
Hijackthis Log: Please Help Diagnose


18 replies to this topic

#1 plumsy

Posted 28 November 2007 - 12:53 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:58 PM, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nse37.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: optimizer by rightonadz - {AB71E94E-3DC4-41eb-BBD5-31E82C9FD1D4} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {D9F079AE-1129-4C1D-9623-2B0AF2F10DD3} - C:\WINDOWS\system32\ddem.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Auto EPSON Stylus CX5900 Series on KEVIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU "C:\WINDOWS\TEMP\E_SB.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FF639B-E143-43FD-9B9F-72CB1F61A4DE}: NameServer = 198.142.0.51,192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10306 bytes


#2 plumsy

Posted 28 November 2007 - 05:16 AM

Please help me someone.....I have no idea what it all means

#3 Grinler

Lawrence Abrams, Admin

Posted 28 November 2007 - 08:25 AM

Go to:
http://www.bleepingcomputer.com/submit-malware.php
and please submit the following file:


C:\WINDOWS\system32\gzmrotate.dll

When I receive that file I will help you start cleaning up the infection on your computer. Please reply to this topic once it has been sent so I can check for it.

#4 plumsy


Posted 30 November 2007 - 08:16 AM

Alright....I sent a file. It wasn't C:\WINDOWS\system32\gzmrotate.dll because that didn't exist, but I sent the closest match to it, which was C:\WINDOWS\system32\gzmrt.dll. Please get back to me ASAP.

#5 Grinler

Lawrence Abrams, Admin

Posted 30 November 2007 - 08:48 AM

First we need to update Java:

Update Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...). It should have the Java icon next to it. Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp
    Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
Next:

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nse37.dll (file missing)
O2 - BHO: optimizer by rightonadz - {AB71E94E-3DC4-41eb-BBD5-31E82C9FD1D4} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: (no name) - {D9F079AE-1129-4C1D-9623-2B0AF2F10DD3} - C:\WINDOWS\system32\ddem.dll
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\system32\nse37.dll
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\ddem.dll

Reboot your computer to go back to normal mode.

Next,
  • Download Combofix to your desktop.

  • Double-click combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after reboot if it asks for one, combofix will open again to gather the necessary information for the log. This may take a while so please be patient. When done, Combofix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.
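As an added illustration of the triage the reply above does by hand (this is editor-added Python, not a BleepingComputer, HijackThis or ComboFix tool): a small parser for the O2 (BHO) and O4 (autorun) lines of a HijackThis 2.0.2 log that flags BHO registrations whose DLL is gone, entries naming the files the reply lists for removal, and autoruns that load such a DLL through rundll32. The sample log is a constructed excerpt modelled on the one posted in this thread, and the watch list is the three file names from the reply; the function and class names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in HijackThis 2.0.2 format, modelled on the log posted in
# this thread (a subset of its lines, not the complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nse37.dll (file missing)
O2 - BHO: optimizer by rightonadz - {AB71E94E-3DC4-41eb-BBD5-31E82C9FD1D4} - C:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: (no name) - {D9F079AE-1129-4C1D-9623-2B0AF2F10DD3} - C:\WINDOWS\system32\ddem.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# The files the helper in this thread told the poster to fix and delete.
WATCH_FILES = {"nse37.dll", "gzmrotate.dll", "ddem.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# rundll32 <dll>[,entry] with the DLL either quoted or unquoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^\s,]+))', re.I)
# Basenames of binaries mentioned anywhere in a line.
FILE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe|ocx|sys)\b', re.I)


@dataclass
class Entry:
    section: str            # "O2" or "O4"
    name: str               # BHO display name or Run value name
    target: str             # DLL path (O2) or full command line (O4)
    raw: str                # the original log line
    clsid: Optional[str] = None
    hive: Optional[str] = None


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2 (BHO) and O4 (autorun) lines; every other line is ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := O2_RE.match(raw):
            entries.append(Entry("O2", m["name"], m["target"], raw, clsid=m["clsid"]))
        elif m := O4_RE.match(raw):
            entries.append(Entry("O4", m["name"], m["target"], raw, hive=m["hive"]))
    return entries


def rundll32_dll(command: str) -> Optional[str]:
    """Return the DLL a rundll32 command line loads, or None if it is not a rundll32 launch."""
    m = RUNDLL_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None


def referenced_files(text: str) -> set[str]:
    """Lower-cased basenames of every .dll/.exe/.ocx/.sys named in a line."""
    return {m.group(0).lower() for m in FILE_RE.finditer(text)}


def flag(entry: Entry, watch: set[str]) -> list[str]:
    """Reasons this entry deserves a second look; empty list means nothing noted."""
    watch_lc = {w.lower() for w in watch}
    reasons: list[str] = []
    if entry.section == "O2" and (entry.target == "(no file)" or entry.target.endswith("(file missing)")):
        reasons.append("BHO CLSID registered but its DLL is gone (orphaned registration)")
    hits = referenced_files(entry.target) & watch_lc
    if hits:
        reasons.append("references watched file(s): " + ", ".join(sorted(hits)))
    dll = rundll32_dll(entry.target)
    if dll and dll.split("\\")[-1].lower() in watch_lc:
        reasons.append(f"autorun loads a watched DLL through rundll32: {dll}")
    return reasons


def triage(text: str, watch: set[str] = WATCH_FILES) -> list[tuple[Entry, list[str]]]:
    """Flagged entries of a log, in log order, each with its reasons."""
    return [(e, r) for e in parse_hjt(text) if (r := flag(e, watch))]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry.raw)
        for reason in reasons:
            print("   ->", reason)
```

Run on the sample, it reports exactly the five lines the reply told the poster to fix (four O2 entries and the hid_start autorun) and stays quiet on the Adobe, NVIDIA and ctfmon lines. The orphaned-registration check and the watch-list check are deliberately separate: an `O2` line marked `(no file)` is harmless by itself but still worth clearing, while a present DLL on the watch list is the thing that actually needs deleting in Safe Mode.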

#6 plumsy


Posted 30 November 2007 - 08:35 PM

ComboFix 07-12-01.2 - Administrator 2007-12-01 12:23:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1552 [GMT 11:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-11-29 01:52 . 2007-11-29 01:52 64,000 --a------ C:\WINDOWS\system32\gzmrt.dll
2007-11-26 21:25 . 2007-11-26 21:28 <DIR> d-------- C:\thing (THIS IS NOT PART OF THE LOG. this is a program called "regclean.exe" THIS IS NOT PART OF THE LOG)
2007-11-26 21:18 . 2007-11-26 21:18 <DIR> d-------- C:\Program Files\Panicware
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iPod
2007-11-23 22:24 . 2007-11-23 22:24 <DIR> d-------- C:\Program Files\QuickTime
2007-11-22 19:18 . 2004-08-04 23:00 83,968 --a------ C:\WINDOWS\system32\ddem.1
2007-11-19 19:04 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-19 19:04 . 2004-08-30 14:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-19 19:04 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2007-11-19 19:04 . 2003-09-05 12:07 168,960 --a------ C:\WINDOWS\system32\XCDZIP35.OCX
2007-11-19 19:04 . 2003-09-10 12:09 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2007-11-19 19:04 . 2005-01-21 12:20 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-11-19 19:02 . 2007-11-19 19:02 <DIR> d-------- C:\Program Files\Adssite Advanced Toolbar
2007-11-19 19:02 . 2007-11-19 19:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Adssite Advanced Toolbar
2007-11-19 19:02 . 2007-11-29 03:27 40,737 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-11-19 18:59 . 2007-11-19 18:59 <DIR> d-------- C:\Program Files\PlayMP3z
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-08 20:17 . 2007-11-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-06 11:35 . 2007-11-06 11:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-06 11:35 . 2007-07-25 15:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 11:35 . 2007-09-28 18:05 739,840 --a------ C:\WINDOWS\system32\divx.dll
2007-11-06 11:35 . 2006-09-24 17:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-06 11:35 . 2007-03-10 13:51 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-06 11:35 . 2004-01-25 18:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-06 11:35 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-06 11:35 . 2007-09-21 02:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2007-11-06 11:35 . 2007-07-29 17:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-06 11:35 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-06 11:35 . 2007-10-03 17:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 12:12 . 2007-11-03 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 00:59 --------- d-----w C:\Program Files\Java
2007-11-29 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-27 10:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-11-26 10:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-26 08:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-26 06:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-26 06:22 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-25 10:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire
2007-11-25 09:59 --------- d-----w C:\Program Files\SpeedFan
2007-11-23 11:22 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 08:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 08:02 79,875 ----a-w C:\WINDOWS\system32\adssite-remove.exe
2007-11-14 04:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 05:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-12 23:36 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-03 01:08 --------- d-----w C:\Program Files\DivX
2007-10-30 07:32 --------- d-----w C:\Program Files\THQ
2007-10-15 13:02 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 12:49 --------- d-----w C:\Program Files\Bonjour
2007-10-15 12:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-15 12:39 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 09:41 --------- d-----w C:\Program Files\PowerISO
2007-10-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-14 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial
2007-10-14 06:52 --------- d-----w C:\Program Files\Microsoft Games
2007-10-14 04:27 --------- d-----w C:\Program Files\Azureus
2007-10-13 07:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-13 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield Installation Information
2007-10-13 07:14 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-12 08:04 --------- d--h--w C:\Program Files\Pussy
2007-10-10 07:28 77,760 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 06:40 --------- d-----w C:\Program Files\Driver Cleaner PE
2007-10-07 08:08 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2007-10-04 06:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 06:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 06:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 06:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-03 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-03 06:19 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-02 10:34 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-02 10:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2007-10-02 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-02 10:21 23,616 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
2007-09-28 07:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 07:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-12 23:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2002-01-03 14:12 30,615 ----a-w C:\Documents and Settings\Administrator\x.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-09 11:02]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 10:01]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-17 17:23 C:\WINDOWS\system32\nwiz.exe]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 14:25]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 23:21]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 18:03 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 17:22]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 11:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe" [2004-08-04 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 23:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\Program Files\DAP\DAP.EXE /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5900 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU C:\WINDOWS\TEMP\E_S12E.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\mwinomdt.exe P2D002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-10-02 16:27 1065288 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 20:11 925696 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-09 11:02 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CF-F1-1F-F8-ZN}]
C:\windows\system32\dwdsrngt.exe P2D002

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
S3 BS_DEF;BS_DEF;\??\C:\Program Files\ASUS\AsusUpdate\BS_DEF.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfe3c5b8-c181-11db-ba41-0015e9b988bb}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 08:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 20:20:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-12 10:17:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 12:28:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 12:29:20 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:12 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FF639B-E143-43FD-9B9F-72CB1F61A4DE}: NameServer = 198.142.0.51,192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10258 bytes

Once again, the file C:\WINDOWS\system32\gzmrotate.dll didn't exist.
When I did the HJT scan, the file O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllV didn't exist either.

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:17 AM

Posted 01 December 2007 - 02:26 PM

2007-11-26 21:25 . 2007-11-26 21:28 <DIR> d-------- C:\thing (THIS IS NOT PART OF THE LOG. this is a program called "regclean.exe" THIS IS NOT PART OF THE LOG)


Did you add the above in? If so, why?


Then,

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

Any Adssite programs listed
Righton Adz

Finally,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\gzmrt.dll
C:\Documents and Settings\Administrator\Application Data\Adssite Advanced Toolbar
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\Documents and Settings\Administrator\x.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnk
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\mwinomdt.exe
C:\windows\system32\dwdsrngt.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CF-F1-1F-F8-ZN}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfe3c5b8-c181-11db-ba41-0015e9b988bb}]


Save this as the txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
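The CFScript above works in two halves: File:: deletes the payload files and Registry:: removes the listed keys. A Run value that launched one of those files does not disappear when the file does, and it is easy to overlook when the value goes through rundll32, because scan tools then show rundll32.exe as the program rather than the DLL it loads (ComboFix's own "Reg Loading Points" section lists "postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe"). The script below is an added example written for this page, not code from the thread and not part of HijackThis or ComboFix: it parses HijackThis O4 Run lines, resolves rundll32 indirection to the real DLL and export, and reports entries whose target appears in a list of files already deleted, so the leftover registry value can be cleaned too. The sample O4 lines and the deleted-file list are copied from the logs posted in this thread; the function and class names are my own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Sample HijackThis O4 lines, copied from the HijackThis log posted earlier in
# this thread (the "Global Startup" line is included to show that it is skipped).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Files ComboFix reported under "Other Deletions" in the log posted in this thread.
DELETED_FILES = [
    r"C:\Documents and Settings\Administrator\x.exe",
    r"C:\WINDOWS\system32\adssite-remove.exe",
    r"C:\WINDOWS\system32\gzmrt.dll",
    r"C:\WINDOWS\system32\rightonadz-uninst.exe",
]

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [name] command", where the hive
# may also be HKCU or a per-user HKUS\<SID>. Startup-folder lines are not matched.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")  # HijackThis appends this for HKUS hives
RUNDLL_HOSTS = {"rundll32.exe", "rundll32"}


@dataclass
class AutostartEntry:
    hive: str
    name: str
    command: str
    host: Optional[str]         # rundll32 path when the entry is an indirect load
    target: str                 # the file that actually runs (exe, or the DLL behind rundll32)
    entry_point: Optional[str]  # rundll32 export name, if any


def split_windows_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_o4_line(line: str) -> Optional[AutostartEntry]:
    """Parse one registry-backed O4 line; return None for anything else."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    command = USER_SUFFIX_RE.sub("", m.group("command"))
    tokens = split_windows_cmdline(command)
    if not tokens:
        return None
    host = None
    entry_point = None
    # rundll32 is only the host: the payload is the DLL in its first argument,
    # written either as "dll,Export" or as "dll" Export.
    if ntpath.basename(tokens[0]).lower() in RUNDLL_HOSTS and len(tokens) > 1:
        host = tokens[0]
        dll_arg = tokens[1]
        if "," in dll_arg:
            target, entry_point = dll_arg.split(",", 1)
        else:
            target = dll_arg
            entry_point = tokens[2] if len(tokens) > 2 else None
    else:
        target = tokens[0]
    return AutostartEntry(m.group("hive"), m.group("name"), command, host, target, entry_point)


def parse_hjt_o4(log_text: str) -> list:
    """All registry Run entries from a HijackThis log, in log order."""
    return [e for e in map(parse_o4_line, log_text.splitlines()) if e is not None]


def find_orphaned_entries(log_text: str, deleted_files) -> list:
    """Run entries whose real target was deleted: the registry value itself is still present."""
    deleted = {ntpath.normcase(p) for p in deleted_files}
    return [e for e in parse_hjt_o4(log_text) if ntpath.normcase(e.target) in deleted]


if __name__ == "__main__":
    for e in find_orphaned_entries(SAMPLE_HJT_LOG, DELETED_FILES):
        via = f" via {e.host}" if e.host else ""
        print(f"orphaned autostart: {e.hive}\\..\\Run [{e.name}] -> {e.target}{via}")
```

Run against the sample, the only hit is postSetupCheck, whose DLL was deleted while its HKLM Run value remains; the NvCplDaemon entry goes through the same rundll32 indirection but its DLL was not touched, so it is not reported. Path comparison uses ntpath.normcase so that the mixed System32/system32 casing seen in these logs does not hide a match.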

#8 plumsy

plumsy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:17 AM

Posted 01 December 2007 - 06:26 PM

ComboFix 07-12-01.2 - Administrator 2007-12-02 9:34:23.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Administrator\x.exe
C:\WINDOWS\pss\TA_Start.lnk
C:\WINDOWS\system32\adssite-remove.exe
C:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\gzmrt.dll
C:\WINDOWS\system32\mwinomdt.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\x.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\gzmrt.dll
C:\WINDOWS\system32\rightonadz-uninst.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\UltraISO
2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2007-11-26 21:25 . 2007-11-26 21:28 <DIR> d-------- C:\thing
2007-11-26 21:18 . 2007-11-26 21:18 <DIR> d-------- C:\Program Files\Panicware
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iPod
2007-11-23 22:24 . 2007-11-23 22:24 <DIR> d-------- C:\Program Files\QuickTime
2007-11-22 19:18 . 2004-08-04 23:00 83,968 --a------ C:\WINDOWS\system32\ddem.1
2007-11-19 19:04 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-19 19:04 . 2004-08-30 14:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-19 19:04 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2007-11-19 19:04 . 2003-09-05 12:07 168,960 --a------ C:\WINDOWS\system32\XCDZIP35.OCX
2007-11-19 19:04 . 2003-09-10 12:09 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2007-11-19 19:04 . 2005-01-21 12:20 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-11-19 18:59 . 2007-11-19 18:59 <DIR> d-------- C:\Program Files\PlayMP3z
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-08 20:17 . 2007-11-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-06 11:35 . 2007-11-06 11:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-06 11:35 . 2007-07-25 15:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 11:35 . 2007-09-28 18:05 739,840 --a------ C:\WINDOWS\system32\divx.dll
2007-11-06 11:35 . 2006-09-24 17:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-06 11:35 . 2007-03-10 13:51 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-06 11:35 . 2004-01-25 18:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-06 11:35 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-06 11:35 . 2007-09-21 02:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2007-11-06 11:35 . 2007-07-29 17:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-06 11:35 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-06 11:35 . 2007-10-03 17:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 12:12 . 2007-11-03 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 22:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-12-01 12:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-01 10:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-01 03:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 00:59 --------- d-----w C:\Program Files\Java
2007-11-26 10:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 10:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire
2007-11-25 09:59 --------- d-----w C:\Program Files\SpeedFan
2007-11-23 11:22 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 08:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 04:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 05:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-12 23:36 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-03 01:08 --------- d-----w C:\Program Files\DivX
2007-10-30 07:32 --------- d-----w C:\Program Files\THQ
2007-10-15 13:02 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 12:49 --------- d-----w C:\Program Files\Bonjour
2007-10-15 12:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-15 12:39 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 09:41 --------- d-----w C:\Program Files\PowerISO
2007-10-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-14 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial
2007-10-14 06:52 --------- d-----w C:\Program Files\Microsoft Games
2007-10-14 04:27 --------- d-----w C:\Program Files\Azureus
2007-10-13 07:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-13 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield Installation Information
2007-10-13 07:14 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-12 08:04 --------- d--h--w C:\Program Files\Pussy
2007-10-10 07:28 77,760 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 06:40 --------- d-----w C:\Program Files\Driver Cleaner PE
2007-10-07 08:08 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2007-10-04 06:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 06:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 06:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 06:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-03 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-02 10:34 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-02 10:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2007-10-02 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-02 10:21 23,616 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-01_12.28.48.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-26 06:22:15 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2007-12-01 03:03:05 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-09 11:02]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 10:01]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-17 17:23 C:\WINDOWS\system32\nwiz.exe]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 14:25]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 23:21]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 18:03 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 17:22]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 11:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe" [2004-08-04 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 23:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\Program Files\DAP\DAP.EXE /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5900 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU C:\WINDOWS\TEMP\E_S12E.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-10-02 16:27 1065288 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 20:11 925696 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-09 11:02 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\UltraISO\drivers\ISODrive.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
S3 BS_DEF;BS_DEF;\??\C:\Program Files\ASUS\AsusUpdate\BS_DEF.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 08:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 20:20:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-12 10:17:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 09:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 9:40:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-01 12:29
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:42 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FF639B-E143-43FD-9B9F-72CB1F61A4DE}: NameServer = 198.142.0.51,192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10252 bytes

#9 plumsy

Posted 01 December 2007 - 06:37 PM

Alright, what's going on now? Since I did the last 2 scans, I have no sound whatsoever. I tried 2 different headphones and 2 different types of speakers and still nothing. How do I fix this? It's only after I did what you told me to in your last post!!

#10 plumsy

Posted 01 December 2007 - 07:44 PM

Alright, I fixed the sound problem. It was the file C:\WINDOWS\system32\gzmrt.dll. I did a system restore, and then did the notepad thing again without that file in it, and now the sound works. Is this a problem? Because I like my sound.

Here is the new log from ComboFix:

ComboFix 07-12-01.2 - Administrator 2007-12-02 11:35:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1610 [GMT 11:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Application Data\Adssite Advanced Toolbar
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Administrator\x.exe
C:\WINDOWS\pss\TA_Start.lnk
C:\WINDOWS\system32\adssite-remove.exe
C:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\mwinomdt.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\x.exe
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\rightonadz-uninst.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\UltraISO
2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2007-11-29 01:52 . 2007-11-29 01:52 64,000 --a------ C:\WINDOWS\system32\gzmrt.dll
2007-11-26 21:25 . 2007-11-26 21:28 <DIR> d-------- C:\thing
2007-11-26 21:18 . 2007-11-26 21:18 <DIR> d-------- C:\Program Files\Panicware
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iPod
2007-11-23 22:24 . 2007-11-23 22:24 <DIR> d-------- C:\Program Files\QuickTime
2007-11-22 19:18 . 2004-08-04 23:00 83,968 --a------ C:\WINDOWS\system32\ddem.1
2007-11-19 19:04 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-19 19:04 . 2004-08-30 14:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-19 19:04 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2007-11-19 19:04 . 2003-09-05 12:07 168,960 --a------ C:\WINDOWS\system32\XCDZIP35.OCX
2007-11-19 19:04 . 2003-09-10 12:09 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2007-11-19 19:04 . 2005-01-21 12:20 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-11-19 18:59 . 2007-11-19 18:59 <DIR> d-------- C:\Program Files\PlayMP3z
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-08 20:17 . 2007-11-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-06 11:35 . 2007-11-06 11:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-06 11:35 . 2007-07-25 15:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 11:35 . 2007-09-28 18:05 739,840 --a------ C:\WINDOWS\system32\divx.dll
2007-11-06 11:35 . 2006-09-24 17:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-06 11:35 . 2007-03-10 13:51 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-06 11:35 . 2004-01-25 18:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-06 11:35 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-06 11:35 . 2007-09-21 02:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2007-11-06 11:35 . 2007-07-29 17:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-06 11:35 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-06 11:35 . 2007-10-03 17:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 12:12 . 2007-11-03 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 22:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-12-01 12:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-01 10:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-01 03:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 03:03 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-01 00:59 --------- d-----w C:\Program Files\Java
2007-11-26 10:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 10:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire
2007-11-25 09:59 --------- d-----w C:\Program Files\SpeedFan
2007-11-23 11:22 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 08:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 04:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 05:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-12 23:36 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-03 01:08 --------- d-----w C:\Program Files\DivX
2007-10-30 07:32 --------- d-----w C:\Program Files\THQ
2007-10-15 13:02 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 12:49 --------- d-----w C:\Program Files\Bonjour
2007-10-15 12:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-15 12:39 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 09:41 --------- d-----w C:\Program Files\PowerISO
2007-10-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-14 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial
2007-10-14 06:52 --------- d-----w C:\Program Files\Microsoft Games
2007-10-14 04:27 --------- d-----w C:\Program Files\Azureus
2007-10-13 07:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-13 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield Installation Information
2007-10-13 07:14 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-12 08:04 --------- d--h--w C:\Program Files\Pussy
2007-10-10 07:28 77,760 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 06:40 --------- d-----w C:\Program Files\Driver Cleaner PE
2007-10-07 08:08 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2007-10-04 06:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 06:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 06:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 06:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-03 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-03 06:19 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-02 10:34 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-02 10:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2007-10-02 10:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-02 10:21 23,616 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
2007-09-28 07:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 07:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-12 23:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-01_12.28.48.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-08 06:40:46 110,332 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-02 00:26:10 76,072 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-09 11:02]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 10:01]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-17 17:23 C:\WINDOWS\system32\nwiz.exe]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 14:25]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 23:21]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 18:03 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 17:22]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 11:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe" [2004-08-04 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 23:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\system32\gzmrotate.dll DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\Program Files\DAP\DAP.EXE /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5900 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU C:\WINDOWS\TEMP\E_S12E.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\mwinomdt.exe P2D002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-10-02 16:27 1065288 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 20:11 925696 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-09 11:02 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CF-F1-1F-F8-ZN}]
C:\windows\system32\dwdsrngt.exe P2D002

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\UltraISO\drivers\ISODrive.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
S3 BS_DEF;BS_DEF;\??\C:\Program Files\ASUS\AsusUpdate\BS_DEF.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfe3c5b8-c181-11db-ba41-0015e9b988bb}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 08:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 20:20:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-12 10:17:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 11:38:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 11:39:06
C:\ComboFix2.txt ... 2007-12-02 09:40
C:\ComboFix3.txt ... 2007-12-01 12:29
.
--- E O F ---

Edited by plumsy, 01 December 2007 - 07:47 PM.


#11 Grinler

Lawrence Abrams

Posted 02 December 2007 - 01:17 PM

Please do not do a system restore again until we get your computer completely cleaned. When you do that, we need to re-perform the previous cleanings.

First,

Update Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the Java icon next to it.
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
Then,


* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\gzmrt.dll
C:\WINDOWS\system32\mwinomdt.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\windows\system32\dwdsrngt.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{CF-F1-1F-F8-ZN}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]


Save this as the text file CFScript.

Then drag the CFScript onto ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
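The CFScript above targets a DLL that HijackThis showed being loaded through rundll32 from an O4 Run entry (postSetupCheck loading gzmrt.dll) and that ComboFix listed under the msconfig startupreg keys. As an added example, not part of this thread and not code from HijackThis or ComboFix, the Python below triages HijackThis O4 and O20 lines for exactly that pattern: a rundll32 command whose target DLL sits in system32 but is not on an allowlist of already-verified DLLs, plus any AppInit_DLLs entry, and then renders the File:: section of a CFScript in the layout used in this thread. The sample log lines are constructed from entries in this thread; the allowlist (KNOWN_RUNDLL32_DLLS) is an assumption standing in for a signature or hash check, and the Registry:: portion of the script is deliberately left to the analyst.

```python
"""Triage HijackThis O4/O20 lines for rundll32-loaded DLLs and AppInit_DLLs entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format. The entries mirror lines from the
# thread's log; this is not the poster's full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

# Hypothetical allowlist (assumption): DLL basenames the analyst has already
# verified, e.g. by publisher signature or hash, as legitimate rundll32 targets.
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "nvmctray.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# First argument after rundll32[.exe]: a quoted path, or an unquoted one that
# ends at the ",Export" separator or at whitespace.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    entry: str   # O4 value name, or "AppInit_DLLs"
    path: str    # file the entry loads
    reason: str


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL path a rundll32 command line loads, or None if not rundll32."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            dll = rundll32_target(m.group("cmd"))
            if dll is None:
                continue  # a plain EXE autostart; not covered by this heuristic
            basename = dll.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in dll.lower() and basename not in KNOWN_RUNDLL32_DLLS:
                findings.append(Finding(m.group("name"), dll,
                                        "rundll32 loads an unverified DLL from system32"))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so any entry deserves a publisher check even when it looks familiar.
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll:
                    findings.append(Finding("AppInit_DLLs", dll,
                                            "AppInit_DLLs entry: verify publisher"))
    return findings


def render_cfscript_files(findings: List[Finding]) -> str:
    """Render a ComboFix CFScript File:: section (the layout used in the thread)
    for the rundll32 findings. AppInit_DLLs and registry cleanup are left to
    the analyst, since deleting the wrong one breaks legitimate software."""
    paths = sorted({f.path for f in findings if f.entry != "AppInit_DLLs"})
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.entry}] {f.path}: {f.reason}")
    print(render_cfscript_files(hits))
```

Run against the constructed sample, it flags only postSetupCheck (gzmrt.dll) and the Google AppInit_DLLs entry; NvCpl.dll is on the allowlist and the EXE-based autostarts are skipped. The allowlist is the weak point of the heuristic: on a real box, replace it with an Authenticode or hash check rather than a name list, since names are trivially reused.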

#12 plumsy


Posted 02 December 2007 - 06:41 PM

I will do that, but can you then get back to me ASAP? Because I have no sound until you do.

Plus, when I did the system restore, I only went back to before the last ComboFix scan, so it shouldn't have undone anything but the ComboFix scan.

Edited by plumsy, 02 December 2007 - 06:58 PM.


#13 Grinler

Lawrence Abrams

Posted 02 December 2007 - 06:57 PM

Yes, do this fix now and I will get back to you quickly.

#14 plumsy


Posted 04 December 2007 - 04:09 AM

ComboFix 07-12-01.2 - Administrator 2007-12-04 19:52:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1586 [GMT 11:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\gzmrotate.dll
C:\WINDOWS\system32\gzmrt.dll
C:\WINDOWS\system32\mwinomdt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gzmrt.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\UltraISO
2007-12-02 09:27 . 2007-12-02 09:27 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2007-11-26 21:25 . 2007-11-26 21:28 <DIR> d-------- C:\thing
2007-11-26 21:18 . 2007-11-26 21:18 <DIR> d-------- C:\Program Files\Panicware
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-26 21:01 . 2007-11-26 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 22:25 . 2007-11-23 22:25 <DIR> d-------- C:\Program Files\iPod
2007-11-23 22:24 . 2007-11-23 22:24 <DIR> d-------- C:\Program Files\QuickTime
2007-11-22 19:18 . 2004-08-04 23:00 83,968 --a------ C:\WINDOWS\system32\ddem.1
2007-11-19 19:04 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-11-19 19:04 . 2004-08-30 14:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-19 19:04 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2007-11-19 19:04 . 2003-09-05 12:07 168,960 --a------ C:\WINDOWS\system32\XCDZIP35.OCX
2007-11-19 19:04 . 2003-09-10 12:09 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2007-11-19 19:04 . 2005-01-21 12:20 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-11-19 18:59 . 2007-11-19 18:59 <DIR> d-------- C:\Program Files\PlayMP3z
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-08 20:17 . 2007-11-08 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-06 11:35 . 2007-11-06 11:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-06 11:35 . 2007-07-25 15:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 11:35 . 2007-09-28 18:05 739,840 --a------ C:\WINDOWS\system32\divx.dll
2007-11-06 11:35 . 2006-09-24 17:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-06 11:35 . 2007-03-10 13:51 282,624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-06 11:35 . 2004-01-25 18:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-06 11:35 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-06 11:35 . 2007-09-21 02:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
2007-11-06 11:35 . 2007-07-29 17:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-06 11:35 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-11-06 11:35 . 2007-10-03 17:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 08:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-03 21:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-12-03 09:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-03 09:00 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-03 09:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-03 01:39 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 00:59 --------- d-----w C:\Program Files\Java
2007-11-26 10:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 10:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire
2007-11-25 09:59 --------- d-----w C:\Program Files\SpeedFan
2007-11-23 11:22 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-19 08:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 04:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 05:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-12 23:36 --------- d-----w C:\Program Files\Spyware Doctor
2007-11-03 01:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-11-03 01:08 --------- d-----w C:\Program Files\DivX
2007-10-30 07:32 --------- d-----w C:\Program Files\THQ
2007-10-15 13:02 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-15 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 12:49 --------- d-----w C:\Program Files\Bonjour
2007-10-15 12:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-15 12:39 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 09:41 --------- d-----w C:\Program Files\PowerISO
2007-10-14 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-14 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial
2007-10-14 06:52 --------- d-----w C:\Program Files\Microsoft Games
2007-10-14 04:27 --------- d-----w C:\Program Files\Azureus
2007-10-13 07:22 --------- d-----w C:\Program Files\BitTorrent
2007-10-13 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield Installation Information
2007-10-13 07:14 --------- d-----w C:\Program Files\AGEIA Technologies
2007-10-12 08:04 --------- d--h--w C:\Program Files\Pussy
2007-10-10 07:28 77,760 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-08 06:40 --------- d-----w C:\Program Files\Driver Cleaner PE
2007-10-07 08:08 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2007-10-04 06:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 06:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 06:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 06:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-28 07:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 07:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-12 23:45 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-01_12.28.48.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-02 06:21:03 7,168 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2007-12-02 05:01:16 8,192 ----a-w C:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2007-10-02 06:21:01 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
+ 2007-12-02 05:01:18 32,768 ----a-w C:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
- 2007-10-02 06:20:55 716,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2007-12-02 05:01:25 720,896 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2007-10-02 06:20:56 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2007-12-02 05:01:18 299,008 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2007-10-02 06:21:03 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
+ 2007-12-02 05:01:23 32,768 ----a-w C:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
- 2007-10-02 06:21:04 299,008 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2007-12-02 05:01:21 303,104 ----a-w C:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-10-02 06:21:02 1,290,240 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
+ 2007-12-02 05:01:23 1,294,336 ----a-w C:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
- 2007-10-02 06:21:02 1,699,840 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
+ 2007-12-02 05:01:17 1,703,936 ----a-w C:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
- 2007-10-02 06:21:02 86,016 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2007-12-02 05:01:24 90,112 ----a-w C:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2007-10-02 06:21:02 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2007-12-02 05:01:21 466,944 ----a-w C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2007-10-02 06:21:02 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2007-12-02 05:01:19 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2007-10-02 06:21:02 64,000 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
+ 2007-12-02 05:01:19 66,560 ----a-w C:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
- 2007-10-02 06:21:02 368,640 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
+ 2007-12-02 05:01:22 372,736 ----a-w C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
- 2007-10-02 06:21:02 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2007-12-02 05:01:25 241,664 ----a-w C:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2007-10-02 06:21:02 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2007-12-02 05:01:21 323,584 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2007-10-02 06:21:02 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2007-12-02 05:01:19 131,072 ----a-w C:\WINDOWS\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-10-02 06:21:03 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2007-12-02 05:01:20 77,824 ----a-w C:\WINDOWS\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2007-10-02 06:21:03 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2007-12-02 05:01:24 126,976 ----a-w C:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2007-10-02 06:21:04 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2007-12-02 05:01:16 819,200 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2007-10-02 06:21:03 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2007-12-02 05:01:18 57,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2007-10-02 06:21:03 569,344 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2007-12-02 05:01:17 573,440 ----a-w C:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-10-02 06:21:03 1,245,184 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-12-03 05:01:36 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-10-02 06:21:03 2,039,808 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2007-12-02 05:01:20 2,052,096 ----a-w C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
- 2007-10-02 06:21:03 1,335,296 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.Xml.dll
+ 2007-12-02 05:01:22 1,339,392 ----a-w C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
- 2007-10-02 06:21:02 1,216,512 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-12-03 05:01:37 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-12-03 05:01:49 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_cb0c348f\CustomMarshalers.dll
+ 2007-12-03 05:02:12 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_bc493f8c\mscorlib.dll
+ 2007-12-03 05:02:07 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_84f5a81f\System.Design.dll
+ 2007-12-03 05:01:51 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_8cf31fe3\System.Drawing.Design.dll
+ 2007-12-03 05:02:09 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_554a45e6\System.Drawing.dll
+ 2007-12-03 05:01:56 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_06165458\System.Windows.Forms.dll
+ 2007-12-03 05:02:03 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3fd9f9a8\System.Xml.dll
+ 2007-12-03 05:01:48 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_b157aebf\System.dll
+ 2007-12-03 05:02:28 20,480 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_abca8a59\vjscor.dll
+ 2007-12-03 05:02:14 69,632 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_cf53835a\VJSharpCodeProvider.dll
+ 2007-12-03 05:02:27 4,468,736 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_f868da8f\vjslib.dll
+ 2007-12-03 05:02:17 32,768 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a_ede744a9\vjslibcw.dll
+ 2007-12-03 05:02:17 10,240 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_33a675f9\VJSWfcBrowserStubLib.dll
- 2003-02-20 09:19:32 253,952 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-13 10:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2003-02-20 09:19:34 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
+ 2004-07-14 14:49:18 20,480 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
- 2003-02-20 09:19:38 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
+ 2004-07-14 14:49:26 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
- 2003-02-20 09:19:36 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-13 10:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-20 09:09:08 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-13 09:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 00:20:44 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
+ 2004-07-15 00:23:28 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe
- 2003-02-21 00:21:00 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
+ 2004-07-15 00:23:44 626,688 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
- 2003-02-20 09:06:20 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2004-07-14 13:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll
+ 2003-10-08 03:30:14 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
- 2003-02-20 21:24:38 7,168 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
+ 2004-07-15 03:31:00 8,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
- 2003-02-20 21:24:40 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
+ 2004-07-15 03:31:04 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
- 2003-02-20 09:09:40 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
+ 2004-07-14 13:35:30 196,608 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
- 2003-02-20 21:26:36 716,800 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
+ 2004-07-15 03:28:58 720,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
- 2003-02-20 21:26:38 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
+ 2004-07-15 03:28:56 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
- 2003-02-20 21:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2004-07-15 03:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
- 2003-02-20 21:25:04 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2004-07-15 03:28:50 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
- 2003-02-20 09:09:12 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-14 13:32:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
- 2003-02-20 09:09:12 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
+ 2004-07-14 13:32:46 233,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
- 2003-02-20 09:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-13 09:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2003-02-20 09:06:32 311,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-13 09:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2003-02-20 09:09:16 98,304 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-13 09:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2003-02-20 21:26:34 2,088,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-13 09:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-20 09:09:18 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
+ 2004-07-14 13:33:22 143,360 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
- 2003-02-20 09:09:18 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2004-07-14 13:33:24 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
- 2003-02-20 09:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-13 09:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2003-02-20 09:07:34 2,494,464 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-13 09:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2003-02-20 09:08:32 2,482,176 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-13 09:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-01-15 05:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
- 2003-02-20 09:09:30 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2004-07-14 13:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
- 2003-02-20 21:26:46 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2004-07-15 03:28:48 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2004-07-14 14:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_aspnet_isapi.dll
+ 2004-07-14 13:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_CORPerfMonExt.dll
+ 2004-07-14 13:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_fusion.dll
+ 2004-07-14 13:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_mscorjit.dll
+ 2004-07-15 03:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_mscorlib.dll
+ 2003-02-20 09:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_mscorsn.dll
+ 2004-07-14 13:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_mscorsvr.dll
+ 2004-07-14 13:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_mscorwks.dll
+ 2003-02-20 18:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_msvcr71.dll
+ 2004-07-14 13:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3708\_PerfCounter.dll
- 2003-02-20 09:09:34 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
+ 2004-07-14 13:35:04 319,488 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SOS.dll
- 2003-02-20 21:26:38 1,290,240 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
+ 2004-07-15 03:32:00 1,294,336 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
- 2003-02-20 21:25:42 299,008 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
+ 2004-07-15 03:31:14 303,104 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
- 2003-02-20 21:26:42 1,699,840 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
+ 2004-07-15 03:29:02 1,703,936 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
- 2003-02-20 21:26:44 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2004-07-15 03:28:54 90,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
- 2003-02-20 21:26:46 1,216,512 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-13 10:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2003-02-20 21:26:50 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
+ 2004-07-15 03:28:58 466,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
- 2003-02-20 21:26:50 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
+ 2004-07-15 03:28:56 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
- 2003-02-20 09:09:36 64,000 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2004-07-14 13:35:12 66,560 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
- 2003-02-20 21:26:52 368,640 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
+ 2004-07-15 03:31:58 372,736 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
- 2003-02-20 21:26:54 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
+ 2004-07-15 03:31:12 241,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
- 2003-02-20 21:26:56 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
+ 2004-07-15 03:28:58 323,584 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
- 2003-02-20 21:26:56 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
+ 2004-07-15 03:31:54 131,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
- 2003-02-20 21:26:58 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2004-07-15 03:28:52 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2003-02-20 21:27:00 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
+ 2004-07-15 03:28:54 126,976 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
- 2003-02-20 21:27:02 1,245,184 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-13 10:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2003-02-20 21:27:06 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
+ 2004-07-15 03:28:58 819,200 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
- 2003-02-20 21:24:18 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2004-07-15 03:28:52 57,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
- 2003-02-20 21:27:06 569,344 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
+ 2004-07-15 03:31:16 573,440 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
- 2003-02-20 21:27:08 2,039,808 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2004-07-15 03:32:02 2,052,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
- 2003-02-20 21:27:10 1,335,296 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-07-15 03:29:00 1,339,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
+ 2004-06-22 02:51:38 53,248 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2003-02-21 00:20:38 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
+ 2004-07-15 00:23:20 737,280 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe
- 2003-02-20 19:04:18 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
+ 2004-07-14 21:15:14 1,032,192 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
- 2003-02-20 10:10:40 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
+ 2004-07-14 15:11:56 31,744 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
- 2005-09-22 21:29:00 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
+ 2006-12-22 02:02:36 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
- 2007-11-10 22:28:35 62,742 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-03 11:43:01 62,742 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-10 22:28:35 401,398 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-03 11:43:01 401,398 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-08 06:40:46 110,332 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-02 00:26:10 76,072 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-09 11:02]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 10:01]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-17 17:23 C:\WINDOWS\system32\nwiz.exe]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 14:25]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 23:21]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 18:03 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 23:00 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 17:22]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 11:05]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"postSetupCheck"="C:\WINDOWS\System32\Rundll32.exe" [2004-08-04 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 23:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
C:\Program Files\DAP\DAP.EXE /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5900 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIP.EXE /FU C:\WINDOWS\TEMP\E_S12E.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-10-02 16:27 1065288 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 20:11 925696 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-09 11:02 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\UltraISO\drivers\ISODrive.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
S3 BS_DEF;BS_DEF;\??\C:\Program Files\ASUS\AsusUpdate\BS_DEF.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 08:10:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 20:20:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-12 10:17:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 19:57:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 19:58:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-02 11:39
C:\ComboFix3.txt ... 2007-12-02 09:40
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:06 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38FF639B-E143-43FD-9B9F-72CB1F61A4DE}: NameServer = 198.142.0.51,192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9781 bytes
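Added example, not part of the thread: a small Python triage helper for logs in this HijackThis v2 format. It parses the section-coded entries (R0/O2/O4/O17/O20/O23) and lists the ones a forum helper would typically check by hand; the embedded sample log, its CLSIDs and DLL names are constructed, and the review heuristics are my own assumptions, not HijackThis's own analysis.

```python
"""Triage a HijackThis log: parse its entries and flag those worth a manual review.
Heuristics produce a review list, not a verdict: legitimate software hits them too."""
import re
from typing import List, Tuple

# Constructed sample in the HijackThis v2 format (not the log posted in the thread).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ExampleLoader] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\example.dll" DllStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.0.2.53,192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Vendor\helper.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Section code (R0, O2, O4, O23 ...), then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# rundll32 followed by the DLL it loads, quoted or not, up to the ",Export" separator.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for every entry that merits a closer look."""
    findings = []
    for section, body in parse_entries(log):
        if "(no file)" in body:
            findings.append((section, "registered component whose file is missing", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no vendor information", body))
        elif section == "O4" and RUNDLL_RE.search(body):
            # Vendor tray loaders (e.g. NvCpl) use this pattern too; the entry is listed for review.
            findings.append((section, "autostart loads a DLL via rundll32", body))
        elif section == "O17":
            findings.append((section, "per-adapter DNS servers; confirm they belong to the ISP or router", body))
        elif section == "O20":
            findings.append((section, "AppInit_DLLs is loaded into every GUI process", body))
    return findings
```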

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA
  • Local time:10:17 AM

Posted 04 December 2007 - 12:06 PM

Update Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: (image)
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
Then reboot and post a last log and you should be clean.



