Hijackthis Log / Infected


  • This topic is locked
28 replies to this topic

#16 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 11 April 2008 - 02:08 AM

Hi techi

Let's see what this scan will show us...............

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy & Paste the entire report in your next reply.

Please let me have a fresh Hjt log as well.

Thanks.


#17 techi
  • Topic Starter

  • Members
  • 22 posts

Posted 11 April 2008 - 02:46 AM

I will do this now, but before I do, just a quick update for you: last night I ran Spybot Search and Destroy and 1 of the tmp files created has the win32.tiny.abk. This might shed some light; I'll get back to you with other results shortly.

Thanks
techi

#18 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 11 April 2008 - 11:39 AM

> 1 of the tmp files created has the win32.tiny.abk. This might shed some light,

It does actually. Thanks for that.
I'll wait until the scan results are back and then I'll take it from there.



#19 techi
  • Topic Starter

  • Members
  • 22 posts

Posted 11 April 2008 - 03:04 PM

Both logs attached, hope it helps.

Scanning Report
Friday, April 11, 2008 08:54:05 - 20:58:01

Computer name: LAPTOP
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 5 malware found
AdWare.Win32.Agent (spyware)

* System

Packed.Win32.Monder.gen (virus)

* D:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP111\A0029268.EXE (Submitted)

Trojan-Downloader.Win32.Small.iui (virus)

* D:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP111\A0029269.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Small.snf (virus)

* D:\SYSTEM VOLUME INFORMATION\_RESTORE{9A3A1826-3C08-47E6-B001-DC7D836B6A7A}\RP111\A0029270.EXE (Renamed & Submitted)

Trojan-Dropper:W32/Agent.DZD (virus)

* D:\TEST\TEST2\A0018031.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 34022
* System: 3282
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 2
* Submitted: 4

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{2A005D96-9936-43BC-802C-8E41B1A23991}.BIN
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MAILFRONTIER\REGINFO.XML

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-04-11
* F-Secure AVP: 7.0.171, 2008-04-11
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:32, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
D:\TEST\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: 12Ghosts Toolbar - {00000000-000a-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7005E34C-4DF0-4E3D-8AB1-A89F55326200}: NameServer = 80.249.249.249,80.249.249.250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5380 bytes
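
A first-pass triage script for the HijackThis v2 log format posted above, added here as an example; it is not part of this thread and not a HijackThis or BleepingComputer tool. It parses the R/O entry lines and flags what a helper checks first: O2 BHOs marked "(no file)", O4 autoruns launched from a temp directory, O16 ActiveX downloads from hosts outside an analyst-maintained allowlist, and O17 custom NameServer settings. The sample log (two entries are made up), the allowlist and the temp-path markers are constructed assumptions for the example.

```python
"""Triage the entry lines of a HijackThis v2 log (added example, not a HijackThis tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Each entry line looks like "O2 - BHO: ... - {GUID} - path": a section code,
# " - ", then a free-form body whose layout depends on the section.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Assumption: an analyst-maintained allowlist of hosts that are expected to
# serve ActiveX (O16 DPF) controls, seeded from the scanners used in this thread.
EXPECTED_DPF_HOSTS = {"support.f-secure.com", "www.eset.eu", "utilities.pcpitstop.com"}

# Path fragments (lower-case) that indicate an autorun launched from a temp directory.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")

# Constructed sample log: lines modelled on the format of the log posted above,
# plus two made-up entries (an O4 temp autorun and an O16 from an unknown host).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\upd.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://cab.example.net/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7005E34C-4DF0-4E3D-8AB1-A89F55326200}: NameServer = 80.249.249.249,80.249.249.250
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section code, e.g. "O4"
    severity: str  # "review" (needs a human look) or "info"
    reason: str
    line: str


def dpf_host(body: str) -> str:
    """Host part of the download URL at the end of an O16 body ('' if absent)."""
    m = re.search(r"(https?://\S+)$", body)
    if not m:
        return ""
    return urlparse(m.group(1)).hostname or ""


def assess(code: str, body: str, line: str) -> Finding:
    """Apply the first-pass rules a helper applies to one entry line."""
    low = body.lower()
    if code == "O2" and low.endswith("(no file)"):
        return Finding(code, "review", "BHO is registered but its DLL is missing (orphaned entry)", line)
    if code == "O4" and any(marker in low for marker in TEMP_MARKERS):
        return Finding(code, "review", "autorun entry launches a program from a temp directory", line)
    if code == "O16":
        host = dpf_host(body)
        if host not in EXPECTED_DPF_HOSTS:
            return Finding(code, "review", f"ActiveX control downloaded from unexpected host '{host}'", line)
        return Finding(code, "info", f"ActiveX control from expected host '{host}'", line)
    if code == "O17" and "nameserver" in low:
        servers = body.split("=", 1)[1].strip()
        return Finding(code, "review", f"custom DNS servers {servers}; confirm they belong to the ISP", line)
    return Finding(code, "info", "no rule matched", line)


def triage(log_text: str) -> list[Finding]:
    """Parse every entry line of a log and return one Finding per entry."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(assess(m.group("code"), m.group("body"), raw.strip()))
    return findings


def needs_review(findings: list[Finding]) -> list[Finding]:
    """Only the findings that a human should look at."""
    return [f for f in findings if f.severity == "review"]


if __name__ == "__main__":
    for f in needs_review(triage(SAMPLE_LOG)):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

A "review" finding is a prompt to look, not a verdict: O17 entries in particular are legitimate when the servers belong to the user's ISP.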

#20 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 11 April 2008 - 06:20 PM

Hi techi

Let's see if we can nail this once and for sure.

Step 1
Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Step 2
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

In your next reply, please submit:
SDFix report.txt
and the ComboFix.txt

Thanks.



#21 techi
  • Topic Starter

  • Members
  • 22 posts

Posted 12 April 2008 - 03:31 PM

Logs attached.


SDFix: Version 1.169
Run by Martin Browne on 12/04/2008 at 10:31

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Name:
rwtatpl

Path:
\??\C:\WINDOWS\Cursors\rwtatpl.lid

rwtatpl - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Cursors\rwtatpl.lid - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 10:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0010c6268faf]
"001842e161cb"=hex:15,13,d4,ab,7d,55,1b,4c,84,72,47,b5,1d,f6,57,a7
"001b59a73bfe"=hex:c0,78,e5,6d,3b,a0,d3,97,38,f6,e1,22,87,4d,91,c2
"00192d01d108"=hex:5b,80,e8,1f,b2,3b,82,73,b7,94,6a,52,04,25,70,b8
"001e3a41db98"=hex:82,e1,f0,69,b4,1a,59,24,58,38,57,6c,34,95,29,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:3a,7e,3c,43,89,cb,3d,b6,b5,bf,17,78,95,73,7a,cf,b5,42,b0,5d,b9,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,77,75,92,a6,2c,f9,38,72,cb,0c,70,fe,e9,8c,46,66,69,..
"khjeh"=hex:12,0a,5b,55,54,76,95,86,08,fa,f2,96,84,5a,83,e5,cb,bf,6f,40,52,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,b7,64,aa,87,7a,01,fa,2a,71,76,c9,25,56,14,de,20,c9,36,92,e1,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6268faf]
"001842e161cb"=hex:15,13,d4,ab,7d,55,1b,4c,84,72,47,b5,1d,f6,57,a7
"001b59a73bfe"=hex:c0,78,e5,6d,3b,a0,d3,97,38,f6,e1,22,87,4d,91,c2
"00192d01d108"=hex:5b,80,e8,1f,b2,3b,82,73,b7,94,6a,52,04,25,70,b8
"001e3a41db98"=hex:82,e1,f0,69,b4,1a,59,24,58,38,57,6c,34,95,29,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:3a,7e,3c,43,89,cb,3d,b6,b5,bf,17,78,95,73,7a,cf,b5,42,b0,5d,b9,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,77,75,92,a6,2c,f9,38,72,cb,0c,70,fe,e9,8c,46,66,69,..
"khjeh"=hex:12,0a,5b,55,54,76,95,86,08,fa,f2,96,84,5a,83,e5,cb,bf,6f,40,52,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,b7,64,aa,87,7a,01,fa,2a,71,76,c9,25,56,14,de,20,c9,36,92,e1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c6268faf]
"001842e161cb"=hex:15,13,d4,ab,7d,55,1b,4c,84,72,47,b5,1d,f6,57,a7
"001b59a73bfe"=hex:c0,78,e5,6d,3b,a0,d3,97,38,f6,e1,22,87,4d,91,c2
"00192d01d108"=hex:5b,80,e8,1f,b2,3b,82,73,b7,94,6a,52,04,25,70,b8
"001e3a41db98"=hex:82,e1,f0,69,b4,1a,59,24,58,38,57,6c,34,95,29,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:3a,7e,3c,43,89,cb,3d,b6,b5,bf,17,78,95,73,7a,cf,b5,42,b0,5d,b9,..
"p0"="C:\Program Files\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,77,75,92,a6,2c,f9,38,72,cb,0c,70,fe,e9,8c,46,66,69,..
"khjeh"=hex:12,0a,5b,55,54,76,95,86,08,fa,f2,96,84,5a,83,e5,cb,bf,6f,40,52,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:de,b7,64,aa,87,7a,01,fa,2a,71,76,c9,25,56,14,de,20,c9,36,92,e1,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 15 Dec 2005 139,264 A..HR --- "C:\Program Files\EDC16 flasher\GetID\Get_ID_hdd+CPU.exe"
Tue 12 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3a8714eb7dd4db456941e95c20d46049\BIT9C.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4121ff78bd22983fb850d6acfea61c00\BIT98.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\BIT97.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\991099a35378d98f420ab4028323ec84\BIT9B.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ba203fc55df79697d61ee240fe4d59fa\BIT9A.tmp"
Sat 12 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d05e90bdbe498b084a93603bc30f3c3c\BIT99.tmp"

Finished!



ComboFix 08-04-11.5 - Martin Browne 2008-04-12 21:20:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.705 [GMT 1:00]
Running from: C:\Documents and Settings\Martin Browne\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ELosoft.DLL

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-12 10:28 . 2008-04-12 10:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-12 10:24 . 2008-04-12 10:24 <DIR> d-------- C:\SDFix
2008-04-11 08:49 . 2008-04-11 08:49 <DIR> d-------- C:\fsaua.data
2008-04-05 19:55 . 2008-04-05 19:55 <DIR> d-------- C:\Deckard
2008-04-03 23:27 . 2008-04-04 08:12 <DIR> d-------- C:\fixwareout
2008-04-02 14:24 . 2008-04-02 14:24 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-02 13:28 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-04-02 13:27 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-04-02 13:27 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-04-02 13:27 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-04-02 13:27 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-04-02 13:27 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-04-02 13:27 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-04-02 13:27 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-04-01 07:29 . 2008-04-01 07:29 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\pdf995
2008-04-01 07:29 . 2008-04-01 07:29 28 --a------ C:\WINDOWS\pdf995.ini
2008-03-25 19:21 . 2008-03-25 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\12Ghosts
2008-03-25 19:17 . 2008-03-25 19:17 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\12Ghosts
2008-03-25 19:14 . 2008-03-25 19:14 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\SLAutoSave
2008-03-25 11:22 . 2008-03-25 11:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 11:22 . 2008-03-25 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 08:58 . 2008-04-12 20:09 1,113 --a------ C:\rollback.ini
2008-03-25 00:04 . 2004-08-04 00:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-03-25 00:03 . 2008-03-25 00:03 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-25 00:03 . 2008-03-25 00:03 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\PC Suite
2008-03-25 00:02 . 2008-03-25 00:10 <DIR> d-------- C:\Program Files\Nokia
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Real
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-23 12:20 . 2008-03-23 12:20 <DIR> d-------- C:\Program Files\FlashFXP
2008-03-23 12:20 . 2008-03-23 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FlashFXP
2008-03-20 11:51 . 2008-03-20 11:51 <DIR> d-------- C:\Program Files\Foxit Software
2008-03-15 02:37 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-15 02:36 . 2008-03-15 02:37 <DIR> d-------- C:\Program Files\Java
2008-03-15 02:35 . 2008-03-15 02:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-13 11:45 . 2008-03-13 18:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-13 11:45 . 2008-03-13 11:45 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\SUPERAntiSpyware.com
2008-03-13 11:45 . 2008-03-13 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-13 11:44 . 2008-03-13 11:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-13 02:23 . 2008-03-13 02:23 98 --a------ C:\WINDOWS\wininit.ini
2008-03-12 22:44 . 2008-03-12 22:41 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-12 22:44 . 2008-03-12 22:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-12 22:38 . 2008-03-13 00:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-12 22:38 . 2008-03-13 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 01:53 . 2008-03-25 17:03 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\MailFrontier
2008-03-12 01:48 . 2008-04-12 21:23 921,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-12 01:48 . 2008-04-12 10:25 11,204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-12 01:43 . 2008-03-12 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-12 01:43 . 2008-04-12 10:40 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-12 01:23 . 2008-03-12 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiSpyInfo
2008-03-12 01:04 . 2008-03-12 01:04 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 09:25 520,192 ----a-w C:\WINDOWS\Internet Logs\xDB26.tmp
2008-04-12 09:24 3,109,376 ----a-w C:\WINDOWS\Internet Logs\xDB27.tmp
2008-04-12 07:30 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\MailWasherPro
2008-04-10 21:48 51,200 ----a-w C:\WINDOWS\Internet Logs\xDB24.tmp
2008-04-10 21:48 3,094,528 ----a-w C:\WINDOWS\Internet Logs\xDB25.tmp
2008-04-10 21:44 50,176 ----a-w C:\WINDOWS\Internet Logs\xDB22.tmp
2008-04-10 21:44 3,094,528 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-04-10 21:39 55,808 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2008-04-10 21:39 3,101,184 ----a-w C:\WINDOWS\Internet Logs\xDB21.tmp
2008-04-10 21:32 576,000 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-04-10 21:32 3,094,016 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-04-09 19:44 3,098,112 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-04-09 15:03 3,089,920 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-05 16:29 3,056,640 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-04-05 11:25 3,054,592 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-04-04 07:06 3,052,032 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-04-03 01:04 0 ----a-w C:\Documents and Settings\Martin Browne\Martin Browne_notes.dat
2008-04-03 00:46 156,672 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-04-02 13:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 13:17 --------- d-----w C:\Program Files\12Ghosts
2008-04-02 10:58 3,000,832 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-04-02 10:58 263,680 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-04-01 06:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-29 00:03 104,448 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-28 14:54 45,056 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-28 14:54 2,963,968 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-03-28 14:39 572,928 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-03-24 22:56 227,328 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-03-24 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 20:01 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-24 20:01 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-23 00:42 101,888 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-03-23 00:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-22 14:15 2,587,136 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-03-22 14:15 164,352 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-03-22 09:56 2,576,896 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-03-22 09:56 157,184 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-03-22 09:22 145,408 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-03-21 21:07 206,848 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-03-21 21:07 2,564,096 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-03-20 17:23 901,632 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-03-15 14:46 156,672 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-03-15 00:51 2,329,600 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-03-15 00:51 2,223,616 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-03-14 23:19 --------- d-----w C:\Program Files\Elnec_sw
2008-03-14 00:28 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-03-13 23:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 23:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-13 15:28 48,640 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-03-13 10:56 2,716,672 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-03-13 10:56 2,067,968 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-03-11 12:26 --------- d-----w C:\Program Files\Zone Labs
2008-03-11 06:18 12,424 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys.install_backup
2008-03-11 04:08 --------- d-----w C:\Program Files\Lavasoft
2008-03-11 00:50 --------- d-----w C:\Program Files\Intel
2008-03-11 00:40 --------- d-----w C:\Program Files\Driver Magician
2008-03-10 15:29 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-10 14:03 --------- d-----w C:\Program Files\Auction Auto Bidder
2008-03-09 22:58 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\InstallShield
2008-03-09 17:16 --------- d-----w C:\Program Files\PCPitstop
2008-03-08 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-03-07 20:21 --------- d-----w C:\Program Files\LogoManager Pro Suite
2008-03-02 22:41 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-02 22:41 --------- d-----w C:\Program Files\AVSMedia
2008-03-02 22:10 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\DivX
2008-03-02 12:03 --------- d-----w C:\Program Files\EDC16 flasher
2008-02-29 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-29 22:48 --------- d-----w C:\Program Files\Motorola
2008-02-29 22:12 --------- d-----w C:\Program Files\DIFX
2008-02-24 21:23 --------- d-----r C:\Documents and Settings\Martin Browne\Application Data\Brother
2008-02-22 23:38 --------- d-----w C:\Program Files\XP TCPIP Repair
2008-02-22 11:37 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\InternetCalls
2008-02-22 11:34 --------- d-----w C:\Program Files\InternetCalls.com
2008-02-20 23:55 --------- d-----w C:\Program Files\Common Files\LogoManager
2008-01-25 11:58 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-01-25 11:58 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 17:51 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01 4632576]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Qualcomm\EuShlExt.dll [2006-08-17 15:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ePad995.lnk]
backup=C:\WINDOWS\pss\ePad995.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts FTP.lnk]
backup=C:\WINDOWS\pss\12Ghosts FTP.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts Tower.lnk]
backup=C:\WINDOWS\pss\12Ghosts Tower.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts TrayProtect.lnk]
backup=C:\WINDOWS\pss\12Ghosts TrayProtect.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InternetCalls]
--a------ 2007-04-18 16:49 7116352 C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-26 12:01 4632576 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-26 12:01 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a------ 2008-03-09 18:37 1684480 C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-08-16 21:54 339968 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-24 21:01 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2005-09-09 15:32 102400 C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"mnmsrvc"=2 (0x2)
"12Ghosts TrayProtect"=2 (0x2)
"12Ghosts Synchronize"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\DRIVERS\DLPortIO.SYS [2005-03-11 13:26]
R2 pardrv;pardrv;C:\WINDOWS\system32\drivers\pardrv.sys [2003-09-29 13:51]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-10-23 18:04]
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]
S3 MAC_MOT;MAC_MOT;C:\Program Files\BKE v2.2\MAC_MOT.sys [1999-05-14 02:00]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2005-09-21 13:31]
S3 umpserenum;Serenum Filter Driver ;C:\WINDOWS\system32\DRIVERS\umpserenum.sys [2007-07-20 23:22]
S3 umpusbvista;UMP Serial Port Driver ;C:\WINDOWS\system32\DRIVERS\umpusbvista.sys [2007-07-20 23:21]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 12Ghosts Synchronize;12Ghosts Synchronize;C:\Program Files\12Ghosts\12srvc.exe [2008-03-19 09:19]
S4 12Ghosts TrayProtect;12Ghosts TrayProtect;C:\Program Files\12Ghosts\12srvc.exe [2008-03-19 09:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a1f3e00-192b-11dc-a2e6-0010c6268faf}]
\Shell\AutoRun\command - setupSNK.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 21:23:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-12 21:24:36
ComboFix-quarantined-files.txt 2008-04-12 20:24:26
Pre-Run: 35,136,741,376 bytes free
Post-Run: 35,119,869,952 bytes free
.
2008-03-12 00:10:10 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:58, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\TEST\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: 12Ghosts Toolbar - {00000000-000a-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7005E34C-4DF0-4E3D-8AB1-A89F55326200}: NameServer = 80.249.249.249,80.249.249.250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5107 bytes

#22 Starbuck
  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 13 April 2008 - 03:41 PM

Hi techi

Ok, that got a bit more.
Just a few things to clean up now.

Step 1
Close any open browsers.
Close/disable all anti-virus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon, as below.
[screenshot: dropping CFScript.txt onto the ComboFix.exe icon]

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
A new ComboFix.txt
a new Hjt log
Could you let me know if you are still having any problems with the 'spamming'?
And also... is your full 'Zone Alarm' running? I need to know if the anti-virus is running or not.

Thanks.

Edited by Starbuck, 13 April 2008 - 04:33 PM.



#23 techi
  • Topic Starter
  • Members
  • 22 posts

Posted 14 April 2008 - 03:06 PM

Logs attached, taken with no malware/firewall/anti-virus programs running. I will load ZoneAlarm and check for background spam.

ComboFix 08-04-11.5 - Martin Browne 2008-04-14 20:56:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.707 [GMT 1:00]
Running from: C:\Documents and Settings\Martin Browne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin Browne\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1D.tmp
C:\WINDOWS\Internet Logs\xDB1E.tmp
C:\WINDOWS\Internet Logs\xDB1F.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB20.tmp
C:\WINDOWS\Internet Logs\xDB21.tmp
C:\WINDOWS\Internet Logs\xDB22.tmp
C:\WINDOWS\Internet Logs\xDB23.tmp
C:\WINDOWS\Internet Logs\xDB24.tmp
C:\WINDOWS\Internet Logs\xDB25.tmp
C:\WINDOWS\Internet Logs\xDB26.tmp
C:\WINDOWS\Internet Logs\xDB27.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-12 10:28 . 2008-04-12 10:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-12 10:24 . 2008-04-12 10:24 <DIR> d-------- C:\SDFix
2008-04-11 08:49 . 2008-04-11 08:49 <DIR> d-------- C:\fsaua.data
2008-04-05 19:55 . 2008-04-05 19:55 <DIR> d-------- C:\Deckard
2008-04-03 23:27 . 2008-04-04 08:12 <DIR> d-------- C:\fixwareout
2008-04-02 14:24 . 2008-04-02 14:24 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-04-02 13:28 . 2004-08-03 23:10 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-04-02 13:27 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-04-02 13:27 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-04-02 13:27 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-04-02 13:27 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-04-02 13:27 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-04-02 13:27 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-04-02 13:27 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-04-02 13:27 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-04-01 07:29 . 2008-04-01 07:29 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\pdf995
2008-04-01 07:29 . 2008-04-01 07:29 28 --a------ C:\WINDOWS\pdf995.ini
2008-03-25 19:21 . 2008-03-25 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\12Ghosts
2008-03-25 19:17 . 2008-03-25 19:17 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\12Ghosts
2008-03-25 19:14 . 2008-03-25 19:14 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\SLAutoSave
2008-03-25 11:22 . 2008-03-25 11:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-25 11:22 . 2008-03-25 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 08:58 . 2008-04-14 20:47 2,387 --a------ C:\rollback.ini
2008-03-25 00:04 . 2004-08-04 00:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-03-25 00:03 . 2008-03-25 00:03 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-25 00:03 . 2008-03-25 00:03 <DIR> d-------- C:\Documents and Settings\Martin Browne\Application Data\PC Suite
2008-03-25 00:02 . 2008-03-25 00:10 <DIR> d-------- C:\Program Files\Nokia
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Real
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-24 21:01 . 2008-03-24 21:01 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-23 12:20 . 2008-03-23 12:20 <DIR> d-------- C:\Program Files\FlashFXP
2008-03-23 12:20 . 2008-03-23 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FlashFXP
2008-03-20 11:51 . 2008-03-20 11:51 <DIR> d-------- C:\Program Files\Foxit Software
2008-03-15 02:37 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-15 02:36 . 2008-03-15 02:37 <DIR> d-------- C:\Program Files\Java
2008-03-15 02:35 . 2008-03-15 02:35 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 19:58 1,067,040 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 19:54 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\MailWasherPro
2008-04-13 10:57 12,404 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-03 01:04 0 ----a-w C:\Documents and Settings\Martin Browne\Martin Browne_notes.dat
2008-04-02 13:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 13:17 --------- d-----w C:\Program Files\12Ghosts
2008-04-01 06:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-25 16:03 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\MailFrontier
2008-03-24 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 00:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-14 23:19 --------- d-----w C:\Program Files\Elnec_sw
2008-03-13 23:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 17:27 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-13 10:45 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\SUPERAntiSpyware.com
2008-03-13 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-13 10:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 23:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-12 21:41 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-12 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-12 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiSpyInfo
2008-03-11 12:26 --------- d-----w C:\Program Files\Zone Labs
2008-03-11 06:18 12,424 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys.install_backup
2008-03-11 04:08 --------- d-----w C:\Program Files\Lavasoft
2008-03-11 00:50 --------- d-----w C:\Program Files\Intel
2008-03-11 00:40 --------- d-----w C:\Program Files\Driver Magician
2008-03-10 15:29 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-10 14:03 --------- d-----w C:\Program Files\Auction Auto Bidder
2008-03-09 22:58 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\InstallShield
2008-03-09 17:16 --------- d-----w C:\Program Files\PCPitstop
2008-03-08 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-03-07 20:21 --------- d-----w C:\Program Files\LogoManager Pro Suite
2008-03-02 22:41 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-02 22:41 --------- d-----w C:\Program Files\AVSMedia
2008-03-02 22:10 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\DivX
2008-03-02 12:03 --------- d-----w C:\Program Files\EDC16 flasher
2008-02-29 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-29 22:48 --------- d-----w C:\Program Files\Motorola
2008-02-29 22:12 --------- d-----w C:\Program Files\DIFX
2008-02-24 21:23 --------- d-----r C:\Documents and Settings\Martin Browne\Application Data\Brother
2008-02-22 23:38 --------- d-----w C:\Program Files\XP TCPIP Repair
2008-02-22 11:37 --------- d-----w C:\Documents and Settings\Martin Browne\Application Data\InternetCalls
2008-02-22 11:34 --------- d-----w C:\Program Files\InternetCalls.com
2008-02-20 23:55 --------- d-----w C:\Program Files\Common Files\LogoManager
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_21.24.08.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 10:00:00 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 17:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 10:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-08 12:38:38 243,128 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-13 10:57:46 243,128 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 17:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-04-12 09:44:47 69,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-13 11:03:22 69,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-12 09:44:47 438,052 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-13 11:03:22 438,052 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-04-12 09:40:27 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-04-12 20:28:53 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 17:51 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01 4632576]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Qualcomm\EuShlExt.dll [2006-08-17 15:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ePad995.lnk]
backup=C:\WINDOWS\pss\ePad995.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts FTP.lnk]
backup=C:\WINDOWS\pss\12Ghosts FTP.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts Tower.lnk]
backup=C:\WINDOWS\pss\12Ghosts Tower.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Martin Browne^Start Menu^Programs^Startup^12Ghosts TrayProtect.lnk]
backup=C:\WINDOWS\pss\12Ghosts TrayProtect.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InternetCalls]
--a------ 2007-04-18 16:49 7116352 C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-26 12:01 4632576 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-26 12:01 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
--a------ 2008-03-09 18:37 1684480 C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-08-16 21:54 339968 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-24 21:01 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2005-09-09 15:32 102400 C:\WINDOWS\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"mnmsrvc"=2 (0x2)
"12Ghosts TrayProtect"=2 (0x2)
"12Ghosts Synchronize"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\DRIVERS\DLPortIO.SYS [2005-03-11 13:26]
R2 pardrv;pardrv;C:\WINDOWS\system32\drivers\pardrv.sys [2003-09-29 13:51]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-10-23 18:04]
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]
S3 MAC_MOT;MAC_MOT;C:\Program Files\BKE v2.2\MAC_MOT.sys [1999-05-14 02:00]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2005-09-21 13:31]
S3 umpserenum;Serenum Filter Driver ;C:\WINDOWS\system32\DRIVERS\umpserenum.sys [2007-07-20 23:22]
S3 umpusbvista;UMP Serial Port Driver ;C:\WINDOWS\system32\DRIVERS\umpusbvista.sys [2007-07-20 23:21]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 12Ghosts Synchronize;12Ghosts Synchronize;C:\Program Files\12Ghosts\12srvc.exe [2008-03-19 09:19]
S4 12Ghosts TrayProtect;12Ghosts TrayProtect;C:\Program Files\12Ghosts\12srvc.exe [2008-03-19 09:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a1f3e00-192b-11dc-a2e6-0010c6268faf}]
\Shell\AutoRun\command - setupSNK.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 20:59:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 21:00:16
ComboFix-quarantined-files.txt 2008-04-14 20:00:04
ComboFix2.txt 2008-04-12 20:24:38
Pre-Run: 35,230,621,696 bytes free
Post-Run: 35,215,335,424 bytes free
.
2008-04-13 10:56:15 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:05:00, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\TEST\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: 12Ghosts Toolbar - {00000000-000a-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7005E34C-4DF0-4E3D-8AB1-A89F55326200}: NameServer = 80.249.249.249,80.249.249.250
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4927 bytes

#24 techi

techi
  • Topic Starter

  • Members
  • 22 posts

Posted 14 April 2008 - 03:33 PM

Now here's an interesting one: with ZoneAlarm loaded and all rights enabled for services there are NO tmp files being created in windows\temp. Yippie!!

The other thing is, when I run netstat there is NO spam being sent in the background, although I do have a question; here is a copy/paste of netstat.

It's looking really, really good now; we might be there, I think you hit the nail on the head.

Immediately after I enabled all rights, this is what I got from netstat.
C:\Documents and Settings\Martin Browne>netstat

Active Connections

Proto Local Address Foreign Address State
TCP laptop:4398 localhost:4399 ESTABLISHED
TCP laptop:4399 localhost:4398 ESTABLISHED
TCP laptop:4400 localhost:4401 ESTABLISHED
TCP laptop:4401 localhost:4400 ESTABLISHED
TCP laptop:4437 dyna-aus2.nslb.sj.mozilla.com:https ESTABLISHED

The IP address listed below, I have no idea what it is and it did seem to be linked to the spam. It's the TIME_WAIT that scares me, in that it is how netstat looked before sending the spam, only no spam this time.

C:\Documents and Settings\Martin Browne>netstat

Active Connections

Proto Local Address Foreign Address State
TCP laptop:4398 localhost:4399 ESTABLISHED
TCP laptop:4399 localhost:4398 ESTABLISHED
TCP laptop:4400 localhost:4401 ESTABLISHED
TCP laptop:4401 localhost:4400 ESTABLISHED
TCP laptop:4436 84.53.134.72:http TIME_WAIT

C:\Documents and Settings\Martin Browne>

#25 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 15 April 2008 - 02:11 AM

Hi techi

The IP address listed below, I have no idea what it is and it did seem to be linked to the spam

The IP address listed and the one in your Hjt log.... relate to the same company.
So there's nothing to worry about there.

It's the TIME_WAIT that scares me, in that it is how netstat looked before sending the spam

The 'TIME_WAIT' is nothing to worry about.
This will explain:

The TIME_WAIT state is part of the closing of a TCP connection. When the connection is closed, it spends some time in TIME_WAIT to allow packets which are delayed en route to be discarded before another socket is opened on the same port. Allowing the port to be reused immediately could lead to potential for confusion.


From what I can see from the logs.... everything looks good now and the 'Spam sending' has been resolved.
Sorry we didn't pick it up earlier... it's not an infection that shows up easily.
Once you gave us a name, we knew what to look for.

Step 1
Please remove SDFix from your system.
Delete any desktop icon you may have and then navigate to this folder (the folder in bold):
C:\SDFix
Then right click on this folder and select 'delete'.

Step 2
Please uninstall ComboFix by
Clicking on Start... then Run... and type in combofix /u (don't forget there is a gap between x and /). Then press OK.

When shown the disclaimer, Select "2"

This action will delete the following:
* ComboFix and its associated files and folders.
* VundoFix backups, if present
* The C:\Deckard folder, if present
* The C:\_OtMoveIt folder, if present
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Reset System Restore.

Like I say, your logs look good now...... but
If you really want to be sure, feel free to run another F-Secure online scan.
It's entirely up to you.
The link and instructions are in Post #16

If you run another scan, please post the results back here.
Thanks.

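A small triage of a netstat listing like the two posted above, as an added example (not the poster's or the forum's code): it separates loopback pairs, live external sessions and tear-down states such as TIME_WAIT, which the explanation above describes as an already-closed connection lingering only so late packets can be discarded. The netstat text inside the block is constructed to match the listings in this thread.

```python
# Added example (not the poster's or the forum's code): triage of a Windows
# netstat listing. SAMPLE_NETSTAT is constructed to match the listings above.
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address      Foreign Address                       State
  TCP    laptop:4398        localhost:4399                        ESTABLISHED
  TCP    laptop:4399        localhost:4398                        ESTABLISHED
  TCP    laptop:4400        localhost:4401                        ESTABLISHED
  TCP    laptop:4401        localhost:4400                        ESTABLISHED
  TCP    laptop:4437        dyna-aus2.nslb.sj.mozilla.com:https   ESTABLISHED
  TCP    laptop:4436        84.53.134.72:http                     TIME_WAIT
"""

# proto, local, foreign, optional state (UDP rows carry no state column)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = {"localhost", "127.0.0.1"}
# Tear-down states: the session is already over. TIME_WAIT only keeps the
# port reserved until stray late packets can be discarded.
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2",
                  "LAST_ACK", "CLOSING"}

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; header/blank lines skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows

def split_endpoint(endpoint):
    """'84.53.134.72:http' -> ('84.53.134.72', 'http')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def triage(text):
    """Bucket rows into 'loopback' (both ends on this machine), 'closing'
    (tear-down states such as TIME_WAIT) and 'external' (live remote
    sessions: the only bucket that can still carry traffic such as spam)."""
    out = {"loopback": [], "external": [], "closing": []}
    for _proto, local, foreign, state in parse_netstat(text):
        host, port = split_endpoint(foreign)
        if host in LOOPBACK:
            out["loopback"].append((local, foreign, state))
        elif state in CLOSING_STATES:
            out["closing"].append((host, port, state))
        else:
            out["external"].append((host, port, state))
    return out

def loopback_pairs(text):
    """Pair loopback rows whose ports mirror each other (4398 <-> 4399):
    one local program talking to itself, e.g. a local proxy or AV helper."""
    ports = {}
    for local, foreign, _state in triage(text)["loopback"]:
        ports[split_endpoint(local)[1]] = split_endpoint(foreign)[1]
    return sorted({tuple(sorted((a, b))) for a, b in ports.items()
                   if ports.get(b) == a})

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_NETSTAT).items():
        print(bucket, rows)
    print("loopback pairs:", loopback_pairs(SAMPLE_NETSTAT))
```

Only the 'external' bucket is worth chasing when looking for a process still sending; a TIME_WAIT row to a web host is the remnant of a finished HTTP request.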


#26 techi

techi
  • Topic Starter

  • Members
  • 22 posts

Posted 16 April 2008 - 01:43 AM

F-Secure re-run: it showed no malware found, and no Show Report option appeared this time.

I have a couple of folders that were created during malware removal, "erdnt & erunt", in the Windows directory; do I remove these? The readme states not to unless instructed to by yourself.

#27 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 16 April 2008 - 09:01 AM

Hi techi

I have a couple of folders that were created during malware removal, "erdnt & erunt", in the Windows directory; do I remove these? The readme states not to unless instructed to by yourself.

These are registry backups made by the security programs we ran.
The backups are made in case we have problems with anything that we remove.
They are perfectly harmless, but you can remove them if you want now.

F-Secure re-run: it showed no malware found, and no Show Report option appeared this time.

That's good to hear.
Now that we have managed to sort out your problems, please refer back to Post #12 to find out how you may have become infected and how to take measures to prevent this happening again.
Glad I could help you.



#28 techi

techi
  • Topic Starter

  • Members
  • 22 posts

Posted 16 April 2008 - 11:34 AM

Hi Starbuck,
All I can say is many, many thanks; my only thing now is if I can try to help someone in the future.

Kindest Regards & Thanks
Martin

#29 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 20 April 2008 - 07:43 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



