716,000 ----a-w P:\WINDOWS\$hf_mig$\KB904942\update\update.exe
+ 2005-10-12 23:12:33 371,424 ----a-w P:\WINDOWS\$hf_mig$\KB904942\update\updspapi.dll
+ 2005-10-12 23:12:26 213,216 -c----w P:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w P:\WINDOWS\$NtUninstallKB904942$\spuninst\updspapi.dll
+ 2004-08-04 12:00:00 49,152 -c----w P:\WINDOWS\$NtUninstallKB904942$\wdigest.dll
+ 2007-10-16 10:14:44 53,248 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2007-10-16 10:14:45 12,800 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2007-10-16 10:14:45 473,600 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2007-10-16 10:14:34 2,676,224 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:35 2,846,720 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:36 563,712 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:37 567,296 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:38 576,000 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:39 577,024 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:40 577,536 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:41 577,536 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:42 578,560 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:46 578,560 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-10-16 10:14:47 145,920 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2007-10-16 10:14:47 159,232 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2007-10-16 10:14:48 364,544 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2007-10-16 10:14:49 178,176 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2007-10-16 10:14:44 223,232 ----a-w P:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2007-09-28 08:06:08 135,168 ----a-w P:\WINDOWS\catchme.exe
+ 2007-10-26 09:51:17 136,192 ----a-w P:\WINDOWS\catchme.exe
+ 2007-10-12 04:36:03 528,446 ----a-w P:\WINDOWS\gmer.dll
+ 2006-05-25 21:05:20 745,531 ----a-w P:\WINDOWS\gmer.exe
+ 2002-05-06 12:44:28 42,483 ----a-w P:\WINDOWS\ICCCODES.DAT
+ 2002-05-06 12:44:28 9,728 ----a-w P:\WINDOWS\icccodes.dll
+ 2002-05-06 12:44:28 39,095 ----a-w P:\WINDOWS\Iccsigs.dat
+ 2007-10-30 12:20:31 25,214 ----a-r P:\WINDOWS\Installer\{909577E9-BFB5-48E2-8237-71DCA373F147}\_18be6784.exe
+ 2007-10-30 12:20:31 10,134 ----a-r P:\WINDOWS\Installer\{909577E9-BFB5-48E2-8237-71DCA373F147}\_294823.exe
+ 2007-10-30 12:20:31 25,214 ----a-r P:\WINDOWS\Installer\{909577E9-BFB5-48E2-8237-71DCA373F147}\_4ae13d6c.exe
+ 2005-03-18 15:23:10 53,248 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2005-03-18 15:23:10 12,800 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Diagnostics.dll
+ 2005-03-18 15:23:14 473,600 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll
+ 2004-09-29 11:38:58 2,676,224 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-03-18 15:23:10 145,920 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.dll
+ 2005-03-18 15:23:10 159,232 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.dll
+ 2005-03-18 15:23:14 364,544 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectPlay.dll
+ 2005-03-18 15:23:12 178,176 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll
+ 2005-03-18 15:23:14 223,232 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.dll
+ 2004-12-01 14:53:06 2,846,720 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-02-05 18:32:54 563,712 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-03-18 16:23:14 567,296 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-05-26 14:15:56 576,000 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-07-22 16:21:34 577,024 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-09-28 13:11:52 577,536 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2908.0\Microsoft.DirectX.Direct3DX.dll
+ 2005-12-05 16:20:50 577,536 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll
+ 2006-02-03 06:40:48 578,560 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll
+ 2006-03-31 10:27:50 578,560 ----a-w P:\WINDOWS\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2002-05-06 12:44:28 75,776 ----a-w P:\WINDOWS\PCDLIB32.DLL
+ 2002-05-06 12:44:30 25,600 ----a-w P:\WINDOWS\pfpick.dll
+ 2002-05-06 12:44:30 16,384 ----a-w P:\WINDOWS\PTPICK32.DLL
+ 2002-05-06 12:44:30 19,877 ----a-w P:\WINDOWS\SPWHPT.DLL
+ 2007-10-12 03:59:04 9,728 ----a-w P:\WINDOWS\system32\BASSMOD.dll
- 2007-06-14 18:09:18 1,023,488 ----a-w P:\WINDOWS\system32\browseui.dll
+ 2007-08-22 13:12:15 1,022,976 ----a-w P:\WINDOWS\system32\browseui.dll
- 2007-06-14 18:09:18 151,040 ----a-w P:\WINDOWS\system32\cdfview.dll
+ 2007-08-22 13:12:15 151,040 ----a-w P:\WINDOWS\system32\cdfview.dll
- 2007-06-14 18:09:18 1,054,208 ----a-w P:\WINDOWS\system32\danim.dll
+ 2007-08-22 13:12:16 1,054,208 ----a-w P:\WINDOWS\system32\danim.dll
- 2007-06-14 18:09:18 1,023,488 -c--a-w P:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-08-22 13:12:15 1,022,976 -c--a-w P:\WINDOWS\system32\dllcache\browseui.dll
- 2007-06-14 18:09:18 151,040 -c--a-w P:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-08-22 13:12:15 151,040 -c--a-w P:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-06-14 18:09:18 1,054,208 -c--a-w P:\WINDOWS\system32\dllcache\danim.dll
+ 2007-08-22 13:12:16 1,054,208 -c--a-w P:\WINDOWS\system32\dllcache\danim.dll
- 2007-06-14 18:09:18 357,888 -c--a-w P:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-22 13:12:16 357,888 -c--a-w P:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-06-14 18:09:19 205,312 -c--a-w P:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-08-22 13:12:16 205,312 -c--a-w P:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-06-14 18:09:19 55,808 -c--a-w P:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-22 13:12:16 55,808 -c--a-w P:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-14 14:07:24 18,432 -c--a-w P:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-21 10:30:45 18,432 -c--a-w P:\WINDOWS\system32\dllcache\iedw.exe
- 2007-06-14 18:09:19 251,392 -c--a-w P:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-22 13:12:16 251,392 -c--a-w P:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-05-16 15:12:02 683,520 -c--a-w P:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c--a-w P:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-06-14 18:09:19 96,256 -c--a-w P:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-22 13:12:16 96,256 -c--a-w P:\WINDOWS\system32\dllcache\inseng.dll
- 2007-06-14 18:09:19 16,384 -c--a-w P:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-22 13:12:16 16,384 -c--a-w P:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-06-14 18:09:20 3,058,688 -c--a-w P:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-08-22 13:12:17 3,058,176 -c--a-w P:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-06-14 18:09:19 449,024 -c--a-w P:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-22 13:12:17 449,024 -c--a-w P:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-06-14 18:09:19 146,432 -c--a-w P:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-08-22 13:12:17 146,432 -c--a-w P:\WINDOWS\system32\dllcache\msrating.dll
- 2007-06-14 18:09:20 532,480 -c--a-w P:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-08-22 13:12:17 532,480 -c--a-w P:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-10-22 11:22:00 3,994,624 -c--a-w P:\WINDOWS\system32\dllcache\nv4_mini.sys
- 2007-06-14 18:09:20 39,424 -c--a-w P:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-22 13:12:17 39,424 -c--a-w P:\WINDOWS\system32\dllcache\pngfilt.dll
- 2004-08-04 12:00:00 581,120 -c--a-w P:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 -c--a-w P:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2007-06-14 18:09:20 1,494,528 -c--a-w P:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-08-22 13:12:18 1,494,528 -c--a-w P:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-06-14 18:09:20 474,112 -c--a-w P:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-08-22 13:12:18 474,112 -c--a-w P:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-06-14 18:09:20 615,424 -c--a-w P:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-22 13:12:18 615,424 -c--a-w P:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00 49,152 -c--a-w P:\WINDOWS\system32\dllcache\wdigest.dll
+ 2006-03-24 04:37:50 49,152 -c--a-w P:\WINDOWS\system32\dllcache\wdigest.dll
- 2007-06-26 14:09:10 658,944 -c--a-w P:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-08-22 13:12:18 658,944 -c--a-w P:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-12 04:36:03 64,529 ----a-w P:\WINDOWS\system32\drivers\gmer.sys
+ 2007-01-25 17:31:34 42,000 ----a-w P:\WINDOWS\system32\drivers\npf.sys
- 2004-08-03 22:29:56 1,897,408 ----a-w P:\WINDOWS\system32\drivers\nv4_mini.sys
+ 2006-10-22 11:22:00 3,994,624 ----a-w P:\WINDOWS\system32\drivers\nv4_mini.sys
+ 2006-11-23 16:04:02 7,552 ----a-w P:\WINDOWS\system32\drivers\pxcom.sys
+ 2006-11-23 16:04:06 100,864 ----a-w P:\WINDOWS\system32\drivers\PxEmu.sys
+ 2006-11-23 16:04:02 274,432 ----a-w P:\WINDOWS\system32\drivers\pxfsf.sys
+ 2006-08-24 09:55:58 13,568 ----a-w P:\WINDOWS\system32\drivers\pxrd.sys
+ 2006-11-23 16:04:06 11,648 ----a-w P:\WINDOWS\system32\drivers\pxscrmbl.sys
+ 2006-11-23 16:04:04 18,560 ----a-w P:\WINDOWS\system32\drivers\pxtdi.sys
+ 2005-04-03 13:02:12 8,944 ----a-w P:\WINDOWS\system32\drivers\UnHackMeDrv.sys
- 2007-06-14 18:09:18 357,888 ----a-w P:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-22 13:12:16 357,888 ----a-w P:\WINDOWS\system32\dxtmsft.dll
- 2007-06-14 18:09:19 205,312 ----a-w P:\WINDOWS\system32\dxtrans.dll
+ 2007-08-22 13:12:16 205,312 ----a-w P:\WINDOWS\system32\dxtrans.dll
- 2007-06-14 18:09:19 55,808 ----a-w P:\WINDOWS\system32\extmgr.dll
+ 2007-08-22 13:12:16 55,808 ----a-w P:\WINDOWS\system32\extmgr.dll
- 2007-06-14 18:09:19 251,392 ----a-w P:\WINDOWS\system32\iepeers.dll
+ 2007-08-22 13:12:16 251,392 ----a-w P:\WINDOWS\system32\iepeers.dll
- 2007-06-14 18:09:19 96,256 ----a-w P:\WINDOWS\system32\inseng.dll
+ 2007-08-22 13:12:16 96,256 ----a-w P:\WINDOWS\system32\inseng.dll
- 2007-06-14 18:09:19 16,384 ----a-w P:\WINDOWS\system32\jsproxy.dll
+ 2007-08-22 13:12:16 16,384 ----a-w P:\WINDOWS\system32\jsproxy.dll
+ 2006-10-22 11:22:00 425,984 ----a-w P:\WINDOWS\system32\keystone.exe
+ 2002-05-06 12:44:28 148,992 ----a-w P:\WINDOWS\system32\MFC30.DLL
+ 2002-05-06 12:44:28 36,352 ----a-w P:\WINDOWS\system32\MFCANS32.DLL
+ 2002-05-06 12:44:28 58,368 ----a-w P:\WINDOWS\system32\MFCO30.DLL
+ 2002-05-06 12:44:28 4,096 ----a-w P:\WINDOWS\system32\MFCUIA32.DLL
- 2007-09-06 02:50:42 17,474,680 ----a-w P:\WINDOWS\system32\MRT.exe
+ 2007-09-28 05:19:39 18,089,592 ----a-w P:\WINDOWS\system32\MRT.exe
- 2007-06-14 18:09:20 3,058,688 ----a-w P:\WINDOWS\system32\mshtml.dll
+ 2007-08-22 13:12:17 3,058,176 ----a-w P:\WINDOWS\system32\mshtml.dll
- 2007-06-14 18:09:19 449,024 ----a-w P:\WINDOWS\system32\mshtmled.dll
+ 2007-08-22 13:12:17 449,024 ----a-w P:\WINDOWS\system32\mshtmled.dll
- 2007-06-14 18:09:19 146,432 ----a-w P:\WINDOWS\system32\msrating.dll
+ 2007-08-22 13:12:17 146,432 ----a-w P:\WINDOWS\system32\msrating.dll
- 2007-06-14 18:09:20 532,480 ----a-w P:\WINDOWS\system32\mstime.dll
+ 2007-08-22 13:12:17 532,480 ----a-w P:\WINDOWS\system32\mstime.dll
+ 2002-05-06 12:44:28 35,328 ----a-w P:\WINDOWS\system32\MSVCIRTD.DLL
+ 2002-05-06 12:44:28 94,720 ----a-w P:\WINDOWS\system32\MSVCRT10.DLL
+ 2002-05-06 12:44:28 141,824 ----a-w P:\WINDOWS\system32\MSVCRTD.DLL
+ 2007-05-15 14:43:10 1,320,800 ----a-w P:\WINDOWS\system32\msxml6.dll
+ 2005-09-08 00:03:50 86,728 ----a-w P:\WINDOWS\system32\msxml6r.dll
- 2004-08-04 00:56:46 4,274,816 ----a-w P:\WINDOWS\system32\nv4_disp.dll
+ 2006-10-22 11:22:00 4,527,488 ----a-w P:\WINDOWS\system32\nv4_disp.dll
+ 2006-10-22 11:22:00 212,992 ----a-w P:\WINDOWS\system32\nvapi.dll
+ 2006-10-22 11:22:00 442,368 ----a-w P:\WINDOWS\system32\nvappbar.exe
+ 2006-10-22 11:22:00 35,840 ----a-w P:\WINDOWS\system32\nvcod.dll
+ 2006-10-22 11:22:00 35,840 ----a-w P:\WINDOWS\system32\nvcodins.dll
+ 2006-10-22 11:22:00 147,456 ----a-w P:\WINDOWS\system32\nvcolor.exe
+ 2006-10-22 11:22:00 7,700,480 ----a-w P:\WINDOWS\system32\nvcpl.dll
+ 2006-10-22 11:22:00 794,624 ----a-w P:\WINDOWS\system32\nvcplui.exe
+ 2006-10-22 11:22:00 1,011,712 ----a-w P:\WINDOWS\system32\nvcpluir.dll
+ 2006-10-22 11:22:00 5,619,712 ----a-w P:\WINDOWS\system32\nvdisps.dll
+ 2006-10-22 11:22:00 5,255,168 ----a-w P:\WINDOWS\system32\nvdispsr.dll
+ 2006-10-22 11:22:00 1,339,392 ----a-w P:\WINDOWS\system32\nvdspsch.exe
+ 2006-10-22 11:22:00 311,296 ----a-w P:\WINDOWS\system32\nvexpbar.dll
+ 2006-10-22 11:22:00 3,047,424 ----a-w P:\WINDOWS\system32\nvgames.dll
+ 2006-10-22 11:22:00 3,203,072 ----a-w P:\WINDOWS\system32\nvgamesr.dll
+ 2006-10-22 11:22:00 581,632 ----a-w P:\WINDOWS\system32\nvhwvid.dll
+ 2006-10-22 11:22:00 1,470,464 ----a-w P:\WINDOWS\system32\nview.dll
+ 2006-10-22 11:22:00 229,376 ----a-w P:\WINDOWS\system32\nvmccs.dll
+ 2006-10-22 11:22:00 45,056 ----a-w P:\WINDOWS\system32\nvmccsrs.dll
+ 2006-10-22 11:22:00 188,416 ----a-w P:\WINDOWS\system32\nvmccss.dll
+ 2006-10-22 11:22:00 458,752 ----a-w P:\WINDOWS\system32\nvmccssr.dll
+ 2006-10-22 11:22:00 86,016 ----a-w P:\WINDOWS\system32\nvmctray.dll
+ 2006-10-22 11:22:00 888,832 ----a-w P:\WINDOWS\system32\nvmobls.dll
+ 2006-10-22 11:22:00 2,859,008 ----a-w P:\WINDOWS\system32\nvmoblsr.dll
+ 2006-10-22 11:22:00 286,720 ----a-w P:\WINDOWS\system32\nvnt4cpl.dll
+ 2006-10-22 11:22:00 5,644,288 ----a-w P:\WINDOWS\system32\nvoglnt.dll
+ 2006-10-22 11:22:00 466,944 ----a-w P:\WINDOWS\system32\nvshell.dll
+ 2006-10-22 11:22:00 159,810 ----a-w P:\WINDOWS\system32\nvsvc32.exe
+ 2006-10-22 11:22:00 2,924,544 ----a-w P:\WINDOWS\system32\nvvitvs.dll
+ 2006-10-22 11:22:00 2,973,696 ----a-w P:\WINDOWS\system32\nvvitvsr.dll
+ 2006-10-22 11:22:00 81,920 ----a-w P:\WINDOWS\system32\nvwddi.dll
+ 2006-10-22 11:22:00 1,662,976 ----a-w P:\WINDOWS\system32\nvwdmcpl.dll
+ 2006-10-22 11:22:00 1,019,904 ----a-w P:\WINDOWS\system32\nvwimg.dll
+ 2006-10-22 11:22:00 1,236,992 ----a-w P:\WINDOWS\system32\nvwss.dll
+ 2006-10-22 11:22:00 1,732,608 ----a-w P:\WINDOWS\system32\nvwssr.dll
+ 2006-10-22 11:22:00 1,622,016 ----a-w P:\WINDOWS\system32\nwiz.exe
+ 2007-01-25 17:31:34 88,952 ----a-w P:\WINDOWS\system32\Packet.dll
- 2007-10-07 04:39:03 58,596 ----a-w P:\WINDOWS\system32\perfc009.dat
+ 2007-10-30 15:31:21 58,596 ----a-w P:\WINDOWS\system32\perfc009.dat
- 2007-10-07 04:39:03 392,296 ----a-w P:\WINDOWS\system32\perfh009.dat
+ 2007-10-30 15:31:21 392,296 ----a-w P:\WINDOWS\system32\perfh009.dat
- 2007-06-14 18:09:20 39,424 ----a-w P:\WINDOWS\system32\pngfilt.dll
+ 2007-08-22 13:12:17 39,424 ----a-w P:\WINDOWS\system32\pngfilt.dll
+ 2007-01-25 17:31:36 53,299 ----a-w P:\WINDOWS\system32\pthreadVC.dll
+ 2004-08-03 22:31:20 36,224 ----a-w P:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\an983.sys
+ 2004-08-04 00:56:46 4,274,816 ----a-w P:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\nv4_disp.dll
+ 2004-08-03 22:29:56 1,897,408 ----a-w P:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\nv4_mini.sys
- 2007-06-14 18:09:20 1,494,528 ----a-w P:\WINDOWS\system32\shdocvw.dll
+ 2007-08-22 13:12:18 1,494,528 ----a-w P:\WINDOWS\system32\shdocvw.dll
- 2007-06-14 18:09:20 474,112 ----a-w P:\WINDOWS\system32\shlwapi.dll
+ 2007-08-22 13:12:18 474,112 ----a-w P:\WINDOWS\system32\shlwapi.dll
+ 2007-07-19 21:42:36 16,184 ----a-w P:\WINDOWS\system32\ssiefr.EXE
- 2007-10-05 09:07:31 279,552 ----a-w P:\WINDOWS\system32\swreg.exe
+ 2007-07-22 18:39:27 279,552 ----a-w P:\WINDOWS\system32\swreg.exe
+ 2002-05-06 12:44:28 23,184 ----a-w P:\WINDOWS\system32\URLCACHE.DLL
- 2007-06-14 18:09:20 615,424 ----a-w P:\WINDOWS\system32\urlmon.dll
+ 2007-08-22 13:12:18 615,424 ----a-w P:\WINDOWS\system32\urlmon.dll
+ 2002-05-06 12:44:28 6,144 ----a-w P:\WINDOWS\system32\W95FIBER.DLL
+ 2007-01-25 17:31:34 68,480 ----a-w P:\WINDOWS\system32\WanPacket.dll
- 2004-08-04 12:00:00 49,152 ----a-w P:\WINDOWS\system32\wdigest.dll
+ 2006-03-24 04:37:50 49,152 ----a-w P:\WINDOWS\system32\wdigest.dll
- 2007-06-26 14:09:10 658,944 ----a-w P:\WINDOWS\system32\wininet.dll
+ 2007-08-22 13:12:18 658,944 ----a-w P:\WINDOWS\system32\wininet.dll
+ 2007-01-25 17:31:36 240,496 ----a-w P:\WINDOWS\system32\wpcap.dll
+ 2007-07-19 21:42:36 219,448 ----a-w P:\WINDOWS\system32\WRLogonNtf.dll
+ 2007-07-19 21:42:36 26,424 ----a-w P:\WINDOWS\system32\wrlzma.dll
- 2007-06-14 13:39:54 115,712 ------w P:\WINDOWS\system32\xpsp3res.dll
+ 2007-08-21 10:20:02 115,712 ----a-w P:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-30 15:27:09 16,384 ----atw P:\WINDOWS\TEMP\Perflib_Perfdata_620.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!1_pgaccount"="P:\Program Files\ProcessGuard\pgaccount.exe" [2005-12-23 11:37]
"MSConfig"="P:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\combofix]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\P:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder Gold Version.lnk]
path=P:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder Gold Version.lnk
backup=P:\WINDOWS\pss\Trojan Guarder Gold Version.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\P:^Documents and Settings^WinXP Pro SP2^Start Menu^Programs^Startup^MagicDisc.lnk]
path=P:\Documents and Settings\WinXP Pro SP2\Start Menu\Programs\Startup\MagicDisc.lnk
backup=P:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_ProcessGuard_Startup]
"P:\Program Files\ProcessGuard\procguard.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"P:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"P:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvaFind]
"P:\Program Files\AvaFind\AvaFind.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
"P:\WINDOWS\system32\cmd.exe" /c "cd /d P:\ComboFix\ & Combobatch.bat"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
P:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefenseWall]
"P:\Program Files\DefenseWall\DefenseWall.exe" regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
"P:\Program Files\DU Meter\DUMeter.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
P:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
P:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"P:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" P:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE P:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
"P:\Program Files\PeerGuardian2\pg2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"P:\Program Files\PowerISO\PWRISOVM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SocketScanner Monitor]
P:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
P:\Program Files\UnHackMe\hackmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Program]
P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"StarWindService"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"O&O Defrag"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NOD32krn"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"defensewall_serv"=2 (0x2)
"DCSPGSRV"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"BthServ"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kdx"=P:\Program Files\Kontiki\KHost.exe -all

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;P:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 dwall;DefenseWall driver;P:\WINDOWS\system32\Drivers\dwall.sys
R2 procguard;procguard;\??\P:\WINDOWS\system32\drivers\procguard.sys
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;P:\WINDOWS\system32\DRIVERS\LNE100V5.sys
S2 DCSPGSRV;DiamondCS ProcessGuard Service v3.200;"P:\Program Files\ProcessGuard\dcsuserprot.exe"
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;P:\WINDOWS\system32\DRIVERS\AN983.sys
S3 KProcWatch;KProcWatch;\??\P:\WINDOWS\system32\drivers\KProcWatch.sys
S4 defensewall_serv;DefenseWall internal service;P:\WINDOWS\system32\defensewall_serv.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 04:01:50 P:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- P:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-10-22 03:23:05 P:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- P:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 15:33:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 15:38:51 - machine was rebooted
P:\ComboFix2.txt ... 2007-10-07 12:01
.
--- E O F ---


***********************

ComboFix2.txt file

ComboFix 07-10-07.2 - WinXP Pro SP2 2007-10-07 12:58:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT 1:00]
Running from: P:\Documents and Settings\WinXP Pro SP2\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 12:57 51,200 --a------ P:\WINDOWS\NirCmd.exe
2007-10-07 12:53 <DIR> d-------- P:\Program Files\Trend Micro
2007-10-07 05:30 <DIR> d-------- P:\Program Files\PowerISO
2007-10-07 05:19 <DIR> d-------- P:\Program Files\Lavasoft
2007-10-07 05:19 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-07 05:18 <DIR> d-------- P:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 19:40 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five
2007-10-05 19:39 <DIR> d-------- P:\Program Files\3wPlayer
2007-10-05 19:39 <DIR> d-------- P:\Program Files\2 One Safe
2007-10-05 19:39 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\2 One Safe
2007-10-05 09:47 <DIR> d-------- P:\Program Files\VistaCodecPack
2007-10-05 09:47 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-05 09:39 <DIR> d-------- P:\Program Files\DAMN NFO Viewer
2007-10-03 13:40 <DIR> d-------- P:\Program Files\Kontiki
2007-10-03 13:40 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Kontiki
2007-10-03 13:39 <DIR> d-------- P:\Documents and Settings\All Users\Application Data\Channel4
2007-10-03 13:07 221,184 --a------ P:\WINDOWS\system32\wmpns.dll
2007-10-03 13:06 <DIR> d-------- P:\Program Files\Windows Media Connect 2
2007-10-03 13:02 <DIR> d-------- P:\WINDOWS\system32\LogFiles
2007-10-03 13:02 <DIR> d-------- P:\WINDOWS\system32\drivers\UMDF
2007-10-03 07:35 1,156 --a------ P:\WINDOWS\mozver.dat
2007-09-09 05:06 443,752 --a------ P:\WINDOWS\system32\d3dx10_34.dll
2007-09-09 05:06 443,752 --a------ P:\WINDOWS\system32\d3dx10_33.dll
2007-09-09 05:06 3,497,832 --a------ P:\WINDOWS\system32\d3dx9_34.dll
2007-09-09 05:06 3,495,784 --a------ P:\WINDOWS\system32\d3dx9_33.dll
2007-09-09 05:06 266,088 --a------ P:\WINDOWS\system32\xactengine2_8.dll
2007-09-09 05:06 261,480 --a------ P:\WINDOWS\system32\xactengine2_7.dll
2007-09-09 05:06 18,280 --a------ P:\WINDOWS\system32\x3daudio1_2.dll
2007-09-09 05:06 1,124,720 --a------ P:\WINDOWS\system32\D3DCompiler_34.dll
2007-09-09 05:06 1,123,696 --a------ P:\WINDOWS\system32\D3DCompiler_33.dll
2007-09-09 04:53 0 --a------ P:\WINDOWS\nsreg.dat
2007-09-09 04:53 <DIR> d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Talkback

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 13:00 --------- d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\uTorrent
2007-09-09 23:00 --------- d-------- P:\Program Files\uTorrent
2007-09-06 15:29 --------- d-------- P:\Program Files\Ahead
2007-09-06 15:28 --------- d--h----- P:\Program Files\InstallShield Installation Information
2007-09-06 15:28 --------- d-------- P:\Program Files\GoldEsel
2007-09-06 15:28 --------- d-------- P:\Program Files\Common Files\InstallShield
2007-09-06 15:22 --------- d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\Ahead
2007-09-06 15:16 --------- d-------- P:\Program Files\Common Files\Ahead
2007-09-06 14:44 --------- d-------- P:\Documents and Settings\WinXP Pro SP2\Application Data\vlc
2007-09-06 14:41 --------- d-------- P:\Program Files\VideoLAN
2007-09-06 13:05 223128 --a------ P:\WINDOWS\system32\drivers\vaxscsi.sys
2007-09-06 13:05 --------- d-------- P:\Program Files\Alcohol Soft
2007-09-06 13:01 96256 --a------ P:\WINDOWS\system32\drivers\sptd7741.sys
2007-09-06 13:01 643072 --a------ P:\WINDOWS\system32\drivers\sptd.sys
2007-09-06 12:01 512096 --a------ P:\WINDOWS\system32\drivers\amon.sys
2007-09-06 12:01 298104 --a------ P:\WINDOWS\system32\imon.dll
2007-09-06 12:01 15424 --a------ P:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-23 09:54 --------- d-------- P:\Program Files\Orange
2007-08-18 07:20 --------- d-------- P:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ P:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ P:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ P:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ P:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ P:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ P:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ P:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ P:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ P:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ P:\WINDOWS\system32\wups.dll
2007-07-10 23:55 7680 --a------ P:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 P:\WINDOWS\system32\bthprops.cpl]
"nod32kui"="P:\Program Files\Eset\nod32kui.exe" [2007-09-06 12:01]
"NeroFilterCheck"="P:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="P:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"4oD"="P:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"Adobe Reader Speed Launcher"="P:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"heart five nurb mix"="P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five\memo vga.exe" [2007-10-07 12:34]
"PWRISOVM.EXE"="P:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 13:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="P:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="P:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]
"kdx"="P:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"Wma Program"="P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe" [2007-10-05 19:39]

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;P:\WINDOWS\system32\DRIVERS\AN983.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\WindowMode.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - HTTPFILTER
*Newly Created Service* - SCDEMU
.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 12:00:05 P:\WINDOWS\Tasks\AE1B23D39334D63B.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 13:00:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 13:01:20
.
--- E O F ---


Edited by londonliving, 30 October 2007 - 02:11 PM.
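
Added example, not part of the thread and not ComboFix's own logic: a small Python triage pass over autostart entries in the shape ComboFix prints them in the logs above (Run-key values, a MountPoints2 AutoRun\command line, and 'Scheduled Tasks' entries). The sample lines are constructed to mirror the kinds of entries in the log; the heuristics (targets under a user profile directory, 8.3 short paths, per-drive AutoRun commands, all-hex task file names) are the editor's own, and a flag means "look at this entry", not a confirmed detection.

```python
"""Triage of ComboFix-style 'Reg Loading Points' and Scheduled Tasks lines.

Added example code; the heuristics are the editor's own assumptions, not
anything ComboFix or the thread's helpers documented.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape ComboFix prints them, modelled
# on the kinds of entries that appear in the logs above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="P:\Program Files\Eset\nod32kui.exe" [2007-09-06 12:01]
"heart five nurb mix"="P:\Documents and Settings\All Users\Application Data\Blue Blah Heart Five\memo vga.exe" [2007-10-07 12:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="P:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"Wma Program"="P:\DOCUME~1\WINXPP~1\APPLIC~1\2ONESA~1\Nounlocks.exe" [2007-10-05 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\WindowMode.exe

Contents of the 'Scheduled Tasks' folder
"2007-10-07 12:00:05 P:\WINDOWS\Tasks\AE1B23D39334D63B.job"
"2007-10-12 04:01:50 P:\WINDOWS\Tasks\Uniblue SpyEraser.job"
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?: \[[^\]]*\])?$')
AUTORUN_RE = re.compile(r'^AutoRun\\command- (.+)$')
TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+\\Tasks\\([^\\]+\.job))"$')

# Lower-cased markers for "this binary lives in a user-writable profile path".
PROFILE_MARKERS = ('\\documents and settings\\', '\\application data\\',
                   'docume~1', 'applic~1')


@dataclass
class Finding:
    source: str    # registry key, 'mountpoints2' or 'Scheduled Tasks'
    name: str      # value name, drive letter or task file name
    target: str    # what would execute
    reasons: list  # why it was flagged (heuristic labels)


def path_reasons(path):
    """Heuristic reasons (assumed, not authoritative) to review an autostart target."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append('runs from a user-writable profile location')
    if re.search(r'~\d', path):
        reasons.append('8.3 short path hides the real folder name')
    return reasons


def triage(text):
    """Parse Run keys, MountPoints2 AutoRun lines and task entries; return flagged items."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            continue
        if key and (m := VALUE_RE.match(line)):
            name, target = m.groups()
            reasons = path_reasons(target)
            if reasons:
                findings.append(Finding(key, name, target, reasons))
            continue
        if key and 'mountpoints2' in key.lower() and (m := AUTORUN_RE.match(line)):
            # A per-drive AutoRun\command under MountPoints2 re-launches a binary
            # when that drive is opened in Explorer; always worth a look.
            drive = key.rsplit('\\', 1)[-1]
            findings.append(Finding('mountpoints2', drive, m.group(1),
                                    ['AutoRun command registered for a drive letter']))
            continue
        if (m := TASK_RE.match(line)):
            full_path, job = m.groups()
            stem = job[:-len('.job')]
            if re.fullmatch(r'[0-9A-Fa-f]{8,}', stem):
                findings.append(Finding('Scheduled Tasks', job, full_path,
                                        ['random-looking hex task name']))
    return findings


def flagged_names(text):
    """Names of the flagged entries, sorted, for quick comparison."""
    return sorted(f.name for f in triage(text))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.source}: {f.name!r} -> {f.target}')
        for reason in f.reasons:
            print(f'    - {reason}')
```

Run against the sample, the two vendor entries (nod32kui, CTFMON.EXE) pass untouched while the profile-directory Run values, the drive-letter AutoRun command and the hex-named .job are listed for review; the point is to shortlist what to check against the tool's own output, not to replace it.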


#9 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:57 AM

Posted 08 November 2007 - 08:24 AM

Thanks for your help on this, but I have decided to reformat as that seemed the only way...

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:57 AM

Posted 08 November 2007 - 09:22 AM

My apologies for not getting back to you on this. I seem to have missed the email notice.

I think your decision is wise. As stated before, a fresh start would be the way I would go. Even though we could clean up a lot of it, the types of infections you had leave behind a lot of damage and it is very difficult to trace and repair all of it.

You seem to have a good knowledge of security programs, although I would lighten up a bit on those and be more careful of what you download. Then read over the following topic and use the advice that applies to you:

How did I get infected?, With steps so it does not happen again!


Using SpywareBlaster and Secunia Software Inspector are highly recommended.

Glad I was able to help and wish I had done more. Thanks for letting us know your decision.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#11 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:57 AM

Posted 27 November 2007 - 06:45 AM

Hi Papakid

Thanks for the links - very informative.

The machine now has Linux - Mandriva 2007 KDE for web stuff and a stripped down Win XP Pro occupying just 96Mb.

Will be posting a new log for a different machine as my friend told me he caught something on his external hard drive he uses to bring images and videos.

Keep up the good work, thanks for your help.

Please close this topic

Cheers
LL



