

Need Help With Iexplore.exe, To Start


  • This topic is locked
8 replies to this topic

#1 BobbyCubby

BobbyCubby

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 25 March 2008 - 09:05 AM

Recently, I've had my PC infected with several viruses - and I'm a virus bonehead, especially over the recent years. Since the late '90s/early 2000s or so, I've practiced safe browsing habits. However, a friend of mine stayed at my house for a couple of weeks who is the utter definition of unsafe - you name it, he's logged in, downloaded, browsed, etc., and I didn't catch it until it was too late.

So now I have a plethora of problems, and am a little overwhelmed. I've followed all steps in the preparing to post a topic log, and in addition, installed a spare security program - CA Internet Security Suite 2008. But the problems persist.

Biggest issue with the prepare phase - the Housecall/Panda/Bit steps: I started each, they'd make it about two-thirds of the way through, then an error would come up and it would shut down.

There are 3 major issues I am having - Iexplore.exe is continuously starting up and hogging resources (I noticed this in the task manager, that it was starting up and eating up memory). I have a white screen, which no longer allows me to set my own desktop. Oddest of all, my PC will start randomly playing music or voices or newscasts out of the blue, with no ready explanation.

Doing some research on these issues, I figured it would be best to have experts help me, so here I am, and thank you. The issue I think is the greatest problem (or at least it slows my PC down the most), and so I'd like to work on that, and see where we can go from there.

Once again, thank you all so much.

Hijack This Log...

*******************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:13 AM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: enlfxgw - {5CE71183-A2DF-4834-9D2F-8BA58000126A} - C:\WINDOWS\enlfxgw.dll (file missing)
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: KernelPrx - {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
O21 - SSODL: zip - {650f05ec-fc76-49d0-b3ec-f004585ff219} - C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10093 bytes


****************************
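As an added triage aid (not part of the thread, and not a HijackThis feature), the following Python script parses a handful of lines copied from the log above and flags the entry patterns a helper looks at first: a toolbar whose DLL is gone, a Run entry launched with no path, SSODL shell objects loaded from the Installer cache, and an Active Desktop component pointing at a local HTML file, which is the usual cause of the "white screen" desktop described in the post. The rule names, severities and the choice of which lines count as benign controls are my own.

```python
import re

# Lines copied from the HijackThis log posted above (a subset, so the script
# runs stand-alone). The Yahoo toolbar, QuickTime, KernelFaultCheck and CA
# service lines are included as benign controls that must not be flagged.
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: enlfxgw - {5CE71183-A2DF-4834-9D2F-8BA58000126A} - C:\WINDOWS\enlfxgw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O21 - SSODL: KernelPrx - {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
O21 - SSODL: zip - {650f05ec-fc76-49d0-b3ec-f004585ff219} - C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# "O3 - Toolbar: ..." -> section id and the rest of the line
ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^HK.*?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A DLL sitting directly inside C:\WINDOWS\Installer\{GUID}\ (the MSI cache)
INSTALLER_DLL_RE = re.compile(
    r"\\WINDOWS\\Installer\\\{[0-9A-Fa-f-]+\}\\[^\\]+\.dll$", re.IGNORECASE)


def executable_of(cmd):
    """Return the program part of a Run-key command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Classify one HijackThis line.

    Returns (section, severity, reason) for a suspicious entry, or None when
    the line is not a HijackThis entry or matches none of the rules.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # Orphaned browser helper/toolbar/button: the registration outlived its DLL.
    if sec in ("O2", "O3", "O9") and "(file missing)" in body:
        return (sec, "medium",
                "browser extension registered but its file is missing; "
                "a leftover of removed or half-installed malware")

    # Autostart whose command has no directory: resolved through PATH lookup.
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:
            exe = executable_of(r.group("cmd"))
            if "\\" not in exe and not exe.startswith("%"):
                return (sec, "high",
                        f"Run entry [{r.group('name')}] launches {exe!r} "
                        "with no path, a common malware autostart pattern")

    # Shell service object DLL loaded from the Installer cache directory.
    if sec == "O21" and INSTALLER_DLL_RE.search(body):
        return (sec, "high",
                "SSODL shell object loaded from C:\\WINDOWS\\Installer\\{GUID}\\, "
                "not from a program directory")

    # Active Desktop component rendering a local HTML page over the wallpaper.
    if sec == "O24" and "file:///" in body.lower():
        return (sec, "high",
                "Active Desktop component points at a local HTML file; "
                "this replaces the user's wallpaper")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(section, severity, reason, line)]."""
    findings = []
    for line in log_text.strip().splitlines():
        res = triage_line(line)
        if res:
            findings.append((res[0], res[1], res[2], line))
    return findings


if __name__ == "__main__":
    for sec, sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {reason}\n         {line}")
```

Run against the full log, the same rules also pick up the O9 IMVU and Messenger "(file missing)" buttons; those are harmless leftovers, which is why that rule is rated medium rather than high.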


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 AM

Posted 25 March 2008 - 05:52 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 BobbyCubby

BobbyCubby
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 27 March 2008 - 07:53 AM

Hi Sam, thank you for your help. I ran Combofix just as you said, and here is my log of it.

*************************
ComboFix 08-03-25.4 - Owner 2008-03-27 8:20:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.520 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 08:13 . 2008-03-27 08:13 <DIR> d-------- C:\ComboFix(2)
2008-03-25 15:58 . 2008-03-25 16:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-25 15:57 . 2008-03-25 15:57 <DIR> d-------- C:\Program Files\LimeWire
2008-03-24 21:51 . 2008-03-24 21:51 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-24 17:14 . 2008-03-24 17:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 17:14 . 2008-03-24 17:16 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-24 17:14 . 2008-03-24 17:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 17:14 . 2008-03-24 17:16 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-24 17:09 . 2008-03-24 17:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-24 00:33 . 2008-03-23 17:54 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-23 17:54 . 2008-03-24 00:51 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-20 09:09 . 2008-03-20 09:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 08:58 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-20 08:58 . 2008-03-20 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 21:55 . 2008-03-27 08:40 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-03-12 05:42 . 2008-03-27 08:36 68,694 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-03-12 05:42 . 2008-03-27 08:36 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-03-11 21:35 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 21:25 . 2008-03-27 08:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CallingID
2008-03-11 21:24 . 2008-03-11 21:57 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-11 21:24 . 2008-03-11 21:24 <DIR> d-------- C:\Program Files\CA
2008-03-11 21:24 . 2008-03-11 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-03-11 21:24 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-03-11 21:24 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-03-11 21:24 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-03-11 21:24 . 2008-03-11 21:33 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-03-11 21:24 . 2008-03-11 21:33 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-03-11 21:24 . 2008-03-11 21:33 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-03-11 21:24 . 2008-03-11 21:33 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-03-07 15:53 . 2008-03-05 03:37 <DIR> d-------- C:\SDFix
2008-03-07 15:51 . 2008-03-07 15:51 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:51 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 06:10 . 2008-03-07 06:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WildTangent
2008-03-06 23:53 . 2008-03-06 23:53 <DIR> d-------- C:\Program Files\Turbine
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-06 22:51 . 2008-03-06 22:51 58,368 --a------ C:\oecpt.exe
2008-03-06 22:51 . 2008-03-06 22:51 51,200 --a------ C:\kxwams.exe
2008-03-06 22:26 . 2008-03-06 22:26 <DIR> d-------- C:\Deckard
2008-03-06 22:20 . 2008-03-06 22:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 23:50 . 2008-03-01 23:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-01 06:21 . 2008-03-02 03:42 <DIR> d-------- C:\WINDOWS\wt
2008-03-01 06:20 . 2008-03-09 12:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-03-01 06:07 . 2008-03-07 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-27 02:40 . 2008-03-12 21:51 <DIR> d-------- C:\Program Files\DNA
2008-02-27 02:40 . 2008-02-27 02:40 <DIR> d-------- C:\Program Files\BitTorrent
2008-02-27 02:40 . 2008-03-27 08:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-03-20 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 19:31 94,208 ----a-w C:\WINDOWS\DUMPa72c.tmp
2008-03-07 19:51 --------- d-----w C:\Program Files\Java
2008-03-07 09:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-07 03:23 374 -c--a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2008-03-01 22:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Turbine
2008-02-09 02:10 --------- d-----w C:\Program Files\World of Warcraft
2008-02-08 03:00 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-08 00:35 --------- d-----w C:\Program Files\CCleaner
2008-02-07 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-02-07 17:48 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-06 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-01-09 19:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 22:28 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-01-01 22:28 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-01-01 22:28 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2007-11-18 05:00 325,168 ----a-w C:\Documents and Settings\Desktop\RealPlayer11GOLD.exe
2007-10-20 19:04 54,297,328 ----a-w C:\Documents and Settings\Desktop\InstallMonopolySpongeBobEdition.exe
2007-07-13 01:54 4 -c--a-w C:\Documents and Settings\All Users\Application Data\winam.dat
2007-05-19 20:03 848 -c--a-w C:\Documents and Settings\All Users\Application Data\amprm.dat
2007-05-19 20:03 758 -c--a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
2007-05-19 19:55 16 -c--a-w C:\Documents and Settings\All Users\Application Data\amguid.dat
2007-05-09 15:16 334 -c--a-w C:\Documents and Settings\All Users\Application Data\awmsg.dat
2006-05-31 13:14 108,056 -c--a-w C:\Program Files\Common Files\secman.dll
2006-03-11 23:09 626,176 -c--a-w C:\Program Files\Common Files\osmax.ocx
2004-05-24 04:57 1,728,602 ----a-w C:\Documents and Settings\Desktop\VisualBoyAdvance.exe
.

------- Sigcheck -------

2001-08-30 06:30 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2005-08-09 13:46 163840 3f6ab275b6b481acce4a10c92ae0d727 C:\WINDOWS\system32\explorer32\svchost.exe

2001-08-30 06:30 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2001-08-30 06:30 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2001-08-30 06:30 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-06_22.32.36.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-17 16:38:32 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-03-07 05:47:36 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-02-17 16:38:33 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-03-07 05:47:36 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-02-17 16:38:33 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-03-07 05:47:36 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-02-17 16:38:29 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:33 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:30 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:33 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:30 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:34 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:31 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:34 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:31 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:34 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:31 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:35 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:32 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:35 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:33 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-03-07 05:47:37 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 16:38:33 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-03-07 05:47:37 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-02-17 16:38:34 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-03-07 05:47:37 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-02-17 16:38:34 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-03-07 05:47:37 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-02-17 16:38:34 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-03-07 05:47:37 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-02-17 16:38:32 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-03-07 05:47:36 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-01-09 19:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 19:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2006-08-24 12:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2006-11-08 01:01:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-13 22:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\ARPPRODUCTICON.exe
+ 2008-03-25 01:51:52 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\ARPPRODUCTICON.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut1_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:52 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut1_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut2_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:52 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut2_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut21_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:53 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut21_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut22_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:52 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut22_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut3_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:53 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut3_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
- 2006-09-25 22:25:18 9,158 -c--a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut5_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-25 01:51:53 9,158 ----a-r C:\WINDOWS\Installer\{22C97984-6A68-4140-872E-B2F5123A7387}\NewShortcut5_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2008-03-12 01:26:03 8,854 ----a-r C:\WINDOWS\Installer\{41F61614-9978-4313-854E-B18ABA753EF6}\ARPPRODUCTICON.exe
+ 2008-03-12 01:27:08 10,134 ----a-r C:\WINDOWS\Installer\{BDBAAB1B-B364-465E-931D-4E2E2F0E609A}\ARPPRODUCTICON.exe
+ 2008-03-20 12:59:13 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-03-20 12:59:13 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-03-20 12:59:13 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-03-20 12:59:13 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-03-12 01:34:23 8,854 ----a-r C:\WINDOWS\Installer\{F05A5232-CE5E-4274-AB27-44EB8105898D}\ARPPRODUCTICON.exe
- 1998-10-29 20:45:06 306,688 -c--a-w C:\WINDOWS\IsUninst.exe
+ 1998-10-29 21:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
- 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2007-02-04 16:27:18 258,352 --s-a-r C:\WINDOWS\system\unicows.dll
+ 2007-03-29 13:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 20:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 18:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 15:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 17:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 13:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-16 22:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 22:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 15:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 19:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 17:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 14:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 17:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 22:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 20:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 15:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 18:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 18:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 14:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 17:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 14:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 17:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 15:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 15:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 12:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 18:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 14:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 14:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 20:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 13:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 14:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 18:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 18:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 17:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 12:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 12:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 13:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 18:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 13:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 15:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 12:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 19:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 12:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 12:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 19:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 15:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 15:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 21:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 18:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 13:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 14:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 10:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 21:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 13:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
- 2006-11-07 07:26:44 71,680 -c--a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-13 22:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2006-08-02 16:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2006-10-17 16:03:56 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
+ 2007-08-13 22:42:54 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
- 2006-11-07 07:26:44 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-13 22:39:20 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2006-10-17 16:03:56 17,408 -c----w C:\WINDOWS\system32\dllcache\corpol.dll
+ 2007-08-13 22:42:54 17,408 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
- 2006-11-08 01:03:36 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-13 22:54:10 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2006-10-17 15:44:36 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-13 22:18:02 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2006-10-17 16:04:50 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-13 22:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-10-17 16:06:00 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-13 22:45:18 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2006-11-08 01:03:36 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-13 22:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-11-07 07:26:42 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-13 22:39:12 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2006-10-17 15:57:58 36,352 -c----w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-13 22:36:06 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2006-11-07 07:26:24 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-13 22:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-10-17 16:00:00 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-13 22:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-10-17 16:05:10 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2006-10-17 15:56:10 45,568 -c----w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-13 22:32:30 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2006-10-17 15:28:56 48,128 -c----w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2006-11-08 01:03:36 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-13 22:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2006-11-08 01:03:36 413,696 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-08-13 22:54:10 413,696 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-07-11 17:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 16:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-05-18 18:30:00 61,960 ----a-w C:\WINDOWS\system32\drivers\KmxAgent.sys
+ 2007-10-18 13:46:00 134,672 ----a-w C:\WINDOWS\system32\drivers\KmxCF.sys
+ 2007-09-12 15:02:06 88,840 ----a-w C:\WINDOWS\system32\drivers\KmxCfg.sys
+ 2007-05-18 18:30:00 45,064 ----a-w C:\WINDOWS\system32\drivers\KmxFile.sys
+ 2007-10-18 17:28:08 114,704 ----a-w C:\WINDOWS\system32\drivers\KmxFw.sys
+ 2007-11-02 07:54:34 65,552 ----a-w C:\WINDOWS\system32\drivers\KmxSbx.sys
+ 2007-10-18 13:46:00 93,712 ----a-w C:\WINDOWS\system32\drivers\KmxStart.sys
+ 2007-08-07 16:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2000-08-31 13:00:00 73,728 ----a-w C:\WINDOWS\system32\fdsv.exe
+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\system32\fdsv.exe
- 2007-11-26 11:46:08 93,480 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-09 00:47:21 95,864 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2000-08-31 13:00:00 80,412 ----a-w C:\WINDOWS\system32\grep.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\system32\grep.exe
- 2006-10-17 16:06:00 78,336 -c--a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-13 22:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2006-11-08 01:03:36 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-13 22:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-11-07 07:26:42 55,296 -c--a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 22:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-08-13 22:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2006-11-08 01:03:36 180,736 ------w C:\WINDOWS\system32\ieui.dll
+ 2007-08-13 22:54:10 180,736 ----a-w C:\WINDOWS\system32\ieui.dll
- 2006-10-17 15:57:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-13 22:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2006-11-07 07:26:24 92,672 -c--a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-13 22:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2005-11-10 16:27:06 49,248 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 16:27:16 49,250 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 18:03:54 127,078 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-10-17 16:00:00 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-13 22:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2006-10-17 16:05:10 40,960 -c--a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-12-14 15:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-10-17 15:58:32 12,288 -c----w C:\WINDOWS\system32\msfeedssync.exe
+ 2007-08-13 22:36:40 12,288 ----a-w C:\WINDOWS\system32\msfeedssync.exe
- 2006-10-17 15:56:10 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-13 22:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2006-10-17 15:28:56 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2006-11-08 01:03:36 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-13 22:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2003-04-18 20:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2003-02-06 14:37:54 44,544 ----a-w C:\WINDOWS\system32\msxml4a.dll
+ 2003-02-06 14:37:54 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
- 2008-02-07 22:53:19 74,606 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-09 16:28:21 74,606 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-02-07 22:53:19 428,860 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-09 16:28:21 428,860 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 13:00:00 98,816 ----a-w C:\WINDOWS\system32\sed.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\system32\sed.exe
- 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-09-06 21:43:16 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
- 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2007-07-27 14:38:00 117,264 ----a-w C:\WINDOWS\system32\UmxSbxExw.dll
+ 2007-07-27 14:38:00 256,528 ----a-w C:\WINDOWS\system32\UmxSbxw.dll
+ 2007-05-18 18:30:00 79,368 ----a-w C:\WINDOWS\system32\UmxWNP.dll
- 2006-11-08 01:03:36 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-13 22:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2000-08-31 13:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
- 2006-10-17 16:05:58 206,336 -c----w C:\WINDOWS\system32\WinFXDocObj.exe
+ 2007-08-13 22:45:16 206,336 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe
- 2000-08-31 13:00:00 68,096 ----a-w C:\WINDOWS\system32\zip.exe
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\system32\zip.exe
+ 2003-03-25 22:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2008-03-12 01:26:59 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-03-12 01:27:00 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5CE71183-A2DF-4834-9D2F-8BA58000126A}"= "C:\WINDOWS\enlfxgw.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{5ce71183-a2df-4834-9d2f-8ba58000126a}]
[HKEY_CLASSES_ROOT\enlfxgw.1]
[HKEY_CLASSES_ROOT\TypeLib\{9DEEBBF9-83A8-48E4-B5BB-C83E0376D420}]
[HKEY_CLASSES_ROOT\enlfxgw]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-27 02:40 290112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 01:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"braviax"="braviax.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-03-11 21:33 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-03-11 21:33 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-03-11 21:33 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-03-11 21:33 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-03-11 21:33 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-03-11 21:33 14088]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"= {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll [2008-03-02 19:31 18706]
"zip"= {650f05ec-fc76-49d0-b3ec-f004585ff219} - C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll [2008-03-02 19:31 22766]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
--a------ 2001-05-22 19:13 55296 g:\john\games\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
--a------ 2001-05-22 19:17 49152 g:\john\games\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-27 18:45 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eraser Pro]
C:\Program Files\Evidence Eraser Pro\Evidence Eraser Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWClient]
C:\Program Files\AMSys\swsys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-18 01:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Driver]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows LSSS Service]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winload32]
--a--c--- 2007-05-04 01:58 68880 C:\WINDOWS\system32\explorer32\winload32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PictureTaker"=3 (0x3)
"ose"=3 (0x3)
"LexBceS"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"FSMA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\john\\BitTorrent\\bittorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5997:UDP"= 5997:UDP:Shards of Dalaya Login Server
"9000:UDP"= 9000:UDP:Shards of Dalaya World Server
"21630:TCP"= 21630:TCP:BitComet 21630 TCP
"21630:UDP"= 21630:UDP:BitComet 21630 UDP
"15164:UDP"= 15164:UDP:AM Agent
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 09:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 13:28]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-03-07 03:28]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-03-07 03:17]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 09:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 03:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 08:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 08:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 11:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-03-11 21:33]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe" []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2005-10-20 21:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdcfc187-9ada-11da-bd40-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 02:24:51 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 9 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-03-27 12:39:21 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 08:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
-> C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
.
**************************************************************************
.
Completion time: 2008-03-27 8:46:43 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-27 12:46:10
ComboFix2.txt 2008-03-07 03:32:58
.
2008-03-12 07:02:49 --- E O F ---



*****************

#4 Buckeye_Sam (Malware Expert; Members; 17,382 posts; Gender: Male; Location: Pickerington, Ohio)

Posted 27 March 2008 - 05:12 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\enlfxgw.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5CE71183-A2DF-4834-9D2F-8BA58000126A}"=-
[-HKEY_CLASSES_ROOT\clsid\{5ce71183-a2df-4834-9d2f-8ba58000126a}]
[-HKEY_CLASSES_ROOT\enlfxgw.1]
[-HKEY_CLASSES_ROOT\TypeLib\{9DEEBBF9-83A8-48E4-B5BB-C83E0376D420}]
[-HKEY_CLASSES_ROOT\enlfxgw]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winload32]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


===================



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
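One way to triage the "Reg Loading Points" section of a ComboFix log like the one posted above and render the result in the File:: / Registry:: CFScript syntax the helper used. This is an added example for this thread, not ComboFix's or the helper's own code. The sample log is a constructed excerpt modelled on the entries posted above, and the triage rules in `classify` (empty `[ ]` file info, a `file:///` Active Desktop component, a bare file name in a Run value, a ShellServiceObjectDelayLoad DLL under the Installer cache, a suppressed Security Center notification) are this example's own assumptions rather than ComboFix's logic; the function names `parse_loading_points`, `classify`, `analyse` and `to_cfscript` are likewise this example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and emit a
CFScript block in the File:: / Registry:: format used in this thread.

Added example, not ComboFix's or the helper's code. SAMPLE_LOG is a
constructed excerpt modelled on the posted log; the triage rules in
classify() are this example's assumptions, not ComboFix's logic."""
import re
from dataclasses import dataclass

# Constructed excerpt in the layout ComboFix uses for its loading points.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5CE71183-A2DF-4834-9D2F-8BA58000126A}"= "C:\WINDOWS\enlfxgw.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"braviax"="braviax.exe" []

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"= {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll [2008-03-02 19:31 18706]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [key]
QUOTED_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data
BARE_VALUE_RE = re.compile(r'^(\w+)=\s*(.*)$')           # Source= data


@dataclass
class Finding:
    key: str
    name: str    # value name; empty when scope == "key"
    scope: str   # "value" or "key"
    action: str  # "remove" (goes into the CFScript) or "review" (human look)
    reason: str


def parse_loading_points(text):
    """Yield (key, value_name, data) for every value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = QUOTED_VALUE_RE.match(line) or BARE_VALUE_RE.match(line)
        if key is not None and m:
            yield key, m.group(1), m.group(2).strip()


def classify(key, name, data):
    """Assumed triage rules; returns (scope, action, reason) or None."""
    k, d = key.lower(), data.lower()
    if d.endswith('[ ]') or d.endswith('[]'):
        # ComboFix prints "[date time size]" when it can stat the target;
        # an empty bracket means the referenced file was not found on disk.
        return 'value', 'remove', 'autostart points at a file ComboFix could not find'
    if 'desktop\\components' in k and name.lower() == 'source' and d.startswith('file:///'):
        # A local HTML Active Desktop component is what replaced the user's
        # wallpaper in this thread; the helper deletes the whole key.
        return 'key', 'remove', 'Active Desktop component loaded from a local HTML file'
    if '\\currentversion\\run' in k and '\\' not in d.split(' [')[0]:
        return 'value', 'review', 'bare file name in a Run value (resolved via search path)'
    if 'shellserviceobjectdelayload' in k and '\\installer\\{' in d:
        return 'value', 'review', 'ShellServiceObjectDelayLoad DLL under the Installer cache'
    if 'security center' in k and name.lower().endswith('disablenotify') and d == 'dword:00000001':
        return 'value', 'review', 'Security Center notification suppressed'
    return None


def analyse(text):
    findings = []
    for key, name, data in parse_loading_points(text):
        verdict = classify(key, name, data)
        if verdict:
            scope, action, reason = verdict
            findings.append(Finding(key, name if scope == 'value' else '', scope, action, reason))
    return findings


def to_cfscript(findings, files=()):
    """Render 'remove' findings in the CFScript syntax from the helper's post:
    "name"=- deletes a value, [-key] deletes a whole key."""
    lines = []
    if files:
        lines.extend(['File::', *files, ''])
    lines.append('Registry::')
    last_key = None
    for f in findings:
        if f.action != 'remove':
            continue
        if f.scope == 'key':
            lines.append(f'[-{f.key}]')
            last_key = None
        else:
            if f.key != last_key:
                lines.append(f'[{f.key}]')
                last_key = f.key
            lines.append(f'"{f.name}"=-')
    return '\n'.join(lines)


if __name__ == '__main__':
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f'{f.action:6} {f.reason}: [{f.key}] {f.name}')
    print()
    print(to_cfscript(results, files=[r'C:\WINDOWS\enlfxgw.dll']))
```

"Review" findings are deliberately kept out of the generated script: in this thread the helper removed the toolbar CLSID, the braviax Run value and the desktop component, but left the ShellServiceObjectDelayLoad and Security Center entries for a later pass, and a script that deletes everything it flags would be no safer than the infection it is cleaning.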


========================================================

#5 BobbyCubby (Topic Starter; Members; 20 posts)

Posted 28 March 2008 - 09:19 PM

Combofix Report

ComboFix 08-03-25.4 - Owner 2008-03-28 12:46:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\enlfxgw.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 08:13 . 2008-03-27 08:13 <DIR> d-------- C:\ComboFix(2)
2008-03-25 15:58 . 2008-03-25 16:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-25 15:57 . 2008-03-25 15:57 <DIR> d-------- C:\Program Files\LimeWire
2008-03-24 21:51 . 2008-03-24 21:51 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-24 17:14 . 2008-03-24 17:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 17:14 . 2008-03-24 17:16 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-24 17:14 . 2008-03-24 17:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 17:14 . 2008-03-24 17:16 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-24 17:09 . 2008-03-24 17:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-24 00:33 . 2008-03-23 17:54 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-23 17:54 . 2008-03-24 00:51 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-20 09:09 . 2008-03-20 09:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 08:58 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-20 08:58 . 2008-03-20 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 21:55 . 2008-03-28 12:46 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-03-12 05:42 . 2008-03-28 03:05 71,574 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-03-12 05:42 . 2008-03-28 03:05 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-03-11 21:35 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 21:25 . 2008-03-27 08:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CallingID
2008-03-11 21:24 . 2008-03-11 21:57 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-11 21:24 . 2008-03-11 21:24 <DIR> d-------- C:\Program Files\CA
2008-03-11 21:24 . 2008-03-11 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-03-11 21:24 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-03-11 21:24 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-03-11 21:24 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-03-11 21:24 . 2008-03-11 21:33 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-03-11 21:24 . 2008-03-11 21:33 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-03-11 21:24 . 2008-03-11 21:33 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-03-11 21:24 . 2008-03-11 21:33 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-03-07 15:53 . 2008-03-05 03:37 <DIR> d-------- C:\SDFix
2008-03-07 15:51 . 2008-03-07 15:51 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:51 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 06:10 . 2008-03-07 06:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WildTangent
2008-03-06 23:53 . 2008-03-06 23:53 <DIR> d-------- C:\Program Files\Turbine
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-06 22:51 . 2008-03-06 22:51 58,368 --a------ C:\oecpt.exe
2008-03-06 22:51 . 2008-03-06 22:51 51,200 --a------ C:\kxwams.exe
2008-03-06 22:26 . 2008-03-06 22:26 <DIR> d-------- C:\Deckard
2008-03-06 22:20 . 2008-03-06 22:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 23:50 . 2008-03-01 23:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-01 06:21 . 2008-03-02 03:42 <DIR> d-------- C:\WINDOWS\wt
2008-03-01 06:20 . 2008-03-09 12:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-03-01 06:07 . 2008-03-07 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 17:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-03-25 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-03-20 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 19:31 94,208 ----a-w C:\WINDOWS\DUMPa72c.tmp
2008-03-13 01:51 --------- d-----w C:\Program Files\DNA
2008-03-07 19:51 --------- d-----w C:\Program Files\Java
2008-03-07 09:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-07 03:23 374 -c--a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2008-03-01 22:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-27 06:40 --------- d-----w C:\Program Files\BitTorrent
2008-02-17 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Turbine
2008-02-09 02:10 --------- d-----w C:\Program Files\World of Warcraft
2008-02-08 03:00 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-08 00:35 --------- d-----w C:\Program Files\CCleaner
2008-02-07 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-02-07 17:48 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-06 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-01-09 19:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 22:28 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-01-01 22:28 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-01-01 22:28 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2007-11-18 05:00 325,168 ----a-w C:\Documents and Settings\Desktop\RealPlayer11GOLD.exe
2007-10-20 19:04 54,297,328 ----a-w C:\Documents and Settings\Desktop\InstallMonopolySpongeBobEdition.exe
2007-07-13 01:54 4 -c--a-w C:\Documents and Settings\All Users\Application Data\winam.dat
2007-05-19 20:03 848 -c--a-w C:\Documents and Settings\All Users\Application Data\amprm.dat
2007-05-19 20:03 758 -c--a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
2007-05-19 19:55 16 -c--a-w C:\Documents and Settings\All Users\Application Data\amguid.dat
2007-05-09 15:16 334 -c--a-w C:\Documents and Settings\All Users\Application Data\awmsg.dat
2006-05-31 13:14 108,056 -c--a-w C:\Program Files\Common Files\secman.dll
2006-03-11 23:09 626,176 -c--a-w C:\Program Files\Common Files\osmax.ocx
2004-05-24 04:57 1,728,602 ----a-w C:\Documents and Settings\Desktop\VisualBoyAdvance.exe
.

------- Sigcheck -------

2001-08-30 06:30 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2005-08-09 13:46 163840 3f6ab275b6b481acce4a10c92ae0d727 C:\WINDOWS\system32\explorer32\svchost.exe

2001-08-30 06:30 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2001-08-30 06:30 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2001-08-30 06:30 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-27 02:40 290112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 01:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-03-11 21:33 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-03-11 21:33 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-03-11 21:33 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-03-11 21:33 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-03-11 21:33 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-03-11 21:33 14088]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"= {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll [2008-03-02 19:31 18706]
"zip"= {650f05ec-fc76-49d0-b3ec-f004585ff219} - C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll [2008-03-02 19:31 22766]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
--a------ 2001-05-22 19:13 55296 g:\john\games\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
--a------ 2001-05-22 19:17 49152 g:\john\games\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-27 18:45 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eraser Pro]
C:\Program Files\Evidence Eraser Pro\Evidence Eraser Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWClient]
C:\Program Files\AMSys\swsys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-18 01:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Driver]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows LSSS Service]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PictureTaker"=3 (0x3)
"ose"=3 (0x3)
"LexBceS"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"FSMA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\john\\BitTorrent\\bittorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5997:UDP"= 5997:UDP:Shards of Dalaya Login Server
"9000:UDP"= 9000:UDP:Shards of Dalaya World Server
"21630:TCP"= 21630:TCP:BitComet 21630 TCP
"21630:UDP"= 21630:UDP:BitComet 21630 UDP
"15164:UDP"= 15164:UDP:AM Agent
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 09:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 13:28]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-03-07 03:28]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-03-07 03:17]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 09:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 03:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 08:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 08:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 11:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-03-11 21:33]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe" []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2005-10-20 21:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdcfc187-9ada-11da-bd40-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 02:24:51 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 9 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-03-28 16:11:23 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 13:02:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
-> C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
.
Completion time: 2008-03-28 13:07:22
ComboFix-quarantined-files.txt 2008-03-28 17:06:37
ComboFix2.txt 2008-03-27 12:46:45
ComboFix3.txt 2008-03-07 03:32:58
.
2008-03-12 07:02:49 --- E O F ---


HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:54 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: KernelPrx - {9ab37e9c-ec5d-483e-b779-c130707cb3a7} - C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
O21 - SSODL: zip - {650f05ec-fc76-49d0-b3ec-f004585ff219} - C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9602 bytes


F-Secure report

Scanning Report
Friday, March 28, 2008 13:20:32 - 22:13:02

Computer name: GATEWAY_SYSTEM
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\ F:\ G:\
Result: 8 malware found
Tracking Cookie (spyware)

* System

Trojan-Downloader:W32/Zlob.HOA (virus)

* System
* C:\WINDOWS\INSTALLER\{9AB37E9C-EC5D-483E-B779-C130707CB3A7}\KERNELPRX.DLL
* C:\WINDOWS\INSTALLER\{650F05EC-FC76-49D0-B3EC-F004585FF219}\ZIP.DLL

Trojan-Dropper.Win32.FriJoiner (virus)

* System

Trojan-Dropper.Win32.FriJoiner.ms (virus)

* C:\KXWAMS.EXE

Trojan-PSW.Win32.QQPass (virus)

* System

Trojan-PSW.Win32.QQPass.bdy (virus)

* C:\OECPT.EXE

Statistics
Scanned:

* Files: 54777
* System: 4461
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 8
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{AE5DADAB-6975-4A0B-B9BA-59233376E024}.BIN

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-03-28
* F-Secure AVP: 7.0.171, 2008-03-28
* F-Secure Pegasus: 1.20.0, 2008-02-26
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


**********

That's all three reports.

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 AM

Posted 29 March 2008 - 07:18 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\oecpt.exe
C:\kxwams.exe
C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"=-
"zip"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

Let me know how your computer is working now and any problems that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


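As an added example (not the helper's tool and not part of ComboFix), a small Python dry-run parser for the CFScript format used in the reply above: it reads the File:: and Registry:: sections and lists what the script asks ComboFix to do, which is worth checking before dragging a script onto the tool. The sample text is the script from this reply; handling of the `[-key]` and `"name"="value"` forms and of section names other than File and Registry is an assumption about the wider .reg-style syntax, not something shown in this thread.

```python
"""Dry-run parser for a ComboFix CFScript (added example, not the helper's script).

The format used in the reply above has named sections ("File::", "Registry::")
that run until the next section header or end of file. The Registry:: section
uses .reg syntax: "[key]" selects a key, "name"=- deletes a value. The
"[-key]" (delete key) and "name"="value" (set string value) forms and other
section names are assumptions about the wider format, not shown on this page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the CFScript posted in the reply above, verbatim.
SAMPLE_CFSCRIPT = r"""File::
C:\oecpt.exe
C:\kxwams.exe
C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KernelPrx"=-
"zip"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. File:: / Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # [key] or [-key]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')       # "name"=- or "name"="value"


@dataclass
class RegAction:
    key: str
    name: Optional[str]          # None when the whole key is the target
    op: str                      # "delete_key", "delete_value" or "set_value"
    value: Optional[str] = None


@dataclass
class Plan:
    files: List[str] = field(default_factory=list)
    registry: List[RegAction] = field(default_factory=list)
    unknown_sections: List[str] = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    """Turn CFScript text into a structured plan without touching the system."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            if section not in ("File", "Registry"):
                plan.unknown_sections.append(section)   # flagged, not acted on
            continue
        if section == "File":
            plan.files.append(line)                      # one path per line
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                current_key = m.group(2)
                if m.group(1) == "-":
                    plan.registry.append(RegAction(current_key, None, "delete_key"))
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, rhs = m.group(1), m.group(2).strip()
                if rhs == "-":
                    plan.registry.append(RegAction(current_key, name, "delete_value"))
                else:
                    plan.registry.append(
                        RegAction(current_key, name, "set_value", rhs.strip('"')))
            else:
                raise ValueError(f"unparsed Registry:: line: {raw!r}")
    return plan


def describe(plan: Plan) -> List[str]:
    """Human-readable dry run of what the script would ask ComboFix to do."""
    out = [f"delete file {p}" for p in plan.files]
    for a in plan.registry:
        if a.op == "delete_key":
            out.append(f"delete key {a.key}")
        elif a.op == "delete_value":
            out.append(f"delete value '{a.name}' under {a.key}")
        else:
            out.append(f"set value '{a.name}' = {a.value!r} under {a.key}")
    return out


if __name__ == "__main__":
    for step in describe(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(step)
```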
========================================================

#7 BobbyCubby

BobbyCubby
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 31 March 2008 - 06:13 PM

My apologies for taking so long to reply; work has been a bear. I ran the ComboFix a couple days ago and fell asleep; when I woke up the PC had been turned off and the log erased. At the time it appeared all problems had been fixed; however, the white screen came back. I ran the same text into the ComboFix again, and then followed it up with a HijackThis log. After running the ComboFix for the second time the white screen is gone, and iexplore hasn't been a problem. I think I am ok, but not sure.


ComboFix log:


ComboFix 08-03-25.4 - Owner 2008-03-31 17:44:03.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.488 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\kxwams.exe
C:\oecpt.exe
C:\WINDOWS\Installer\{650f05ec-fc76-49d0-b3ec-f004585ff219}\zip.dll
C:\WINDOWS\Installer\{9ab37e9c-ec5d-483e-b779-c130707cb3a7}\KernelPrx.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 13:27 . 2008-03-31 13:27 <DIR> d-------- C:\__ddf__
2008-03-30 17:08 . 2008-03-30 18:30 1,097 --a------ C:\WINDOWS\checkip.dat
2008-03-29 19:21 . 2008-03-31 15:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-29 19:21 . 2008-03-29 19:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-29 19:15 . 2008-03-29 19:16 <DIR> d-------- C:\Program Files\iTunes
2008-03-29 19:15 . 2008-03-29 19:15 <DIR> d-------- C:\Program Files\iPod
2008-03-29 19:15 . 2008-03-29 19:15 <DIR> d-------- C:\Program Files\Bonjour
2008-03-29 19:12 . 2008-03-29 19:14 <DIR> d-------- C:\Program Files\QuickTime
2008-03-29 19:06 . 2008-03-29 19:06 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-29 19:04 . 2008-03-29 19:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-29 19:04 . 2008-03-29 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-28 13:17 . 2008-03-28 13:17 <DIR> d-------- C:\fsaua.data
2008-03-27 08:13 . 2008-03-27 08:13 <DIR> d-------- C:\ComboFix(2)
2008-03-25 15:58 . 2008-03-25 16:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-24 21:51 . 2008-03-24 21:51 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-24 17:14 . 2008-03-24 17:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 17:14 . 2008-03-24 17:16 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-24 17:14 . 2008-03-24 17:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 17:14 . 2008-03-24 17:16 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-24 17:09 . 2008-03-24 17:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-24 00:33 . 2008-03-23 17:54 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-23 17:54 . 2008-03-24 00:51 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-20 09:09 . 2008-03-20 09:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 08:58 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-20 08:58 . 2008-03-20 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-12 21:55 . 2008-03-31 17:44 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-03-12 05:42 . 2008-03-31 15:28 80,534 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-03-12 05:42 . 2008-03-31 15:28 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-03-11 21:35 . 2008-03-20 08:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 21:25 . 2008-03-31 17:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CallingID
2008-03-11 21:24 . 2008-03-11 21:57 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-03-11 21:24 . 2008-03-11 21:24 <DIR> d-------- C:\Program Files\CA
2008-03-11 21:24 . 2008-03-11 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-03-11 21:24 . 2007-07-31 12:50 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-03-11 21:24 . 2007-08-01 13:10 250,544 --a------ C:\WINDOWS\system32\KeyHelp.ocx
2008-03-11 21:24 . 2007-07-31 12:50 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-03-11 21:24 . 2008-03-11 21:33 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-03-11 21:24 . 2008-03-11 21:33 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-03-11 21:24 . 2008-03-11 21:33 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-03-11 21:24 . 2008-03-11 21:33 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-03-11 21:24 . 2008-03-11 21:33 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-03-07 15:53 . 2008-03-05 03:37 <DIR> d-------- C:\SDFix
2008-03-07 15:51 . 2008-03-07 15:51 <DIR> d-------- C:\Program Files\Sun
2008-03-07 15:51 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-07 06:10 . 2008-03-07 06:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WildTangent
2008-03-06 23:53 . 2008-03-06 23:53 <DIR> d-------- C:\Program Files\Turbine
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 23:35 . 2008-03-06 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-06 22:26 . 2008-03-06 22:26 <DIR> d-------- C:\Deckard
2008-03-06 22:20 . 2008-03-06 22:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 23:50 . 2008-03-01 23:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-01 06:21 . 2008-03-02 03:42 <DIR> d-------- C:\WINDOWS\wt
2008-03-01 06:20 . 2008-03-09 12:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-03-01 06:07 . 2008-03-07 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-27 02:40 . 2008-03-30 17:49 <DIR> d-------- C:\Program Files\DNA
2008-02-27 02:40 . 2008-02-27 02:40 <DIR> d-------- C:\Program Files\BitTorrent
2008-02-27 02:40 . 2008-03-31 17:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA
2008-02-17 18:59 . 2008-02-17 18:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Turbine
2008-02-07 20:35 . 2008-02-07 20:35 <DIR> d-------- C:\Program Files\CCleaner
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Documents and Settings\Desktop\transprt
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Documents and Settings\Desktop\Stuff
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Documents and Settings\Desktop\School Stuff
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Documents and Settings\Desktop\Quoty Joky
2008-02-07 20:21 . 2008-02-07 20:22 <DIR> d-------- C:\Documents and Settings\Desktop\playlist ck
2008-02-07 20:21 . 2007-10-20 15:04 54,297,328 --a------ C:\Documents and Settings\Desktop\InstallMonopolySpongeBobEdition.exe
2008-02-07 20:21 . 2004-05-24 00:57 1,728,602 --a------ C:\Documents and Settings\Desktop\VisualBoyAdvance.exe
2008-02-07 20:21 . 2007-11-18 01:00 325,168 --a------ C:\Documents and Settings\Desktop\RealPlayer11GOLD.exe
2008-02-07 13:48 . 2008-02-07 13:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-02-07 13:18 . 2008-02-08 22:10 <DIR> d-------- C:\Program Files\World of Warcraft
2008-02-06 00:36 . 2008-02-06 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-02-06 00:35 . 2008-02-07 23:00 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-02-06 00:35 . 2008-02-06 00:36 36,688,040 --a------ C:\BellSouthIW.re~
2008-02-06 00:35 . 2005-07-12 02:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2008-02-06 00:35 . 2005-07-12 02:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 11:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-29 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-25 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-03-20 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 19:31 94,208 ----a-w C:\WINDOWS\DUMPa72c.tmp
2008-03-07 19:51 --------- d-----w C:\Program Files\Java
2008-03-07 03:23 374 -c--a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2008-03-01 22:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-07 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-09 19:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 22:28 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-01-01 22:28 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-01-01 22:28 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2007-12-14 15:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-07-13 01:54 4 -c--a-w C:\Documents and Settings\All Users\Application Data\winam.dat
2007-05-19 20:03 848 -c--a-w C:\Documents and Settings\All Users\Application Data\amprm.dat
2007-05-19 20:03 758 -c--a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
2007-05-19 19:55 16 -c--a-w C:\Documents and Settings\All Users\Application Data\amguid.dat
2007-05-09 15:16 334 -c--a-w C:\Documents and Settings\All Users\Application Data\awmsg.dat
2006-05-31 13:14 108,056 -c--a-w C:\Program Files\Common Files\secman.dll
2006-03-11 23:09 626,176 -c--a-w C:\Program Files\Common Files\osmax.ocx
.

------- Sigcheck -------

2001-08-30 06:30 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2005-08-09 13:46 163840 3f6ab275b6b481acce4a10c92ae0d727 C:\WINDOWS\system32\explorer32\svchost.exe

2001-08-30 06:30 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 03:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2001-08-30 06:30 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2001-08-30 06:30 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot_2008-03-27_ 8.44.42.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 19:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 19:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 20:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 19:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2008-03-29 23:15:27 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2008-03-29 23:24:24 102,400 ----a-r C:\WINDOWS\Installer\{80FD852F-5AAC-4129-B931-06AAFFA43138}\iTunesIco.exe
+ 2008-03-29 23:06:42 27,136 ----a-r C:\WINDOWS\Installer\{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}\AppleSoftwareUpdateIco.exe
+ 2007-07-24 19:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 19:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
+ 2006-09-19 18:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
+ 2008-02-18 15:16:24 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
+ 2006-10-03 23:47:52 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-27 02:40 290112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 01:14 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-03-11 21:33 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-03-11 21:33 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-03-11 21:33 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-03-11 21:33 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-03-11 21:33 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-03-11 21:33 14088]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
--a------ 2001-05-22 19:13 55296 g:\john\games\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
--a------ 2001-05-22 19:17 49152 g:\john\games\Volume 2\Banner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-03-29 21:06 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eraser Pro]
C:\Program Files\Evidence Eraser Pro\Evidence Eraser Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWClient]
C:\Program Files\AMSys\swsys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-18 01:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Driver]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows LSSS Service]
C:\Program Files\Common Files\Microsoft Shared\DAO\GATEWAY_SYSTEM\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PictureTaker"=3 (0x3)
"ose"=3 (0x3)
"LexBceS"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"FSMA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\john\\BitTorrent\\bittorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5997:UDP"= 5997:UDP:Shards of Dalaya Login Server
"9000:UDP"= 9000:UDP:Shards of Dalaya World Server
"21630:TCP"= 21630:TCP:BitComet 21630 TCP
"21630:UDP"= 21630:UDP:BitComet 21630 UDP
"15164:UDP"= 15164:UDP:AM Agent
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 09:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 13:28]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-03-07 03:28]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-03-07 03:17]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 09:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 03:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 08:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 08:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 11:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-03-11 21:33]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe" []
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2005-10-20 21:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdcfc187-9ada-11da-bd40-806d6172696f}]
\Shell\AutoRun\command - D:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 02:24:51 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Owner at 9 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-03-31 21:00:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 18:00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 18:04:20
ComboFix-quarantined-files.txt 2008-03-31 22:03:43
ComboFix2.txt 2008-03-29 21:13:45
ComboFix3.txt 2008-03-29 20:45:54
ComboFix4.txt 2008-03-28 17:07:26
ComboFix5.txt 2008-03-27 12:46:45
.
2008-03-12 07:02:49 --- E O F ---


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:09 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10035 bytes


Thanks!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 AM

Posted 31 March 2008 - 06:40 PM

Delete this file.

C:\Documents and Settings\Owner\Application Data\internaldb6334.dat


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)



Reboot and post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
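The lines the helper picked out above are the ones HijackThis tags as "(no file)" or "(file missing)": registry hooks, BHOs and toolbar buttons whose target no longer exists. The following parser is an added example, not HijackThis code or anything from this thread's participants; it reads log lines of the format shown in the posts above, pulls out the section prefix (R3, O2, O4, O9, O23, ...), and applies the two checks a reviewer usually does by eye: orphaned entries, and O23 services with no publisher ("Unknown owner"). The sample log is constructed from a few lines copied from the log posted earlier in this thread.

```python
"""Parser for HijackThis-style log lines (added example, not HijackThis code).

Each entry line looks like "<section> - <body>", e.g. "O4 - HKLM\\..\\Run: [Name] cmd".
The helpers below extract O4 autostarts and O23 services and flag the
entries a reviewer would look at first.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the log in this thread,
# plus the trailing "End of file" line to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe (file missing)
--
End of file - 10035 bytes
"""


@dataclass
class Entry:
    section: str  # e.g. "O4", "O23"
    body: str     # everything after "O4 - "
    raw: str      # the original line, for reporting


_ENTRY_RE = re.compile(r'^(R\d|F\d|O\d+) - (.*)$')


def parse_hjt(log: str) -> List[Entry]:
    """Return one Entry per log line that carries a HijackThis section prefix."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return [e for e in entries if '(no file)' in e.body or '(file missing)' in e.body]


# "HKLM\..\Run: [Value name] command line" (also HKCU and HKUS\<SID>)
_RUN_RE = re.compile(r'^(HK\S+?)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# first .exe in the command line, with or without surrounding quotes
_EXE_RE = re.compile(r'^"?(.+?\.exe)"?', re.IGNORECASE)


def run_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, executable path) for every O4 autostart line."""
    out = []
    for e in entries:
        if e.section != 'O4':
            continue
        m = _RUN_RE.match(e.body)
        if not m:
            continue
        hive, name, cmd = m.groups()
        x = _EXE_RE.match(cmd)
        out.append((hive, name, x.group(1) if x else cmd))
    return out


# "Service: <display name> - <publisher> - <path>"; the path may itself contain " - "
_SVC_RE = re.compile(r'^Service: (.+?) - (.+?) - (.+)$')


def services(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(display name, publisher, path) for every O23 service line."""
    out = []
    for e in entries:
        if e.section != 'O23':
            continue
        m = _SVC_RE.match(e.body)
        if m:
            out.append(m.groups())
    return out


def unknown_owner_services(entries: List[Entry]) -> List[str]:
    """Display names of services HijackThis could not attribute to a publisher."""
    return [name for name, owner, _ in services(entries) if owner == 'Unknown owner']


def review(log: str) -> dict:
    """Summarise the checks a helper runs before suggesting which lines to fix."""
    entries = parse_hjt(log)
    return {
        'orphaned': [e.raw for e in orphaned(entries)],
        'unknown_owner_services': unknown_owner_services(entries),
        'autostarts': run_entries(entries),
    }


if __name__ == '__main__':
    for key, items in review(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print('   ', item)
```

Run over the sample, `review` lists the same R3, O2 and O9 lines the helper selected, plus the GameConsoleService entry, which is both unattributed and missing; an "Unknown owner" tag alone only means HijackThis found no version information, so that list is a prompt to look at the file, not a verdict.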

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 AM

Posted 21 April 2008 - 07:13 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================



