New Usb Corrupting Virus


This topic is locked
5 replies to this topic

#1 mammal (Members, 19 posts)

Posted 18 December 2007 - 05:46 AM

Hello everyone,
Thanks for making this such a great site. I have a huge problem.

My laptop has slowed down and sometimes I have to reboot twice in order for the start button to appear.

I have been using the laptop like this without bothering, but I have been forced to post this log because I put in a USB disk and I was unable to open either of the 2 partitions. The partitions had names before, which were Dan and John, but now they just appear as Local Disk H and G, and when I try to open them I am told that the file or directory is corrupt and unreadable. I put in another USB disk and the same problem exists. I have not tried to test them in another laptop for fear of infecting it. Please help. I have a lot of important information on my USB disks.

Here are my logs.

1. Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46, on 2007-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hyperionics.com/hsdx/InstScript.asp?Buy=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = , 10.125.30.27
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AccChecker] "C:\AccChecker\AccChecker.EXE" -s
O4 - HKLM\..\Run: [RealTray] C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: SPES Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = china.huawei.com
O17 - HKLM\Software\..\Telephony: DomainName = china.huawei.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = china.huawei.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = china.huawei.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = china.huawei.com
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
--
End of file - 8128 bytes

2. Here is the ComboFix file

ComboFix 07-12-17.1 - O77494 2007-12-18 12:23:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT 3:00]
Running from: C:\Documents and Settings\o77494.CHINA\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\shell32.dat
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
2007-12-18 12:32 . 2007-12-18 12:33 3,972 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-18 12:20 . 2007-12-18 12:20 <DIR> d-------- C:\HJT
2007-12-18 10:58 . 2007-12-18 10:58 <DIR> d-------- C:\Documents and Settings\o77494.CHINA\Application Data\Grisoft
2007-12-18 10:58 . 2007-12-18 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-18 10:58 . 2007-05-30 15:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-17 16:51 . 2007-12-17 16:51 <DIR> d-------- C:\Documents and Settings\o77494.CHINA\Application Data\Nokia Multimedia Player
2007-12-14 12:44 . 2007-12-14 12:44 45,595 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2007-12-14 12:43 . 2007-12-16 22:07 45,595 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2007-12-10 17:37 . 2007-12-10 17:37 149 --a------ C:\WINDOWS\Uedit32.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 09:20 --------- d-----w C:\Documents and Settings\o77494.CHINA\Application Data\uTorrent
2007-12-18 06:53 --------- d-----w C:\Program Files\SPES
2007-12-13 17:43 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-13 17:43 --------- d-----w C:\Program Files\NetWaiting
2007-12-13 17:43 --------- d-----w C:\Program Files\Modem Helper
2007-12-13 17:43 --------- d-----w C:\Program Files\Apoint
2007-12-04 18:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-16 11:37 --------- d-----w C:\Documents and Settings\o77494.CHINA\Application Data\Yahoo!
2007-11-16 11:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-16 11:32 --------- d-----w C:\Program Files\Yahoo!
2007-10-31 09:40 --------- d-----w C:\Program Files\CV4You
2007-10-30 11:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-12 05:40 13,824 --sh--r C:\WINDOWS\system32\avpo0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Shell Icon Overlay Identifier]
@={C6B033C1-16EA-4F40-A2F3-674086B0257D}
[HKEY_CLASSES_ROOT\CLSID\{C6B033C1-16EA-4F40-A2F3-674086B0257D}]
2000-01-10 23:00 57344 --------- C:\WINDOWS\system32\shell16.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 04:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 18:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 18:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 18:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 15:03]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 10:32]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 14:29]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 19:23]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 03:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40]
"AccChecker"="C:\AccChecker\AccChecker.exe" [2007-08-30 12:42]
"RealTray"="C:\Program Files\K-Lite Codec Pack\Real\mpclauncher.exe" [2007-04-27 23:48]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-03 18:12:15]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 11:45:30]
SPES Agent.lnk - C:\Program Files\SPES\SPES.exe [2007-08-30 11:56:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-147214757-305610072-1517763936-284840\Scripts\Logon\0\0]
"Script"=RemoveDomainAdmins.exe
R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-09 17:35]
R3 guardian2;guardian2;C:\WINDOWS\system32\Drivers\oz776.sys [2007-01-28 16:23]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL USB2.0.exe
\Shell\´̣¿ª(&O)\command - H:\USB2.0.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{016a1506-54e2-11dc-9ceb-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{024cdb57-54ae-11dc-9cea-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{024cdbc3-54ae-11dc-9cea-001c2307bbcd}]
\Shell\AutoRun\command - G:\n1deiect.com
\Shell\explore\Command - G:\n1deiect.com
\Shell\open\Command - G:\n1deiect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{025484ab-6cc2-11dc-9d7e-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11646a6e-5b85-11dc-9d11-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11646a6f-5b85-11dc-9d11-001c2307bbcd}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19d036ea-acb5-11dc-9e34-001c2307bbcd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701e3936-8779-11dc-9da7-001c2307bbcd}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7460f0ec-61e5-11dc-9d32-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7460f0ee-61e5-11dc-9d32-001c2307bbcd}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86b9c49a-5852-11dc-9d02-001c2307bbcd}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86b9c49b-5852-11dc-9d02-001c2307bbcd}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86b9c4b7-5852-11dc-9d02-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dc80cd6-5e49-11dc-9d20-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3aba6be-70b6-11dc-9d8f-001c2307bbcd}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0de4c3d-55f8-11dc-9ced-001c2307bbcd}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0de4c3e-55f8-11dc-9ced-001c2307bbcd}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0de4c3f-55f8-11dc-9ced-001c2307bbcd}]
\Shell\AutoRun\command - I:\ntde1ect.com
\Shell\explore\Command - I:\ntde1ect.com
\Shell\open\Command - I:\ntde1ect.com
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 12:37:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\detoured.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\detoured.dll
.
Completion time: 2007-12-18 12:41:59 - machine was rebooted
.
2007-10-31 11:22:56 --- E O F ---


#2 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 02 January 2008 - 06:17 AM

Hi mammal, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :blink:

P.S. Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

#3 mammal (Topic Starter, Members, 19 posts)

Posted 02 January 2008 - 03:51 PM

Hello Falu,

Here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41, on 2008-01-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows NT\wordict.exe
C:\Program Files\NetMeeting\inetsock.exe
C:\Program Files\NetMeeting\notpost.exe
C:\Program Files\NetMeeting\lassup.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Windows NT\mscol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Louis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IMSCMgg] C:\Program Files\Windows NT\mscol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{5028C0F9-5D64-44CE-A7AD-F2DF30BF15D3}: NameServer = 212.88.97.20,81.199.21.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1552E96-F237-462A-AE47-7DC4B7810BD8}: NameServer = 81.199.21.94 81.199.31.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS3\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS4\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS5\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Ravsvrs - Unknown owner - C:\Program Files\Outlook Express\Ravsvrs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows Networks - Unknown owner - C:\Program Files\NetMeeting\inetsock.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7367 bytes


Thank you sir.

#4 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 04 January 2008 - 01:08 PM

Hi mammal, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Thank you sir.


You're very welcome!

1. Are you using a firewall? I see nothing in your log that would indicate that you have one. I urge you to install one, since it's your first defense against malware. There are several good free programmes available, like:

Comodo Firewall Pro
Online Armor Free edition
Kerio

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. Go to Start > Run and type: "services.msc" (without the quotes) and click OK
Scroll down in that list until you find the service Ravsvrs.
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.

Do the same for Windows Networks

Click apply and OK and close all open windows.

3. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [IMSCMgg] C:\Program Files\Windows NT\mscol.exe
O23 - Service: Ravsvrs - Unknown owner - C:\Program Files\Outlook Express\Ravsvrs.exe
O23 - Service: Windows Networks - Unknown owner - C:\Program Files\NetMeeting\inetsock.exe


If you didn't set your startpage to be blank checkmark this entry as well:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

4. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following files in bold if they exist:

C:\Program Files\Windows NT\wordict.exe
C:\Program Files\Windows NT\mscol.exe
C:\Program Files\NetMeeting\notpost.exe
C:\Program Files\NetMeeting\lassup.exe

Let me know how this went!

5. First remove ComboFix from your desktop, including any files/folders relating to it, since we want the latest version to run. Next download ComboFix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


6. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

Please reboot and post the uninstall_list.txt along with the C:\ComboFix.txt and a fresh HijackThis log.
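
A small parser that turns HijackThis O4/O23/R0 lines like the ones above into records and flags the same warning signs Falu is acting on: a service whose binary carries no company name ("Unknown owner"), an executable dropped into a folder that belongs to a Windows component (Windows NT, Outlook Express, NetMeeting), and a start page reset to about:blank. This is an added example, not Falu's instructions or HijackThis code; the sample log lines are constructed from the entries quoted in this thread plus two ordinary entries for contrast, the watchlist of component folders and the "Example Updater" service line are my assumptions, and the function names are mine.

```python
"""Parse HijackThis O4/O23/R0 lines and flag entries that show the warning
signs discussed in this thread.  Added example, not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three entries Falu asked to be fixed, the R0 line,
# and two ordinary entries (ctfmon.exe and a made-up "Example Updater" service).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [IMSCMgg] C:\Program Files\Windows NT\mscol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ravsvrs - Unknown owner - C:\Program Files\Outlook Express\Ravsvrs.exe
O23 - Service: Windows Networks - Unknown owner - C:\Program Files\NetMeeting\inetsock.exe
O23 - Service: Example Updater (exupd) - Example Corp - C:\Program Files\Example\exupd.exe
"""

# Assumed watchlist: folders that ship with Windows itself, where a third-party
# Run entry or service executable is out of place.  All three malicious files
# in this thread live in one of these.
OS_COMPONENT_DIRS = (
    "c:\\program files\\windows nt\\",
    "c:\\program files\\outlook express\\",
    "c:\\program files\\netmeeting\\",
)


@dataclass
class HjtEntry:
    kind: str             # "O4", "O23" or "R0"
    name: str             # Run value name, service name, or registry value name
    path: Optional[str]   # executable path when one can be extracted
    owner: Optional[str]  # O23 only: company name HijackThis read from the file
    data: Optional[str]   # R0 only: the registry value data
    raw: str              # the original log line


_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_R0 = re.compile(r"^R0 - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")


def _exe_from_command(cmd: str) -> Optional[str]:
    """Strip arguments from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else None


def parse_hjt(lines) -> List[HjtEntry]:
    """Return structured records for the O4, O23 and R0 lines; other lines are skipped."""
    out: List[HjtEntry] = []
    for raw in lines:
        line = raw.rstrip()
        if m := _O4.match(line):
            out.append(HjtEntry("O4", m["name"], _exe_from_command(m["cmd"]), None, None, line))
        elif m := _O23.match(line):
            out.append(HjtEntry("O23", m["name"], m["path"].strip(), m["owner"], None, line))
        elif m := _R0.match(line):
            out.append(HjtEntry("R0", m["value"].strip(), None, None, m["data"].strip(), line))
    return out


def triage(entries: List[HjtEntry], startpage_set_by_user: bool = False) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for entries worth a closer look."""
    flagged: List[Tuple[str, str]] = []
    for e in entries:
        reasons = []
        if e.kind == "O23" and e.owner == "Unknown owner":
            reasons.append("service binary carries no company name")
        if e.path and e.path.lower().startswith(OS_COMPONENT_DIRS):
            reasons.append("executable sits in a Windows component folder")
        if (e.kind == "R0" and e.name == "Start Page"
                and e.data == "about:blank" and not startpage_set_by_user):
            reasons.append("start page reset to about:blank")
        if reasons:
            flagged.append((e.name, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for name, why in triage(parse_hjt(SAMPLE_LOG.splitlines())):
        print(f"{name}: {why}")
```

The flags are review candidates, not verdicts: "Unknown owner" only means the file has no company name in its version resource, and a start page of about:blank is harmless when the user chose it, which is why that check takes the same "did you set it yourself" question Falu asks as a parameter.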

#5 mammal

  • Topic Starter
  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 05 January 2008 - 03:42 AM

Hello Falu,

I can't really tell whether my laptop is fine now but I can see the USB2.0.exe and n1detect.com on the ComboFix Log and I think these are the ones that corrupted my USB disk. Do you know any recovery software I can get for free or purchase, to recover the files on my USB disk because, even after this cleaning process, I get the message that my two partitions are still corrupt and unreadable. Please advise on how to recover my files. I don't know if I should format, then get recovery software, or get software that can recover the files. Thanks.

Here are the Logs:

1. uninstall_list

Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
BDE Information Utility
BearShare Pro 5.2.6.0
BOClean
Boson NetSim for CCNP BETA 2b
Broadcom Management Programs 2
CCleaner (remove only)
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Media Experience
Dell ResourceCD
DVD Decrypter (Remove Only)
ESET NOD32 Antivirus
FasType Typing Tutorial 6
HijackThis 2.0.2
HUAWEI 3G Data Card Management
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
InterActual Player
Internal Network Card Power Management
InterVideo WinDVD 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
K-Lite Codec Pack 2.54 Full
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Reader
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (1.5.0.4)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
mToolkit
mWlsSafe
mXML
mZConfig
Native Instruments Traktor DJ Studio 3
NetWaiting
NOD32 FiX
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia MTP driver
Nokia N73 highlights
Nokia Nseries Skin for Microsoft Windows Media Player
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia themes for your device
Picasa 2
PowerDVD 5.9
PowerQuest PartitionMagic 8.0
QuickSet
QuickTime
RealPlayer
Registry Mechanic 5.1
Self Test Practice Test Engine
Self Test Software: Exam 640-801
Shockwave
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
The French Tutorial Personal Edition
USB Mass Storage Driver Installation
USB Storage Adapter FX/AT
VanDyke Software SecureCRT 5.5
VideoLAN VLC media player 0.8.6a
Visual CertExam Suite 1.9
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Yahoo! Internet Mail
Yahoo! Messenger
ZoneAlarm Pro

2. ComboFix

ComboFix 08-01-04.1 - Louis 2008-01-05 10:55:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.199 [GMT 3:00]
Running from: C:\Documents and Settings\Louis\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OCINS
C:\Program Files\OCINS\cnrbtn.html
C:\Program Files\OCINS\cuscfg.dat
C:\Program Files\OCINS\idnaux.dat
C:\Program Files\OCINS\kwacs.dat
C:\Program Files\OCINS\kwrep.dat
C:\Program Files\OCINS\replace.dat
C:\Program Files\OCINS\update\version.dat
C:\Program Files\OCINS\version.dat
C:\WINDOWS\ocinfo.dat
C:\WINDOWS\system32\0.txt
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\sam.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 10:32 . 2008-01-05 10:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-05 10:31 . 2008-01-05 10:32 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-05 10:31 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-05 10:31 . 2008-01-05 11:01 352,185 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-05 10:30 . 2008-01-05 10:46 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-17 00:19 . 2007-12-17 00:42 <DIR> d-------- C:\Temp
2007-12-15 10:38 . 2007-12-15 10:38 <DIR> d-------- C:\NetMeeting
2007-12-14 22:17 . 2007-12-14 22:17 <DIR> d-------- C:\My Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 20:47 --------- d-----w C:\Documents and Settings\Louis\Application Data\uTorrent
2007-12-02 19:48 --------- d-----w C:\Program Files\File Scavenger 3.0
2007-11-22 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 19:23 --------- d-----w C:\Program Files\McGraw-Hill
2007-11-22 19:22 --------- d-----w C:\Program Files\Google
2007-11-13 16:13 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-08 13:17 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-08 13:10 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-08 13:09 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-10-09 16:47 6,619,230 ----a-w C:\WINDOWS\REGBK02.ZIP
2005-12-15 13:43 34,736 ----a-w C:\Documents and Settings\Louis\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-15_14.21.50.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-09 17:45:20 304,640 -c----w C:\WINDOWS\$NtUninstallMSCompPackV1$\msdelta.dll
+ 2006-09-25 14:58:48 221,488 -c----w C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe
+ 2006-09-25 14:58:48 379,184 -c----w C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\updspapi.dll
- 2006-03-10 18:21:04 213,216 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe
+ 2006-09-15 22:05:22 221,488 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe
- 2006-03-10 18:21:04 371,424 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\updspapi.dll
+ 2006-09-15 22:05:22 379,184 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\updspapi.dll
- 2006-04-11 11:29:30 69,120 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\WudfCustom.dll
+ 2006-09-28 16:01:52 58,368 -c----w C:\WINDOWS\$NtUninstallWudf01000$\spuninst\WudfCustom.dll
+ 2006-04-11 11:30:44 93,752 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfcoinstaller.dll
+ 2006-04-11 11:27:18 130,048 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfhost.exe
+ 2006-04-11 11:26:38 82,944 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfpf.sys
+ 2006-04-11 11:26:44 158,208 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfplatform.dll
+ 2006-04-11 11:29:18 87,808 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfrd.sys
+ 2006-04-11 11:26:56 54,272 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfsvc.dll
+ 2006-04-11 11:27:18 304,640 -c----w C:\WINDOWS\$NtUninstallWudf01000$\wudfx.dll
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
+ 2007-05-08 14:01:12 208,896 ----a-w C:\WINDOWS\CMDLIC.DLL
- 2007-03-13 07:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 05:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-05-09 18:02:38 180,736 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2006-11-01 15:31:34 315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-11-04 12:25:29 3,374 ----a-r C:\WINDOWS\Installer\{005F2F10-83F5-47D0-8B11-E905D6581369}\ARPPRODUCTICON.exe
+ 2007-11-04 12:25:29 3,374 ----a-r C:\WINDOWS\Installer\{005F2F10-83F5-47D0-8B11-E905D6581369}\NewShortcut1_1.exe
+ 2007-11-04 12:25:29 49,152 ----a-r C:\WINDOWS\Installer\{005F2F10-83F5-47D0-8B11-E905D6581369}\NewShortcut7_A1DA1D67CC44441B8E01AEB7CB2B60DC.exe
+ 2007-12-01 11:27:05 10,134 ----a-r C:\WINDOWS\Installer\{1308A947-8A17-4F3B-8F37-5CA6A448D7D4}\callmsi.exe
+ 2007-12-01 11:27:05 136,448 ----a-r C:\WINDOWS\Installer\{1308A947-8A17-4F3B-8F37-5CA6A448D7D4}\egui.exe
+ 2007-11-05 11:48:22 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-10-15 20:34:48 22,486 ----a-r C:\WINDOWS\Installer\{DB368901-C41E-4D86-9809-E0EE635A6939}\register_icon.exe
- 2007-10-13 21:00:01 22,486 ----a-r C:\WINDOWS\Installer\{E48949FB-95D7-4818-B45A-DE52BE556547}\register_icon.exe
+ 2007-10-15 12:02:07 22,486 ----a-r C:\WINDOWS\Installer\{E48949FB-95D7-4818-B45A-DE52BE556547}\register_icon.exe
- 2007-06-16 21:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
+ 2000-08-31 05:00:00 51,200 ----a-w C:\WINDOWS\NirCmd.exe
- 2006-05-09 19:26:32 7,168 ----a-w C:\WINDOWS\system32\asferror.dll
+ 2006-10-18 18:47:08 7,168 ----a-w C:\WINDOWS\system32\asferror.dll
- 2006-05-09 19:26:34 267,776 ----a-w C:\WINDOWS\system32\Audiodev.dll
+ 2006-10-18 18:47:08 276,992 ----a-w C:\WINDOWS\system32\audiodev.dll
- 2007-10-08 16:03:06 13,312 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-10-29 10:51:52 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll
- 2007-10-14 08:23:37 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
+ 2007-10-15 21:17:41 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
- 2006-05-09 17:59:14 585,216 ----a-w C:\WINDOWS\system32\blackbox.dll
+ 2006-10-18 18:47:10 542,720 ----a-w C:\WINDOWS\system32\blackbox.dll
- 2006-05-09 19:26:34 219,648 ----a-w C:\WINDOWS\system32\CEWMDM.dll
+ 2006-10-18 18:47:10 229,376 ----a-w C:\WINDOWS\system32\cewmdm.dll
- 2005-11-17 11:12:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-18 10:29:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-11-17 11:12:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-18 10:29:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-11-17 11:12:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-18 10:29:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-09 19:26:32 7,168 ----a-w C:\WINDOWS\system32\dllcache\asferror.dll
+ 2006-10-18 18:47:08 7,168 ----a-w C:\WINDOWS\system32\dllcache\asferror.dll
- 2006-05-09 17:59:14 585,216 ----a-w C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2006-10-18 18:47:10 542,720 ----a-w C:\WINDOWS\system32\dllcache\blackbox.dll
- 2006-05-09 19:26:34 219,648 ----a-w C:\WINDOWS\system32\dllcache\CEWMDM.dll
+ 2006-10-18 18:47:10 229,376 ----a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
- 2006-05-09 18:00:02 1,350,656 ----a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2006-10-18 18:47:10 991,744 ----a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2006-05-09 19:26:32 9,728 ----a-w C:\WINDOWS\system32\dllcache\LAPRXY.dll
+ 2006-10-18 18:47:14 11,264 ----a-w C:\WINDOWS\system32\dllcache\LAPRXY.dll
- 2006-05-09 18:02:02 84,480 ----a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2006-10-18 17:03:58 100,864 ----a-w C:\WINDOWS\system32\dllcache\logagent.exe
- 2006-05-09 19:26:34 345,088 ----a-w C:\WINDOWS\system32\dllcache\mpvis.dll
+ 2006-10-18 18:47:14 243,712 ----a-w C:\WINDOWS\system32\dllcache\mpvis.dll
- 2006-05-09 19:26:34 212,480 ----a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2006-10-18 18:47:16 179,712 ----a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
- 2006-05-09 19:26:34 26,112 ----a-w C:\WINDOWS\system32\dllcache\MsPMSNSv.dll
+ 2006-10-18 18:47:16 27,136 ----a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
- 2006-05-09 19:26:34 165,376 ----a-w C:\WINDOWS\system32\dllcache\MsPMSP.dll
+ 2006-10-18 18:47:16 175,616 ----a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
- 2006-05-09 17:59:20 417,280 ----a-w C:\WINDOWS\system32\dllcache\MSSCP.dll
+ 2006-10-18 18:47:16 414,208 ----a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2006-05-09 19:26:34 306,688 ----a-w C:\WINDOWS\system32\dllcache\MSWMDM.dll
+ 2006-10-18 18:47:16 321,536 ----a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
- 2006-05-09 19:26:34 201,728 ----a-w C:\WINDOWS\system32\dllcache\qasf.dll
+ 2006-10-18 18:47:18 211,456 ----a-w C:\WINDOWS\system32\dllcache\qasf.dll
- 2006-05-09 18:02:42 1,587,712 ----a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
+ 2006-11-01 15:31:38 1,669,120 ----a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
- 2006-05-09 18:02:38 180,736 ----a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2006-11-01 15:31:34 315,904 ----a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2006-05-09 19:26:34 705,024 ----a-w C:\WINDOWS\system32\dllcache\WMADMOD.dll
+ 2006-10-18 18:47:18 757,248 ----a-w C:\WINDOWS\system32\dllcache\WMADMOD.dll
- 2006-05-09 19:26:34 1,063,424 ----a-w C:\WINDOWS\system32\dllcache\WMADMOE.dll
+ 2006-10-18 18:47:18 1,117,696 ----a-w C:\WINDOWS\system32\dllcache\WMADMOE.dll
- 2006-05-09 19:26:34 221,696 ----a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2006-10-18 18:47:18 222,208 ----a-w C:\WINDOWS\system32\dllcache\WMASF.dll
- 2006-05-09 19:26:34 31,744 ----a-w C:\WINDOWS\system32\dllcache\WMDMLOG.dll
+ 2006-10-18 18:47:18 33,792 ----a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
- 2006-05-09 19:26:34 36,864 ----a-w C:\WINDOWS\system32\dllcache\WMDMPS.dll
+ 2006-10-18 18:47:18 37,376 ----a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
- 2006-05-09 19:26:32 218,112 ----a-w C:\WINDOWS\system32\dllcache\wmerror.dll
+ 2006-10-18 18:47:20 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmerror.dll
- 2006-05-09 19:26:34 155,136 ----a-w C:\WINDOWS\system32\dllcache\wmidx.dll
+ 2006-10-18 18:47:20 157,184 ----a-w C:\WINDOWS\system32\dllcache\wmidx.dll
- 2006-05-09 19:26:34 992,256 ----a-w C:\WINDOWS\system32\dllcache\WMNetMgr.dll
+ 2006-10-18 18:47:20 937,984 ----a-w C:\WINDOWS\system32\dllcache\WMNetMgr.dll
- 2006-05-09 19:26:34 10,394,624 ----a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2006-10-18 18:47:20 10,834,432 ----a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2006-05-09 19:26:34 237,056 ----a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
+ 2006-10-18 18:47:20 242,688 ----a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
- 2006-05-09 19:26:34 87,040 ----a-w C:\WINDOWS\system32\dllcache\wmpband.dll
+ 2006-10-18 18:47:20 96,256 ----a-w C:\WINDOWS\system32\dllcache\wmpband.dll
- 2006-05-09 19:26:34 301,056 ----a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
+ 2006-10-18 18:47:20 314,880 ----a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
- 2006-05-09 19:25:54 62,976 ----a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
+ 2006-10-18 18:46:20 64,000 ----a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
- 2006-05-09 19:26:34 7,706,112 ----a-w C:\WINDOWS\system32\dllcache\wmploc.dll
+ 2006-10-18 18:47:20 8,231,936 ----a-w C:\WINDOWS\system32\dllcache\wmploc.dll
- 2006-05-09 19:26:34 97,792 ----a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
+ 2006-10-18 18:47:20 99,840 ----a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
- 2006-05-09 19:26:34 564,736 ----a-w C:\WINDOWS\system32\dllcache\WMSPDMOD.dll
+ 2006-10-18 18:47:22 603,648 ----a-w C:\WINDOWS\system32\dllcache\WMSPDMOD.dll
- 2006-05-09 19:26:34 1,280,000 ----a-w C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
+ 2006-10-18 18:47:22 1,329,152 ----a-w C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
- 2006-05-09 19:22:32 2,463,744 ----a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-10-18 18:47:22 2,450,944 ----a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
- 2006-05-09 17:58:46 646,656 ------w C:\WINDOWS\system32\drivers\umdf\wpdmtpdr.dll
+ 2006-10-18 18:47:22 671,232 ------w C:\WINDOWS\system32\drivers\umdf\wpdmtpdr.dll
- 2006-05-09 17:58:44 40,704 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-10-18 17:00:00 38,528 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
- 2006-04-11 11:26:38 82,944 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-28 15:55:50 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
- 2006-04-11 11:29:18 87,808 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-09-28 16:00:34 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
- 2006-05-09 17:59:18 229,376 ------w C:\WINDOWS\system32\drmupgds.exe
+ 2006-10-18 17:00:46 249,856 ------w C:\WINDOWS\system32\drmupgds.exe
- 2006-05-09 18:00:02 1,350,656 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2006-10-18 18:47:10 991,744 ----a-w C:\WINDOWS\system32\drmv2clt.dll
- 2007-10-15 11:21:43 224,399 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-05 08:03:32 224,402 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2005-08-26 12:55:46 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 19:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-08-26 12:55:58 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 19:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-08-26 15:14:46 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 20:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-05-09 19:26:32 9,728 ----a-w C:\WINDOWS\system32\LAPRXY.dll
+ 2006-10-18 18:47:14 11,264 ----a-w C:\WINDOWS\system32\LAPRXY.dll
+ 2007-11-14 13:04:46 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
- 2006-05-09 18:02:02 84,480 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-18 17:03:58 100,864 ----a-w C:\WINDOWS\system32\logagent.exe
- 2006-05-09 18:00:08 382,976 ------w C:\WINDOWS\system32\MFPLAT.dll
+ 2006-10-18 18:47:14 212,992 ----a-w C:\WINDOWS\system32\mfplat.dll
- 2006-05-09 18:00:56 241,152 ------w C:\WINDOWS\system32\MP43DECD.dll
+ 2006-10-18 18:47:14 259,072 ------w C:\WINDOWS\system32\MP43DECD.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
+ 2006-10-18 18:47:14 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
- 2006-05-09 18:00:58 299,520 ------w C:\WINDOWS\system32\MP4SDECD.dll
+ 2006-10-18 18:47:14 317,440 ------w C:\WINDOWS\system32\MP4SDECD.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
+ 2006-10-18 18:47:14 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
- 2006-05-09 18:00:58 241,152 ------w C:\WINDOWS\system32\MPG4DECD.dll
+ 2006-10-18 18:47:14 259,072 ------w C:\WINDOWS\system32\MPG4DECD.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
+ 2006-10-18 18:47:14 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
- 2006-05-09 17:45:20 304,640 ------w C:\WINDOWS\system32\MSDelta.dll
+ 2006-10-02 12:28:42 312,128 ------w C:\WINDOWS\system32\msdelta.dll
- 2006-05-09 19:26:34 212,480 ----a-w C:\WINDOWS\system32\msnetobj.dll
+ 2006-10-18 18:47:16 179,712 ----a-w C:\WINDOWS\system32\msnetobj.dll
- 2006-05-09 19:26:34 26,112 ----a-w C:\WINDOWS\system32\MsPMSNSv.dll
+ 2006-10-18 18:47:16 27,136 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
- 2006-05-09 19:26:34 165,376 ----a-w C:\WINDOWS\system32\MsPMSP.dll
+ 2006-10-18 18:47:16 175,616 ----a-w C:\WINDOWS\system32\mspmsp.dll
- 2006-05-09 17:59:20 417,280 ----a-w C:\WINDOWS\system32\MSSCP.dll
+ 2006-10-18 18:47:16 414,208 ----a-w C:\WINDOWS\system32\msscp.dll
- 2006-05-09 19:26:34 306,688 ----a-w C:\WINDOWS\system32\MSWMDM.dll
+ 2006-10-18 18:47:16 321,536 ----a-w C:\WINDOWS\system32\mswmdm.dll
+ 2006-05-09 17:58:48 345,600 ----a-w C:\WINDOWS\system32\PortableDeviceApi(2).dll
- 2006-05-09 17:58:48 345,600 ------w C:\WINDOWS\system32\PortableDeviceApi.dll
+ 2006-10-18 18:47:18 284,160 ----a-w C:\WINDOWS\system32\portabledeviceapi.dll
- 2006-05-09 17:58:48 101,376 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-10-18 18:47:18 101,888 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-05-09 17:58:38 168,960 ----a-w C:\WINDOWS\system32\PortableDeviceTypes(2).dll
- 2006-05-09 17:58:38 168,960 ------w C:\WINDOWS\system32\PortableDeviceTypes.dll
+ 2006-10-18 18:47:18 166,912 ----a-w C:\WINDOWS\system32\portabledevicetypes.dll
- 2006-05-09 17:58:50 103,424 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
+ 2006-10-18 18:47:18 132,096 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
- 2006-05-09 17:58:48 188,928 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
+ 2006-10-18 18:47:18 199,168 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
+ 2006-05-09 19:26:34 201,728 ----a-w C:\WINDOWS\system32\qasf(2).dll
- 2006-05-09 19:26:34 201,728 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2006-10-18 18:47:18 211,456 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2007-12-02 19:49:46 172,736 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2006-01-19 19:29:19 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-09-25 14:58:48 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2005-06-28 06:21:34 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-25 14:58:48 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2007-10-05 07:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 05:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2006-05-09 19:36:46 6,656 ----a-w C:\WINDOWS\system32\uWDF.exe
+ 2006-10-18 18:58:00 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
+ 2007-11-14 13:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-14 13:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-14 13:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-14 13:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-14 13:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 13:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-11-14 13:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 13:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-11-14 13:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\wdfApi.dll
+ 2006-10-18 18:47:18 4,096 ----a-w C:\WINDOWS\system32\wdfapi.dll
- 2006-05-09 19:36:46 6,656 ----a-w C:\WINDOWS\system32\WdfMgr.exe
+ 2006-10-18 18:58:00 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
- 2006-05-09 19:26:34 705,024 ----a-w C:\WINDOWS\system32\WMADMOD.dll
+ 2006-10-18 18:47:18 757,248 ----a-w C:\WINDOWS\system32\WMADMOD.dll
- 2006-05-09 19:26:34 1,063,424 ----a-w C:\WINDOWS\system32\WMADMOE.dll
+ 2006-10-18 18:47:18 1,117,696 ----a-w C:\WINDOWS\system32\WMADMOE.dll
+ 2006-05-09 19:26:34 221,696 ----a-w C:\WINDOWS\system32\wmasf(4).dll
- 2006-05-09 19:26:34 221,696 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2006-10-18 18:47:18 222,208 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2006-05-09 19:26:34 31,744 ----a-w C:\WINDOWS\system32\WMDMLOG.dll
+ 2006-10-18 18:47:18 33,792 ----a-w C:\WINDOWS\system32\wmdmlog.dll
- 2006-05-09 19:26:34 36,864 ----a-w C:\WINDOWS\system32\WMDMPS.dll
+ 2006-10-18 18:47:18 37,376 ----a-w C:\WINDOWS\system32\wmdmps.dll
- 2006-05-09 19:26:34 417,280 ----a-w C:\WINDOWS\system32\wmdrmdev.dll
+ 2006-10-18 18:47:18 429,056 ----a-w C:\WINDOWS\system32\wmdrmdev.dll
- 2006-05-09 19:26:34 337,408 ----a-w C:\WINDOWS\system32\wmdrmnet.dll
+ 2006-10-18 18:47:20 348,672 ----a-w C:\WINDOWS\system32\wmdrmnet.dll
- 2006-05-09 17:59:34 513,536 ------w C:\WINDOWS\system32\wmdrmsdk.dll
+ 2006-10-18 18:47:20 535,040 ------w C:\WINDOWS\system32\wmdrmsdk.dll
- 2006-05-09 19:26:32 218,112 ----a-w C:\WINDOWS\system32\wmerror.dll
+ 2006-10-18 18:47:20 227,328 ----a-w C:\WINDOWS\system32\wmerror.dll
- 2006-05-09 19:26:34 155,136 ----a-w C:\WINDOWS\system32\wmidx.dll
+ 2006-10-18 18:47:20 157,184 ----a-w C:\WINDOWS\system32\wmidx.dll
- 2006-05-09 19:26:34 992,256 ----a-w C:\WINDOWS\system32\WMNetMgr.dll
+ 2006-10-18 18:47:20 937,984 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
- 2006-05-09 19:26:34 10,394,624 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2006-10-18 18:47:20 10,834,432 ----a-w C:\WINDOWS\system32\wmp.dll
- 2006-05-09 19:26:34 237,056 ----a-w C:\WINDOWS\system32\wmpasf.dll
+ 2006-10-18 18:47:20 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
- 2006-05-09 19:26:34 301,056 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-18 18:47:20 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
- 2006-05-09 19:26:34 433,152 ------w C:\WINDOWS\system32\wmpeffects.dll
+ 2006-10-18 18:47:20 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
- 2006-05-09 19:26:34 1,641,472 ----a-w C:\WINDOWS\system32\wmpencen.dll
+ 2006-10-18 18:47:20 1,661,440 ----a-w C:\WINDOWS\system32\wmpencen.dll
- 2006-05-09 19:26:34 7,706,112 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-18 18:47:20 8,231,936 ----a-w C:\WINDOWS\system32\wmploc.dll
- 2006-05-09 18:00:22 546,816 ------w C:\WINDOWS\system32\wmpmde.dll
+ 2006-10-18 18:47:20 613,376 ------w C:\WINDOWS\system32\wmpmde.dll
- 2006-05-09 19:26:34 135,680 ------w C:\WINDOWS\system32\wmpps.dll
+ 2006-10-18 18:47:20 130,048 ----a-w C:\WINDOWS\system32\wmpps.dll
- 2006-05-09 19:26:34 97,792 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2006-10-18 18:47:20 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
- 2006-05-09 19:26:34 203,776 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
+ 2006-10-18 18:47:20 204,288 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2006-05-09 19:26:34 564,736 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
+ 2006-10-18 18:47:22 603,648 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
- 2006-05-09 19:26:34 1,280,000 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
+ 2006-10-18 18:47:22 1,329,152 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\WMVADVD.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVD.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
+ 2006-05-09 19:22:32 2,463,744 ----a-w C:\WINDOWS\system32\wmvcore(4).dll
- 2006-05-09 19:22:32 2,463,744 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-18 18:47:22 2,450,944 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-05-09 18:01:06 1,463,808 ----a-w C:\WINDOWS\system32\WMVDECOD(2).dll
- 2006-05-09 18:01:06 1,463,808 ------w C:\WINDOWS\system32\WMVDECOD.dll
+ 2006-10-18 18:47:22 1,543,680 ------w C:\WINDOWS\system32\WMVDECOD.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
- 2006-05-09 19:26:34 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-18 18:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
- 2006-05-09 18:00:58 1,455,616 ------w C:\WINDOWS\system32\WMVENCOD.dll
+ 2006-10-18 18:47:22 1,574,912 ------w C:\WINDOWS\system32\WMVENCOD.dll
- 2006-05-09 18:01:06 1,359,360 ------w C:\WINDOWS\system32\WMVSDECD.dll
+ 2006-10-18 18:47:22 1,382,912 ------w C:\WINDOWS\system32\WMVSDECD.dll
- 2006-05-09 18:00:58 770,560 ------w C:\WINDOWS\system32\WMVSENCD.dll
+ 2006-10-18 18:47:22 767,488 ------w C:\WINDOWS\system32\WMVSENCD.dll
- 2006-05-09 18:00:56 636,928 ------w C:\WINDOWS\system32\WMVXENCD.dll
+ 2006-10-18 18:47:22 656,896 ------w C:\WINDOWS\system32\WMVXENCD.dll
- 2006-05-09 17:58:50 670,208 ----a-w C:\WINDOWS\system32\wpd_ci.dll
+ 2006-10-18 18:47:22 629,760 ----a-w C:\WINDOWS\system32\wpd_ci.dll
- 2006-05-09 17:58:40 35,840 ----a-w C:\WINDOWS\system32\wpdconns.dll
+ 2006-10-18 18:47:22 35,840 ----a-w C:\WINDOWS\system32\wpdconns.dll
- 2006-05-09 17:58:40 144,896 ----a-w C:\WINDOWS\system32\wpdmtp.dll
+ 2006-10-18 18:47:22 154,624 ----a-w C:\WINDOWS\system32\wpdmtp.dll
- 2006-05-09 17:58:40 55,808 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-18 18:47:22 63,488 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
- 2006-05-09 17:58:54 3,745,280 ------w C:\WINDOWS\system32\WpdShext.dll
+ 2006-10-18 18:47:22 2,603,008 ------w C:\WINDOWS\system32\WpdShext.dll
- 2006-05-09 17:58:54 13,824 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-18 17:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-18 18:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-05-09 17:58:54 52,224 ----a-w C:\WINDOWS\system32\WPDShServiceObj(2).dll
- 2006-05-09 17:58:54 52,224 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
+ 2006-10-18 18:47:22 133,632 ----a-w C:\WINDOWS\system32\wpdshserviceobj.dll
- 2006-05-09 17:58:46 343,552 ----a-w C:\WINDOWS\system32\WPDSp.dll
+ 2006-10-18 18:47:22 356,352 ----a-w C:\WINDOWS\system32\wpdsp.dll
- 2006-04-11 11:30:44 93,752 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-28 17:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
- 2006-04-11 11:27:18 130,048 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-28 15:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
- 2006-04-11 11:26:44 158,208 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-28 15:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
- 2006-04-11 11:26:56 54,272 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-28 15:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
- 2006-04-11 11:27:18 304,640 ------w C:\WINDOWS\system32\WUDFx.dll
+ 2006-09-28 15:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
+ 2007-11-14 13:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-14 13:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-11-14 13:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 09:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-14 13:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 13:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 13:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 13:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 13:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 13:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 13:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 13:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 13:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-18 17:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-18 17:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 13:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 08:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-18 17:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-18 17:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-11-14 13:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 13:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-10-11 13:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-14 13:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-11-14 13:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 13:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 13:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 13:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-14 13:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 13:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 08:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 13:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 13:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 13:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 13:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2007-08-08 17:02:00 235,008 ----a-w C:\WINDOWS\UNBOC.EXE
+ 2006-06-05 11:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 11:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 11:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 18:33 155648]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 13:48 157592]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49 338432]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-04 11:18 180269]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-08 16:13 1410304]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-10-10 20:02 606208 --a------ C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-10-10 20:01 86016 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2007-10-10 15:47 49152 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-08 16:17]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2005-07-26 10:46]
S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;C:\WINDOWS\system32\DRIVERS\ewusbapp.sys [2005-07-26 10:46]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;C:\WINDOWS\system32\DRIVERS\ewusbser.sys [2005-07-26 10:46]
S3 umpusbxp;UMP Serial Port Driver;C:\WINDOWS\system32\DRIVERS\umpusbxp.sys [2004-07-20 22:39]
S4 Ravsvrs;Ravsvrs;C:\Program Files\Outlook Express\Ravsvrs.exe []
S4 Windows Networks;Windows Networks;C:\Program Files\NetMeeting\inetsock.exe [1983-12-13 22:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cdeeedb-5dfe-11dc-9e03-00123fec166e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3783971a-04db-11db-be24-00123fec166e}]
\Shell\AutoRun\command - svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3783971c-04db-11db-be24-00123fec166e}]
\Shell\AutoRun\command - svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3783971d-04db-11db-be24-00123fec166e}]
\Shell\AutoRun\command - svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54aa6dcb-5466-11dc-9dfa-00123fec166e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL USB2.0.exe
\Shell\打开(&O)\command - USB2.0.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6deb68bc-75a6-11dc-9e2c-00123fec166e}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7918313e-50eb-11dc-9df8-00123fec166e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd8cfa01-8321-11dc-9e80-00123fec166e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL USB2.0.exe
\Shell\打开(&O)\command - F:\USB2.0.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 11:04:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 11:09:43 - machine was rebooted [Louis]
ComboFix-quarantined-files.txt 2008-01-05 08:09:37
.
2007-09-30 05:03:31 --- E O F ---

3. HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:52 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{5028C0F9-5D64-44CE-A7AD-F2DF30BF15D3}: NameServer = 212.88.97.20,81.199.21.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1552E96-F237-462A-AE47-7DC4B7810BD8}: NameServer = 81.199.21.94 81.199.31.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS3\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS4\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O17 - HKLM\System\CS5\Services\Tcpip\..\{0BADDEC2-6297-4A30-A777-DC2FC188A108}: NameServer = 81.199.21.94,81.199.31.33
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7153 bytes

#6 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:37 PM

Posted 08 January 2008 - 03:50 PM

Hi mammal, :thumbsup:

You've been posting on the same problem at another forum, which means that you've been wasting my time and that of my coach.

Sorry but this thread will be closed.



