System32.smp And Other Problems


This topic is locked
12 replies to this topic

#1 GdanskZog

Posted 09 April 2008 - 04:47 PM

Greetings.

This morning I discovered that my desktop wallpaper had been replaced with a malware notification message. I searched around for a solution online and have managed to make that problem go away, but I'm afraid I'm still infected. I will attempt to let you know what has been done up to this point.

Right now I'm having the annoying problem of having my active window deselect itself while I am working in it. The timing of these deselections seems random and I don't see any processes running that might be causing it. This problem started with the infection.

I should have come here first and gotten specific help, but I didn't know the extent of this problem. I know this forum didn't necessarily ask for an SDFix report, but I thought I should include it since I attempted that before I sought help at this particular forum.

1. I restarted in safe mode and ran SDFix, which succeeded in removing several trojans (followed by catchme). The report revealed that it "Could Not Remove C:\WINDOWS\system32smp" (see below).

2. I did a HJT scan too. I will post the most recent below.

3. After I found this site, I did the DSS scan (see below). I apologize for the disorganization and lengthiness. If someone can help me, I'll try to provide any additional info needed. I'm not very good at this sort of thing, so if I forgot to include something, let me know.

----------------
The SDFIX SCAN REPORT AFTER THE TROJANS WERE REMOVED
----------------
SDFix: Version 1.168
Run by Owner on Wed 04/09/2008 at 12:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:



Could Not Remove C:\WINDOWS\system32smp



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 12:09:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"="C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32smp Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 9 Apr 2008 12,330 ..SHR --- "C:\WINDOWS\Resources\CheckBoot.dll"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"

Finished!



------------------
HIJACK THIS SCAN REPORT (current)
----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:27 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O21 - SSODL: CheckBoot - {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6218 bytes


------------------------
DSS SCAN REPORTS
-------------------------

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-09 16:06:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
38: 2008-04-09 20:43:55 UTC - RP38 - Deckard's System Scanner Restore Point
37: 2008-04-09 18:09:54 UTC - RP37 - Installed Ad-Aware 2007
36: 2008-04-09 16:19:19 UTC - RP36 - Software Distribution Service 3.0
35: 2008-04-09 15:57:37 UTC - RP35 - Software Distribution Service 3.0
34: 2008-04-09 01:41:24 UTC - RP34 - System Checkpoint


-- First Restore Point --
1: 2008-03-13 21:38:41 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:51 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O21 - SSODL: CheckBoot - {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6138 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 AtcL002 (NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller) - c:\windows\system32\drivers\l251x86.sys <Not Verified; Atheros Communications, Inc.; Atheros L2 Fast Ethernet Controller>
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
R3 MTsensor (ATK0110 ACPI UTILITY) - c:\windows\system32\drivers\asacpi.sys <Not Verified; ; ATK0110 ACPI Utility>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 hap17v2k (Creative P17V HAL Driver) - c:\windows\system32\drivers\hap17v2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-09 15:32:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-07 20:23:57 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 15:17:00 0 d-------- C:\WINDOWS\LastGood
2008-04-09 15:17:00 0 d-------- C:\Program Files\Panda Security
2008-04-09 14:03:33 0 d-------- C:\Program Files\EndItAll
2008-04-09 13:09:56 0 d-------- C:\Program Files\Lavasoft
2008-04-09 13:09:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 11:50:49 0 d-------- C:\Program Files\Trend Micro
2008-04-09 11:01:40 0 d-------- C:\WINDOWS\ERUNT
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-09 10:25:46 0 d-------- C:\WINDOWS\system32smp
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-09 10:25:46 4096 --a------ C:\WINDOWS\a.bat
2008-04-09 10:25:46 0 d-------- C:\Documents and Settings\Owner\Desktopvirii
2008-04-09 10:25:46 4096 --a------ C:\Documents and Settings\Owner\DesktopFWebdEditor.exe
2008-04-09 10:25:46 4096 --a------ C:\Documents and Settings\Owner\Desktopfwebd.exe
2008-04-09 10:25:46 4096 --a------ C:\Documents and Settings\Owner\Desktopfilemanagerclient.exe
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-09 10:25:45 0 d-------- C:\WINDOWS\mslagent
2008-04-09 10:25:45 4096 --a------ C:\WINDOWS\bdn.com
2008-04-09 10:25:36 0 d-------- C:\Documents and Settings\All Users\Application Data\ojqryzgj
2008-04-07 20:00:50 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-04-06 15:05:01 17632 --a------ C:\WINDOWS\system\ctl3d.dll <Not Verified; Microsoft Corporation; 3d Windows Control>
2008-04-06 15:05:01 0 d-------- C:\MUSIC
2008-04-06 13:18:29 0 d-------- C:\Program Files\Aldo's Pianito
2008-04-06 12:45:40 0 d-------- C:\WG09E.TMP
2008-04-06 12:45:34 0 d-------- C:\WINGROOV
2008-04-06 12:43:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2008-04-06 12:38:30 0 d-------- C:\WG0A4.TMP
2008-04-01 13:00:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-01 13:00:22 0 d-------- C:\Program Files\iPod
2008-04-01 13:00:20 0 d-------- C:\Program Files\iTunes
2008-04-01 13:00:12 0 d-------- C:\Program Files\Bonjour
2008-04-01 12:59:50 0 d-------- C:\Program Files\QuickTime
2008-04-01 12:59:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 12:59:41 0 d-------- C:\Program Files\Apple Software Update
2008-04-01 12:59:27 0 d-------- C:\Program Files\Common Files\Apple
2008-04-01 12:59:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-01 12:46:43 0 d-------- C:\WINDOWS\Sun
2008-04-01 12:46:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2008-03-29 18:17:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2008-03-29 12:00:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-29 11:58:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-03-29 11:58:19 0 d-------- C:\Program Files\Google
2008-03-24 21:40:47 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-24 21:39:08 0 d-------- C:\WINDOWS\nview
2008-03-24 15:58:04 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-03-19 20:01:01 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-19 20:00:26 0 d-------- C:\Program Files\Java
2008-03-19 19:59:10 0 d-------- C:\Program Files\Common Files\Java
2008-03-19 19:58:55 0 d-------- C:\Program Files\LimeWire
2008-03-18 18:53:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 18:53:07 0 d-------- C:\Fraps
2008-03-18 00:42:29 0 d-------- C:\Program Files\FirePower
2008-03-18 00:36:57 0 d-------- C:\Program Files\Microsoft Games
2008-03-17 03:01:42 0 d-------- C:\Program Files\MSXML 4.0
2008-03-16 22:33:12 0 d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-03-16 19:38:23 0 d-------- C:\Program Files\Activision
2008-03-16 19:36:18 0 d--hs---- C:\WINDOWS\ftpcache
2008-03-16 18:55:48 0 d-------- C:\Program Files\TSO
2008-03-16 18:55:10 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-03-16 15:21:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
2008-03-16 09:46:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-03-16 00:58:07 0 d-------- C:\Program Files\EA GAMES
2008-03-16 00:51:25 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-16 00:32:34 0 d-------- C:\Program Files\Electronic Arts
2008-03-16 00:31:49 0 d-------- C:\WINDOWS\system32\AGEIA
2008-03-16 00:31:49 0 d-------- C:\Program Files\AGEIA Technologies
2008-03-16 00:31:37 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 23:49:33 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-15 23:48:19 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-15 23:43:47 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-15 23:43:38 0 d-------- C:\Program Files\Common Files\HP
2008-03-15 23:43:08 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-15 23:42:45 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-15 23:41:59 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-15 23:41:38 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-03-15 23:41:38 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-03-15 23:41:38 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-03-15 23:41:38 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-03-15 23:41:38 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-03-15 23:41:38 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-03-15 23:41:35 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-03-15 23:40:59 0 d-------- C:\Program Files\HP
2008-03-15 23:40:21 21124 -----n--- C:\WINDOWS\hpomdl07.dat
2008-03-15 23:40:21 112968 --a------ C:\WINDOWS\hpoins07.dat
2008-03-15 23:40:06 0 d-------- C:\Documents and Settings\Owner\Application Data\HP
2008-03-15 23:40:05 21744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys <Not Verified; HP; HP Dot4Usb Windows 2000>
2008-03-15 23:40:05 16496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys <Not Verified; HP; HP Dot4Print>
2008-03-15 23:40:05 51120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys <Not Verified; HP; HP Dot4 Windows 2000>
2008-03-15 23:39:32 98304 --a------ C:\WINDOWS\system32\hpzjsn01.dll <Not Verified; Hewlett Packard Company; HPJZSN01 Dynamic Link Library>
2008-03-15 23:39:32 274432 --a------ C:\WINDOWS\system32\HPZc3212.dll <Not Verified; Hewlett-Packard Co.; hp digital imaging - hp all-in-one series>
2008-03-15 23:39:32 258122 --a------ C:\WINDOWS\system32\hpovst08.dll <Not Verified; Hewlett-Packard Co.; hp digital imaging - hp all-in-one series>
2008-03-15 23:39:32 606208 --a------ C:\WINDOWS\system32\hpotscl.dll <Not Verified; Hewlett-Packard Co.; hp digital imaging - hp all-in-one series>
2008-03-15 23:39:32 278528 --a------ C:\WINDOWS\system32\hpgwiamd.dll <Not Verified; Hewlett-Packard; hpgwiamd.dll>
2008-03-15 23:39:02 393216 --a------ C:\WINDOWS\system32\hpzcon12.dll <Not Verified; Hewlett-Packard Company; HP Printing System for Windows>
2008-03-15 23:39:01 180315 --a------ C:\WINDOWS\system32\hpzsnt12.dll <Not Verified; HP; HP DeskJet>
2008-03-15 23:39:01 196608 --a------ C:\WINDOWS\system32\hpzcoi12.dll <Not Verified; HP; HP DeskJet>
2008-03-15 23:37:47 0 d-------- C:\Temp
2008-03-15 22:47:29 0 d-------- C:\WINDOWS\network diagnostic
2008-03-15 22:37:47 0 d-------- C:\Program Files\Windows Sidebar
2008-03-15 22:37:47 0 d-------- C:\Program Files\Norton AntiVirus
2008-03-15 22:37:31 0 d-------- C:\Program Files\Symantec
2008-03-15 22:37:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-15 22:36:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-15 22:13:18 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-03-15 21:59:13 0 d--hs---- C:\Documents and Settings\Owner\UserData
2008-03-15 21:33:45 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-15 21:30:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-15 21:27:36 21504 --a------ C:\WINDOWS\system32\hidserv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-15 21:26:49 25856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-15 21:25:27 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:48:04 0 d-------- C:\WINDOWS\system32\Defaults
2008-03-13 16:47:56 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:55 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:54 52864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:52 54272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:51 142464 --a------ C:\WINDOWS\system32\drivers\aec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:50 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:49 2944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:48 60800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:47 4992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:47 7552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:45 5376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:37 4096 --a------ C:\WINDOWS\system32\ksuser.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:37 145792 --a------ C:\WINDOWS\system32\drivers\portcls.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:37 60288 --a------ C:\WINDOWS\system32\drivers\drmk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:47:35 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-13 16:47:35 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-13 16:47:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-03-13 16:47:30 0 d-------- C:\WINDOWS\system32\Data
2008-03-13 16:47:30 3072 --a------ C:\WINDOWS\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2008-03-13 16:47:30 10240 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-03-13 16:47:30 0 d-------- C:\Program Files\Creative
2008-03-13 16:46:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-13 16:43:03 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-13 16:42:38 0 d-------- C:\NVIDIA
2008-03-13 16:42:08 30720 -ra------ C:\WINDOWS\system32\drivers\l251x86.sys <Not Verified; Atheros Communications, Inc.; Atheros L2 Fast Ethernet Controller>
2008-03-13 16:40:38 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-13 16:40:37 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-13 16:40:36 0 d-------- C:\Program Files\Intel
2008-03-13 16:39:46 0 d-------- C:\Intel
2008-03-13 16:39:10 5810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys <Not Verified; ; ATK0110 ACPI Utility>
2008-03-13 16:38:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2008-03-13 16:38:27 0 dr------- C:\Documents and Settings\Owner\Favorites
2008-03-13 16:38:27 0 d-------- C:\Documents and Settings\Owner\Desktop
2008-03-13 16:38:27 0 d--hs---- C:\Documents and Settings\Owner\Cookies
2008-03-13 16:38:27 0 d--h----- C:\Documents and Settings\Owner\Application Data
2008-03-13 16:38:26 0 d--h----- C:\Documents and Settings\Owner\Templates
2008-03-13 16:38:26 0 dr------- C:\Documents and Settings\Owner\Start Menu
2008-03-13 16:38:26 0 dr-h----- C:\Documents and Settings\Owner\SendTo
2008-03-13 16:38:26 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-03-13 16:38:26 0 d--h----- C:\Documents and Settings\Owner\PrintHood
2008-03-13 16:38:26 2359296 --ah----- C:\Documents and Settings\Owner\NTUSER.DAT
2008-03-13 16:38:26 0 d--h----- C:\Documents and Settings\Owner\NetHood
2008-03-13 16:38:26 0 dr------- C:\Documents and Settings\Owner\My Documents
2008-03-13 16:38:26 0 d--h----- C:\Documents and Settings\Owner\Local Settings
2008-03-13 16:38:24 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-13 16:38:22 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-13 16:38:22 0 d-------- C:\WINDOWS\Prefetch
2008-03-13 16:38:22 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-13 16:38:22 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-13 16:38:22 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-13 16:38:22 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-13 16:38:21 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-13 16:38:02 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-13 16:38:02 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-13 16:38:02 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-13 16:38:02 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-13 16:38:02 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-13 16:36:24 0 d-------- C:\WINDOWS\system32\xircom
2008-03-13 16:36:24 0 d-------- C:\Program Files\microsoft frontpage
2008-03-13 16:36:23 262144 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-13 16:36:21 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 16:36:12 0 -rahs---- C:\MSDOS.SYS
2008-03-13 16:36:12 0 -rahs---- C:\IO.SYS
2008-03-13 16:36:12 0 --a------ C:\CONFIG.SYS
2008-03-13 16:36:12 0 --a------ C:\AUTOEXEC.BAT
2008-03-13 16:36:02 112128 --a------ C:\WINDOWS\system32\mapi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:35:39 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-13 16:35:33 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-13 16:35:33 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-13 16:35:27 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-13 16:35:14 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-13 16:34:57 11264 --a------ C:\WINDOWS\system32\atrace.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:48 12288 --a------ C:\WINDOWS\system32\nmevtmsg.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:47 64512 --a------ C:\WINDOWS\system32\acctres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:44 0 d---s---- C:\WINDOWS\Tasks
2008-03-13 16:34:44 16384 --a------ C:\WINDOWS\system32\icfgnt5.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:43 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-13 16:34:40 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-13 16:34:40 0 d-------- C:\WINDOWS\srchasst
2008-03-13 16:34:37 6656 --a------ C:\WINDOWS\system32\wuauserv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:37 183296 --a------ C:\WINDOWS\system32\wuaueng1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:37 165888 --a------ C:\WINDOWS\system32\wuauclt1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:36 18944 --a------ C:\WINDOWS\system32\qmgrprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:36 382464 --a------ C:\WINDOWS\system32\qmgr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:36 7168 --a------ C:\WINDOWS\system32\bitsprx3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:36 8192 --a------ C:\WINDOWS\system32\bitsprx2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:33 0 d-------- C:\Program Files\Movie Maker
2008-03-13 16:34:29 45568 --a------ C:\WINDOWS\system32\safrslv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:29 29696 --a------ C:\WINDOWS\system32\safrdm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:29 43520 --a------ C:\WINDOWS\system32\safrcdlg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:29 43520 --a------ C:\WINDOWS\system32\racpldlg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:27 23040 --a------ C:\WINDOWS\system32\fltmc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:27 16896 --a------ C:\WINDOWS\system32\fltlib.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:27 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:26 170496 --a------ C:\WINDOWS\system32\srsvc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:26 239104 --a------ C:\WINDOWS\system32\srrstr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:26 67584 --a------ C:\WINDOWS\system32\srclient.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:26 0 d-------- C:\WINDOWS\system32\Restore
2008-03-13 16:34:26 81920 --a------ C:\WINDOWS\system32\ils.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:26 73472 --a------ C:\WINDOWS\system32\drivers\sr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:25 28672 --a------ C:\WINDOWS\system32\nmmkcert.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:25 69632 --a------ C:\WINDOWS\system32\msconf.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:25 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:25 34560 --a------ C:\WINDOWS\system32\mnmdd.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-03-13 16:34:25 32768 --a------ C:\WINDOWS\system32\isrdbg32.dll <Not Verified; Intel Corporation; ISRDBG32.DLL>
2008-03-13 16:34:22 105984 --a------ C:\WINDOWS\system32\msoert2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:22 252928 --a------ C:\WINDOWS\system32\msoeacct.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:22 48128 --a------ C:\WINDOWS\system32\inetres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:21 683520 --a------ C:\WINDOWS\system32\inetcomm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:20 190976 --a------ C:\WINDOWS\system32\schedsvc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:20 12288 --a------ C:\WINDOWS\system32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:20 274944 --a------ C:\WINDOWS\system32\mstask.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:19 81920 --a------ C:\WINDOWS\system32\isign32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:19 274432 --a------ C:\WINDOWS\system32\inetcfg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:19 65536 --a------ C:\WINDOWS\system32\icwphbk.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:19 73728 --a------ C:\WINDOWS\system32\icwdial.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:34:12 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-13 16:34:00 0 d-------- C:\WINDOWS\Registration
2008-03-13 16:33:43 0 d-------- C:\Program Files\Online Services
2008-03-13 16:33:40 0 d-------- C:\Program Files\Messenger
2008-03-13 16:33:36 5632 --a------ C:\WINDOWS\system32\write.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:36 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-13 16:33:30 138752 --a------ C:\WINDOWS\system32\sndvol32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:29 35328 --a------ C:\WINDOWS\system32\winchat.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:29 44544 --a------ C:\WINDOWS\system32\hticons.dll <Not Verified; Hilgraeve, Inc.; Microsoft® Windows® Operating System>
2008-03-13 16:33:29 73216 --a------ C:\WINDOWS\system32\avwav.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:29 227840 --a------ C:\WINDOWS\system32\avtapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:29 16384 --a------ C:\WINDOWS\system32\avmeter.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:23 56832 --a------ C:\WINDOWS\system32\sol.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:23 605696 --a------ C:\WINDOWS\system32\getuname.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:23 80384 --a------ C:\WINDOWS\system32\charmap.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:23 114688 --a------ C:\WINDOWS\system32\calc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 119808 --a------ C:\WINDOWS\system32\winmine.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 1161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2008-03-13 16:33:22 16896 --a------ C:\WINDOWS\system32\tsshutdn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 16384 --a------ C:\WINDOWS\system32\tskill.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 14848 --a------ C:\WINDOWS\system32\tsdiscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 14848 --a------ C:\WINDOWS\system32\tscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 9728 --a------ C:\WINDOWS\system32\reset.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 126976 --a------ C:\WINDOWS\system32\mshearts.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:22 55296 --a------ C:\WINDOWS\system32\freecell.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 14848 --a------ C:\WINDOWS\system32\shadow.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 15872 --a------ C:\WINDOWS\system32\rwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 33792 --a------ C:\WINDOWS\system32\regini.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 4096 --a------ C:\WINDOWS\system32\rdpcfgex.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 22016 --a------ C:\WINDOWS\system32\qwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 16896 --a------ C:\WINDOWS\system32\qappsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 20992 --a------ C:\WINDOWS\system32\msg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 15360 --a------ C:\WINDOWS\system32\logoff.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:21 15872 --a------ C:\WINDOWS\system32\cdmodem.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:20 25088 --a------ C:\WINDOWS\system32\mtxlegih.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:20 4096 --a------ C:\WINDOWS\system32\mtxex.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:20 20480 --a------ C:\WINDOWS\system32\mtxdm.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:20 5120 --a------ C:\WINDOWS\system32\dcomcnfg.exe <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:20 97792 --a------ C:\WINDOWS\system32\comrepl.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:20 25600 --a------ C:\WINDOWS\system32\comaddin.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:19 54272 --a------ C:\WINDOWS\system32\stclient.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:19 147456 --a------ C:\WINDOWS\system32\comsnap.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:06 131584 --a------ C:\WINDOWS\system32\sndrec32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:06 123392 --a------ C:\WINDOWS\system32\mplay32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:06 347136 --a------ C:\WINDOWS\system32\hypertrm.dll <Not Verified; Hilgraeve, Inc.; Microsoft® Windows® Operating System>
2008-03-13 16:33:06 183808 --a------ C:\WINDOWS\system32\accwiz.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 538624 --a------ C:\WINDOWS\system32\spider.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 343040 --a------ C:\WINDOWS\system32\mspaint.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 102912 --a------ C:\WINDOWS\system32\clipbrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:05 0 d-------- C:\Program Files\Windows NT
2008-03-13 16:33:04 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 93696 --a------ C:\WINDOWS\system32\tscfgwmi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 140800 --a------ C:\WINDOWS\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 60416 --a------ C:\WINDOWS\system32\remotepg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 67072 --a------ C:\WINDOWS\system32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 147968 --a------ C:\WINDOWS\system32\rdchost.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 655360 --a------ C:\WINDOWS\system32\mstscax.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:04 407552 --a------ C:\WINDOWS\system32\mstsc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 295424 --a------ C:\WINDOWS\system32\termsrv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 87176 --a------ C:\WINDOWS\system32\rdpwsx.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 19968 --a------ C:\WINDOWS\system32\rdpsnd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 62464 --a------ C:\WINDOWS\system32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 20480 --a------ C:\WINDOWS\system32\qprocess.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 91136 --a------ C:\WINDOWS\system32\mtxoci.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:03 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:03 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-13 16:33:03 11264 --a------ C:\WINDOWS\system32\icaapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:03 38912 --a------ C:\WINDOWS\system32\cfgbkend.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:33:02 11776 --a------ C:\WINDOWS\system32\xolehlp.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:02 956416 --a------ C:\WINDOWS\system32\msdtctm.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:02 426496 --a------ C:\WINDOWS\system32\msdtcprx.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:02 58880 --a------ C:\WINDOWS\system32\msdtclog.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:02 6144 --a------ C:\WINDOWS\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-03-13 16:33:01 1267200 --a------ C:\WINDOWS\system32\comsvcs.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:01 0 d-------- C:\WINDOWS\system32\Com
2008-03-13 16:33:01 60416 --a------ C:\WINDOWS\system32\colbact.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:01 110080 --a------ C:\WINDOWS\system32\clbcatex.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:01 625152 --a------ C:\WINDOWS\system32\catsrvut.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:01 85504 --a------ C:\WINDOWS\system32\catsrvps.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:01 225792 --a------ C:\WINDOWS\system32\catsrv.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:00 540160 --a------ C:\WINDOWS\system32\comuid.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:33:00 498688 --a------ C:\WINDOWS\system32\clbcatq.dll <Not Verified; Microsoft Corporation; COM Services>
2008-03-13 16:32:56 56320 --a------ C:\WINDOWS\system32\servdeps.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:32:56 17408 --a------ C:\WINDOWS\system32\mmfutil.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:32:56 58880 --a------ C:\WINDOWS\system32\licwmi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:32:56 185344 --a------ C:\WINDOWS\system32\cmprops.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:32:51 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-13 16:32:51 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:24:10 3072 --a------ C:\WINDOWS\system32\drivers\audstub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:23:45 57472 --a------ C:\WINDOWS\system32\drivers\redbook.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:23:07 74240 --a------ C:\WINDOWS\system32\usbui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:23 0 d--hs---- C:\WINDOWS\Installer
2008-03-12 23:22:23 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-12 23:22:20 0 dr------- C:\Program Files
2008-03-12 23:22:20 0 d-------- C:\Program Files\Common Files
2008-03-12 23:22:20 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-12 23:22:18 6144 -ra------ C:\WINDOWS\system32\kbdtuq.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:18 6144 -ra------ C:\WINDOWS\system32\kbdtuf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:18 5632 -ra------ C:\WINDOWS\system32\kbdazel.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:16 5632 -ra------ C:\WINDOWS\system32\kbdmon.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:16 5632 -ra------ C:\WINDOWS\system32\kbdkyr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 8192 -ra------ C:\WINDOWS\system32\kbdhept.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 6656 -ra------ C:\WINDOWS\system32\kbdhela3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 6144 -ra------ C:\WINDOWS\system32\kbdhela2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 5632 -ra------ C:\WINDOWS\system32\kbdhe319.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 5632 -ra------ C:\WINDOWS\system32\kbdhe220.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:15 6144 -ra------ C:\WINDOWS\system32\kbdgkl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:14 5632 -ra------ C:\WINDOWS\system32\kbdhe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:13 6144 -ra------ C:\WINDOWS\system32\kbdlv1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:13 6144 -ra------ C:\WINDOWS\system32\kbdlv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:13 5632 -ra------ C:\WINDOWS\system32\kbdlt1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:13 5632 -ra------ C:\WINDOWS\system32\kbdlt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:13 6144 -ra------ C:\WINDOWS\system32\kbdest.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 6656 -ra------ C:\WINDOWS\system32\kbdsl1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 6656 -ra------ C:\WINDOWS\system32\kbdsl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 5632 -ra------ C:\WINDOWS\system32\kbdro.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 5632 -ra------ C:\WINDOWS\system32\kbdpl1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 6656 -ra------ C:\WINDOWS\system32\kbdpl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 5632 -ra------ C:\WINDOWS\system32\kbdhu1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 6656 -ra------ C:\WINDOWS\system32\kbdhu.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:12 6656 -ra------ C:\WINDOWS\system32\kbdcz2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:11 6656 -ra------ C:\WINDOWS\system32\kbdycl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:11 6656 -ra------ C:\WINDOWS\system32\kbdcz1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:11 7168 -ra------ C:\WINDOWS\system32\kbdcz.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:11 6656 -ra------ C:\WINDOWS\system32\kbdcr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:11 6656 -ra------ C:\WINDOWS\system32\KBDAL.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:10 13312 --a------ C:\WINDOWS\system32\irclass.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:10 85020 --a------ C:\WINDOWS\system32\dgsetup.dll <Not Verified; Digi International; DGSETUP Dynamic Link Library>
2008-03-12 23:22:10 176157 --a------ C:\WINDOWS\system32\dgrpsetu.dll <Not Verified; Digi International, Inc.; Digi RealPort® Driver>
2008-03-12 23:22:09 24661 --a------ C:\WINDOWS\system32\spxcoins.dll <Not Verified; Perle Systems Ltd.; Specialix Multi-port Serial Device Class CoInstaller>
2008-03-12 23:22:09 103424 --a------ C:\WINDOWS\system32\EqnClass.Dll <Not Verified; Equinox Systems Inc.; Equinox Multiport Serial Coinstaller>
2008-03-12 23:22:09 9008 --a------ C:\WINDOWS\system\VER.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:09 19200 --a------ C:\WINDOWS\system\TAPI.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:09 5120 --a------ C:\WINDOWS\system\SHELL.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:09 24064 --a------ C:\WINDOWS\system\OLESVR.DLL <Not Verified; Microsoft Corporation; Microsoft Object Linking and Embedding Libraries for Window>
2008-03-12 23:22:09 82944 --a------ C:\WINDOWS\system\OLECLI.DLL <Not Verified; Microsoft Corporation; Microsoft Object Linking and Embedding Libraries for Windows>
2008-03-12 23:22:08 15360 --a------ C:\WINDOWS\TASKMAN.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:08 126912 --a------ C:\WINDOWS\system\MSVIDEO.DLL <Not Verified; Microsoft Corporation; Microsoft Video for Windows>
2008-03-12 23:22:08 9936 --a------ C:\WINDOWS\system\LZEXPAND.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:08 32816 --a------ C:\WINDOWS\system\COMMDLG.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:08 109456 --a------ C:\WINDOWS\system\AVIFILE.DLL <Not Verified; Microsoft Corporation; Microsoft Windows>
2008-03-12 23:22:08 69584 --a------ C:\WINDOWS\system\AVICAP.DLL <Not Verified; Microsoft Corporation; Microsoft Video for Windows>
2008-03-12 23:22:07 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:07 8704 --a------ C:\WINDOWS\system32\batt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:07 68768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-12 23:22:06 74752 --a------ C:\WINDOWS\system32\storprop.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:06 69120 --a------ C:\WINDOWS\NOTEPAD.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-12 23:22:00 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-12 23:22:00 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-12 23:22:00 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-12 23:22:00 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-12 23:22:00 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-12 23:22:00 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-12 23:22:00 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-12 23:22:00 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-12 23:22:00 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-12 23:22:00 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-12 23:22:00 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-12 23:22:00 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-12 23:22:00 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-12 23:22:00 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-12 23:22:00 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-12 23:22:00 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-12 23:21:51 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-12 23:21:51 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-12 23:21:45 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-12 23:21:45 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-12 23:21:45 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-12 23:21:45 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-12 23:21:24 0 d--hs---- C:\System Volume Information
2008-03-12 23:21:24 0 d-------- C:\Documents and Settings
2008-03-12 23:16:25 0 d-------- C:\WINDOWS
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\WinSxS
2008-03-12 23:16:25 0 dr------- C:\WINDOWS\Web
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\twain_32
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\wins
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\wbem
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\usmt
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\spool
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\Setup
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\ras
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\oobe
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\npp
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\mui
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\IME
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\ias
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\export
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\drivers
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-12 23:16:25 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\config
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\3076
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\2052
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1054
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1042
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1041
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1037
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1033
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1031
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1028
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system32\1025
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\system
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\security
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Resources
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\repair
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Provisioning
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\PeerNet
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\pchealth
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\mui
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\msapps
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\msagent
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Media
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\java
2008-03-12 23:16:25 0 d--h----- C:\WINDOWS\inf
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\ime
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Help
2008-03-12 23:16:25 0 dr--s---- C:\WINDOWS\Fonts
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Driver Cache
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Debug
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Cursors
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\Config
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\AppPatch
2008-03-12 23:16:25 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-12 23:22:00 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2008-01-14 07:52:00 81920 --a------ C:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/15/2008 10:38 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [08/11/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 08:47 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [02/07/2008 01:49 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 10:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/15/2008 11:48:31 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 10:23:26 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckBoot"= {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll [04/09/2008 10:25 AM 12330]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setup\rsrc\Autorun.exe
dinstall\command- D:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f56fae2-f0b4-11dc-ab6f-806d6172696f}]
AutoRun\command- D:\setup\rsrc\Autorun.exe
dinstall\command- D:\Directx\dxsetup.exe




-- End of Deckard's System Scanner: finished at 2008-04-09 16:07:16 ------------

----------------
DSS EXTRA REPORT
---------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E6850 @ 3.00GHz
CPU 1: Intel® Core™2 Duo CPU E6850 @ 3.00GHz
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 2943.17 MiB / 2431.7 MiB
Pagefile Memory (total/avail): 4830.2 MiB / 4444.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.82 MiB

C: is Fixed (NTFS) - 465.75 GiB total, 426.74 GiB free.
D: is CDROM (UDF)
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WL500GSA1672 - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton AntiVirus v15.5.0.23 (Symantec Corporation)
AV: Norton AntiVirus v15.5.0.23 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"="C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-F3DEB9BFD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-F3DEB9BFD
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-F3DEB9BFD
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
End It All --> C:\PROGRA~1\EndItAll\UNWISE.EXE C:\PROGRA~1\EndItAll\INSTALL.LOG
FirePower for Microsoft Combat Flight Simulator 3 --> C:\PROGRA~1\MICROS~2\COMBAT~1\UNWISE.EXE C:\PROGRA~1\MICROS~2\COMBAT~1\INSTALL.LOG
Fraps --> "C:\Fraps\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Medal of Honor Airborne --> MsiExec.exe /X{25F28E39-FDBB-11DB-8314-0800200C9A66}
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Microsoft Combat Flight Simulator 3.1 --> "C:\Program Files\Microsoft Games\Combat Flight Simulator 3\UNINSTAL.EXE" /runtemp /addremove
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_5_0_23\Setup.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak Overlay BETA 2 (#63) --> "C:\Program Files\TSO\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1399 / Error
Event Submitted/Written: 04/09/2008 03:46:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1398 / Error
Event Submitted/Written: 04/09/2008 03:44:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type1355 / Warning
Event Submitted/Written: 04/09/2008 01:16:34 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1215 / Warning
Event Submitted/Written: 04/09/2008 10:57:30 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1190 / Error
Event Submitted/Written: 04/09/2008 10:29:17 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2638 / Warning
Event Submitted/Written: 04/09/2008 02:32:20 PM
Event ID/Source: 2510 / Server
Event Description:
The server service was unable to map error code 998.

Event Record #/Type2637 / Error
Event Submitted/Written: 04/09/2008 02:32:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type2636 / Error
Event Submitted/Written: 04/09/2008 02:32:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Event Record #/Type2635 / Error
Event Submitted/Written: 04/09/2008 02:32:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2567 / Error
Event Submitted/Written: 04/09/2008 00:06:09 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
eeCtrl
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SPBBCDrv
SRTSPX
SYMTDI
Tcpip



-- End of Deckard's System Scanner: finished at 2008-04-09 16:07:16 ------------


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 April 2008 - 06:02 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 GdanskZog
  • Topic Starter

  • Members
  • 6 posts

Posted 10 April 2008 - 09:23 PM

Thanks, Sam.
I was in the process of reading about the ctfmon.exe problems out there when I discovered I got a reply here. I will let the expert handle it from here :thumbsup:
----------------------------------------------------------------------------

ComboFix 08-04-10.7 - Owner 2008-04-10 21:01:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2516 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-10 19:34 . 2008-04-10 19:34 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-09 22:42 . 2008-04-09 22:42 88 --a------ C:\WINDOWS\wininit.ini
2008-04-09 22:25 . 2008-04-09 22:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 22:25 . 2008-04-09 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 15:43 . 2008-04-09 15:43 <DIR> d-------- C:\Deckard
2008-04-09 15:17 . 2008-04-09 16:05 <DIR> d-------- C:\Program Files\Panda Security
2008-04-09 14:03 . 2008-04-09 14:08 <DIR> d-------- C:\Program Files\EndItAll
2008-04-09 13:09 . 2008-04-09 13:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 13:09 . 2008-04-09 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 11:50 . 2008-04-09 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 11:20 . 2008-04-09 11:20 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 11:01 . 2008-04-09 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 10:57 . 2008-04-10 17:32 <DIR> d-------- C:\SDFix
2008-04-09 10:25 . 2008-04-09 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ojqryzgj
2008-04-06 15:05 . 2008-04-07 21:16 <DIR> d-------- C:\MUSIC
2008-04-06 15:05 . 1995-06-19 22:02 17,632 --a------ C:\WINDOWS\system\ctl3d.dll
2008-04-06 13:18 . 2008-04-06 14:13 <DIR> d-------- C:\Program Files\Aldo's Pianito
2008-04-06 12:47 . 2008-04-08 14:58 309 --a------ C:\WINDOWS\WGPLAYER.INI
2008-04-06 12:46 . 2008-04-08 14:58 320 --a------ C:\WINDOWS\WINGROOV.PSF
2008-04-06 12:45 . 2008-04-06 12:46 <DIR> d-------- C:\WINGROOV
2008-04-06 12:45 . 2008-04-06 12:45 <DIR> d-------- C:\WG09E.TMP
2008-04-06 12:39 . 2008-04-08 11:45 886 --a------ C:\WINDOWS\WINGROOV.INI
2008-04-06 12:38 . 2008-04-06 12:43 <DIR> d-------- C:\WG0A4.TMP
2008-04-01 15:53 . 2004-11-15 02:36 60,716 --a------ C:\ZephyrScriptFLF.ttf
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\iPod
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\Bonjour
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-01 12:59 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\QuickTime
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-01 12:59 . 2008-04-01 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-01 12:46 . 2008-04-01 12:46 <DIR> d-------- C:\WINDOWS\Sun
2008-03-29 11:58 . 2008-03-30 16:18 <DIR> d-------- C:\Program Files\Google
2008-03-24 21:40 . 2008-03-24 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-24 21:39 . 2008-03-24 21:39 <DIR> d-------- C:\WINDOWS\nview
2008-03-24 21:39 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-24 21:39 . 2008-03-24 21:49 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-24 21:39 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-24 21:38 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-24 15:58 . 2008-03-24 21:49 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-03-19 20:01 . 2008-03-19 20:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-19 20:00 . 2008-03-21 20:10 <DIR> d-------- C:\Program Files\Java
2008-03-19 20:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 19:59 . 2008-03-19 19:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 19:58 . 2008-03-19 20:00 <DIR> d-------- C:\Program Files\LimeWire
2008-03-18 18:53 . 2008-04-03 21:49 <DIR> d-------- C:\Fraps
2008-03-18 18:53 . 2008-03-19 20:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 00:42 . 2008-03-18 00:42 <DIR> d-------- C:\Program Files\FirePower
2008-03-18 00:36 . 2008-03-18 00:36 <DIR> d-------- C:\Program Files\Microsoft Games
2008-03-17 03:01 . 2008-03-17 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-16 22:33 . 2008-03-16 22:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-03-16 19:52 . 2008-04-08 23:28 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-03-16 19:52 . 2008-03-16 22:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-03-16 19:52 . 2008-04-08 23:29 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-16 19:52 . 2008-03-16 19:52 22,328 --a------ C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2008-03-16 19:52 . 2008-03-16 19:52 319 --a------ C:\WINDOWS\game.ini
2008-03-16 19:38 . 2008-03-16 19:38 <DIR> d-------- C:\Program Files\Activision
2008-03-16 19:36 . 2008-03-16 19:36 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-16 18:55 . 2008-03-16 18:55 <DIR> d-------- C:\Program Files\TSO
2008-03-16 18:55 . 2008-03-16 22:33 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-16 18:55 . 2008-03-16 18:55 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-16 15:21 . 2008-03-16 15:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
2008-03-16 01:24 . 2008-03-16 19:57 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-16 00:58 . 2008-03-16 00:58 <DIR> d-------- C:\Program Files\EA GAMES
2008-03-16 00:51 . 2008-03-16 00:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-16 00:32 . 2008-03-16 00:32 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-16 00:32 . 2006-09-28 15:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-03-16 00:32 . 2007-04-04 17:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-03-16 00:31 . 2008-03-16 00:31 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-03-16 00:31 . 2008-04-09 13:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 00:31 . 2008-03-16 00:31 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-15 23:48 . 2008-03-29 12:01 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-15 23:42 . 2008-03-15 23:42 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-15 23:41 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-15 23:41 . 2004-09-29 11:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-03-15 23:41 . 2004-09-29 11:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-03-15 23:41 . 2004-09-29 11:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-03-15 23:41 . 2004-09-29 11:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-03-15 23:41 . 2004-09-29 11:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-03-15 23:41 . 2004-09-29 11:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-03-15 23:41 . 2004-08-03 21:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-15 23:41 . 2004-08-03 21:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-15 23:40 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\HP
2008-03-15 23:40 . 2008-03-16 15:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HP
2008-03-15 23:40 . 2008-03-15 23:44 112,968 --a------ C:\WINDOWS\hpoins07.dat
2008-03-15 23:40 . 2005-12-16 17:17 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-15 23:40 . 2004-08-03 22:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-15 23:40 . 2005-12-16 17:17 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-03-15 23:40 . 2005-12-16 17:17 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-03-15 23:40 . 2005-12-16 17:17 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-15 23:39 . 2005-12-16 17:17 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll
2008-03-15 23:39 . 2005-12-16 17:17 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2008-03-15 23:39 . 2005-12-16 17:17 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2008-03-15 23:39 . 2005-12-16 17:17 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-03-15 23:39 . 2005-12-16 17:17 258,122 --a------ C:\WINDOWS\system32\hpovst08.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 05:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 21:48 --------- d-----w C:\Program Files\Creative
2008-03-13 21:47 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-13 21:47 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-13 21:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Creative
2008-03-13 21:40 --------- d-----w C:\Program Files\Intel
2008-03-13 21:36 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 21:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
.

------- Sigcheck -------

2006-02-28 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2006-02-28 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2006-02-28 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2006-02-28 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2006-02-28 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-02-28 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys

2006-02-28 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2006-02-28 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2006-02-28 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2006-02-28 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2006-02-28 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2006-02-28 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2006-02-28 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2006-02-28 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-15 22:38 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 20:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-07 01:49 718704]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-15 23:48:31 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckBoot"= {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll [2008-04-09 10:25 12330]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-17 07:12]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - D:\Directx\dxsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 20:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-08 01:23:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 21:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 21:03:11
ComboFix-quarantined-files.txt 2008-04-11 02:03:01
Pre-Run: 458,183,385,088 bytes free
Post-Run: 458,231,603,200 bytes free
.
2008-04-09 16:20:47 --- E O F ---

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 April 2008 - 12:56 AM

It doesn't look as bad as your first log. You must have been busy cleaning it up. :thumbsup:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\system32smp
C:\Documents and Settings\All Users\Application Data\ojqryzgj

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


==================



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 GdanskZog

GdanskZog
  • Topic Starter

  • Members
  • 6 posts

Posted 11 April 2008 - 08:34 PM

ComboFix didn't ask for a reboot, so I did the reboot per your instructions. (At least I think it didn't).

COMBO FIX LOG
-------------------------
ComboFix 08-04-10.7 - Owner 2008-04-11 19:49:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2501 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ojqryzgj
C:\Documents and Settings\All Users\Application Data\ojqryzgj\mnypqvax.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-11 19:26 . 2008-04-11 19:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-11 19:26 . 2008-04-11 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 19:34 . 2008-04-10 19:34 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-09 22:42 . 2008-04-09 22:42 88 --a------ C:\WINDOWS\wininit.ini
2008-04-09 22:25 . 2008-04-09 22:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 22:25 . 2008-04-09 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 15:43 . 2008-04-09 15:43 <DIR> d-------- C:\Deckard
2008-04-09 15:17 . 2008-04-09 16:05 <DIR> d-------- C:\Program Files\Panda Security
2008-04-09 14:03 . 2008-04-09 14:08 <DIR> d-------- C:\Program Files\EndItAll
2008-04-09 13:09 . 2008-04-09 13:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-09 13:09 . 2008-04-09 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 11:50 . 2008-04-09 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 11:20 . 2008-04-09 11:20 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 11:01 . 2008-04-09 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 10:57 . 2008-04-10 17:32 <DIR> d-------- C:\SDFix
2008-04-06 15:05 . 2008-04-07 21:16 <DIR> d-------- C:\MUSIC
2008-04-06 15:05 . 1995-06-19 22:02 17,632 --a------ C:\WINDOWS\system\ctl3d.dll
2008-04-06 13:18 . 2008-04-06 14:13 <DIR> d-------- C:\Program Files\Aldo's Pianito
2008-04-06 12:47 . 2008-04-08 14:58 309 --a------ C:\WINDOWS\WGPLAYER.INI
2008-04-06 12:46 . 2008-04-08 14:58 320 --a------ C:\WINDOWS\WINGROOV.PSF
2008-04-06 12:45 . 2008-04-06 12:46 <DIR> d-------- C:\WINGROOV
2008-04-06 12:45 . 2008-04-06 12:45 <DIR> d-------- C:\WG09E.TMP
2008-04-06 12:39 . 2008-04-08 11:45 886 --a------ C:\WINDOWS\WINGROOV.INI
2008-04-06 12:38 . 2008-04-06 12:43 <DIR> d-------- C:\WG0A4.TMP
2008-04-01 15:53 . 2004-11-15 02:36 60,716 --a------ C:\ZephyrScriptFLF.ttf
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\iPod
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\Bonjour
2008-04-01 13:00 . 2008-04-01 13:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-01 12:59 . 2008-04-01 13:00 <DIR> d-------- C:\Program Files\QuickTime
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-01 12:59 . 2008-04-01 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 12:59 . 2008-04-01 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-01 12:46 . 2008-04-01 12:46 <DIR> d-------- C:\WINDOWS\Sun
2008-03-29 11:58 . 2008-03-30 16:18 <DIR> d-------- C:\Program Files\Google
2008-03-24 21:40 . 2008-03-24 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-24 21:39 . 2008-03-24 21:39 <DIR> d-------- C:\WINDOWS\nview
2008-03-24 21:39 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-24 21:39 . 2008-03-24 21:49 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-24 21:39 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-24 21:38 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-24 15:58 . 2008-03-24 21:49 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-03-19 20:01 . 2008-03-19 20:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-03-19 20:00 . 2008-03-21 20:10 <DIR> d-------- C:\Program Files\Java
2008-03-19 20:00 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 19:59 . 2008-03-19 19:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 19:58 . 2008-03-19 20:00 <DIR> d-------- C:\Program Files\LimeWire
2008-03-18 18:53 . 2008-04-03 21:49 <DIR> d-------- C:\Fraps
2008-03-18 18:53 . 2008-03-19 20:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 00:42 . 2008-03-18 00:42 <DIR> d-------- C:\Program Files\FirePower
2008-03-18 00:36 . 2008-03-18 00:36 <DIR> d-------- C:\Program Files\Microsoft Games
2008-03-17 03:01 . 2008-03-17 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-16 22:33 . 2008-03-16 22:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-03-16 19:52 . 2008-04-08 23:28 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-03-16 19:52 . 2008-03-16 22:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-03-16 19:52 . 2008-04-08 23:29 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-16 19:52 . 2008-03-16 19:52 22,328 --a------ C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2008-03-16 19:52 . 2008-03-16 19:52 319 --a------ C:\WINDOWS\game.ini
2008-03-16 19:38 . 2008-03-16 19:38 <DIR> d-------- C:\Program Files\Activision
2008-03-16 19:36 . 2008-03-16 19:36 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-03-16 18:55 . 2008-03-16 18:55 <DIR> d-------- C:\Program Files\TSO
2008-03-16 18:55 . 2008-03-16 22:33 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-16 18:55 . 2008-03-16 18:55 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-16 15:21 . 2008-03-16 15:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
2008-03-16 01:24 . 2008-03-16 19:57 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-16 00:58 . 2008-03-16 00:58 <DIR> d-------- C:\Program Files\EA GAMES
2008-03-16 00:51 . 2008-03-16 00:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-16 00:32 . 2008-03-16 00:32 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-16 00:32 . 2006-09-28 15:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-03-16 00:32 . 2007-04-04 17:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-03-16 00:31 . 2008-03-16 00:31 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-03-16 00:31 . 2008-04-09 13:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 00:31 . 2008-03-16 00:31 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-03-15 23:48 . 2008-03-29 12:01 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-15 23:43 . 2008-03-15 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-15 23:42 . 2008-03-15 23:42 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-15 23:41 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-15 23:41 . 2004-09-29 11:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-03-15 23:41 . 2004-09-29 11:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-03-15 23:41 . 2004-09-29 11:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-03-15 23:41 . 2004-09-29 11:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-03-15 23:41 . 2004-09-29 11:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-03-15 23:41 . 2004-09-29 11:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-03-15 23:41 . 2004-08-03 21:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-15 23:41 . 2004-08-03 21:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-15 23:40 . 2008-03-15 23:43 <DIR> d-------- C:\Program Files\HP
2008-03-15 23:40 . 2008-03-16 15:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HP
2008-03-15 23:40 . 2008-03-15 23:44 112,968 --a------ C:\WINDOWS\hpoins07.dat
2008-03-15 23:40 . 2005-12-16 17:17 51,120 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-03-15 23:40 . 2004-08-03 22:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-15 23:40 . 2005-12-16 17:17 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-03-15 23:40 . 2005-12-16 17:17 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-03-15 23:40 . 2005-12-16 17:17 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-03-15 23:39 . 2005-12-16 17:17 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll
2008-03-15 23:39 . 2005-12-16 17:17 393,216 --a------ C:\WINDOWS\system32\hpzcon12.dll
2008-03-15 23:39 . 2005-12-16 17:17 278,528 --a------ C:\WINDOWS\system32\hpgwiamd.dll
2008-03-15 23:39 . 2005-12-16 17:17 274,432 --a------ C:\WINDOWS\system32\HPZc3212.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 05:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 21:48 --------- d-----w C:\Program Files\Creative
2008-03-13 21:47 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-13 21:47 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-13 21:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Creative
2008-03-13 21:40 --------- d-----w C:\Program Files\Intel
2008-03-13 21:36 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 21:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
.

------- Sigcheck -------

2006-02-28 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2006-02-28 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2006-02-28 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2006-02-28 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2006-02-28 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-02-28 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys

2006-02-28 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2006-02-28 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2006-02-28 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2006-02-28 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2006-02-28 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2006-02-28 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2006-02-28 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2006-02-28 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-10_21.02.57.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-11 01:58:34 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-12 00:30:18 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-11 01:58:34 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-12 00:30:18 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-15 22:38 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 20:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-07 01:49 718704]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-15 23:48:31 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckBoot"= {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll [2008-04-09 10:25 12330]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-10-17 07:12]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - D:\Directx\dxsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 20:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-08 01:23:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 19:50:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 19:50:41
ComboFix-quarantined-files.txt 2008-04-12 00:50:31
ComboFix2.txt 2008-04-11 02:03:11
Pre-Run: 459,921,448,960 bytes free
Post-Run: 459,910,979,584 bytes free
.
2008-04-09 16:20:47 --- E O F ---



HIJACKTHIS LOG
---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:01 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O21 - SSODL: CheckBoot - {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6531 bytes

F-SECURE REPORT
---------------------------------
Scanning Report
Friday, April 11, 2008 20:10:00 - 20:30:31
Computer name: OWNER-F3DEB9BFD
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System
Trojan.Win32.Agent (virus)
System
Trojan.Win32.Agent.jqa (virus)
C:\WINDOWS\RESOURCES\CHECKBOOT.DLL

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28084
System: 2813
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{CEA209B7-0F9E-4C95-BA66-563B7026B7DA}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.64
F-Secure Hydra: 2.8.8110, 2008-04-11
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure AVP: 7.0.171, 2008-04-11
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


#6 Buckeye_Sam (Malware Expert)

Posted 12 April 2008 - 03:56 PM

Run this script through combofix just as you have previously.

File::
C:\WINDOWS\RESOURCES\CHECKBOOT.DLL



Run HijackThis again, click Scan, and put a checkmark next to the line listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O21 - SSODL: CheckBoot - {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll



Reboot and post a new HijackThis log.
How is your computer running now? Any problems?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


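As an added illustration (not part of this thread, and not code from HijackThis, ComboFix or F-Secure), the script below parses HijackThis O21 (SSODL) lines like the one above, checks the loaded DLL against an assumed allowlist of stock XP ShellServiceObjectDelayLoad components, and correlates the path with the file the F-Secure report flagged. The sample log lines and the allowlist are constructed for the example, modelled on the logs posted earlier in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- constructed sample input, modelled on the logs posted in this thread ---
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O21 - SSODL: CheckBoot - {b9ccc692-50b9-49ff-9758-0bf725105bbd} - C:\WINDOWS\Resources\CheckBoot.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
""".strip()

# Constructed excerpt of an F-Secure online scanner "Result" section: the
# detection name is on one line, the object (a path, or "System") on the next.
SAMPLE_AV_REPORT = r"""
Result: 2 malware found
Tracking Cookie (spyware)
System
Trojan.Win32.Agent.jqa (virus)
C:\WINDOWS\RESOURCES\CHECKBOOT.DLL
""".strip()

# Assumed allowlist: the DLLs that back the stock Windows XP SSODL entries.
# HijackThis hides the defaults, so anything it prints under O21 deserves a look.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}
SYSTEM32_MARKER = "\\windows\\system32\\"

O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$"
)
AV_HIT_RE = re.compile(r"^(?P<name>.+?) \((?:virus|spyware|riskware)\)$")


@dataclass
class Finding:
    name: str
    clsid: str
    path: str
    hjt_line: str  # the exact line to tick before "Fix checked"
    reasons: List[str] = field(default_factory=list)
    av_detection: Optional[str] = None


def parse_av_detections(report: str) -> Dict[str, str]:
    """Map each detected file path (lower-cased) to its detection name.

    Non-file objects (the scanner prints "System") are skipped.
    """
    hits: Dict[str, str] = {}
    lines = [ln.strip() for ln in report.splitlines()]
    for i, ln in enumerate(lines[:-1]):
        m = AV_HIT_RE.match(ln)
        if m and lines[i + 1].lower() != "system":
            hits[lines[i + 1].lower()] = m.group("name")
    return hits


def analyze_ssodl(hjt_log: str, av_report: str = "") -> List[Finding]:
    """Return a Finding for every O21 entry that looks out of place."""
    av_hits = parse_av_detections(av_report)
    findings: List[Finding] = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = O21_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        lowered = path.lower()
        basename = lowered.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if basename not in KNOWN_SSODL_DLLS:
            reasons.append(f"{basename} is not a stock SSODL component")
        if SYSTEM32_MARKER not in lowered:
            reasons.append("loads from outside system32")
        detection = av_hits.get(lowered)  # case-insensitive path match
        if detection:
            reasons.append(f"flagged by AV as {detection}")
        if reasons:
            findings.append(
                Finding(m.group("name"), m.group("clsid"), path, line, reasons, detection)
            )
    return findings


if __name__ == "__main__":
    for f in analyze_ssodl(SAMPLE_HJT_LOG, SAMPLE_AV_REPORT):
        print(f"{f.name} {f.clsid} -> {f.path}")
        for r in f.reasons:
            print("  -", r)
        print("  fix line:", f.hjt_line)
```

Run against the constructed samples it reports only the CheckBoot entry, with three reasons, and prints the exact line to tick in HijackThis; the stock WebCheck entry passes.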
========================================================

#7 GdanskZog (Topic Starter)

Posted 12 April 2008 - 06:36 PM

Thanks for all your help so far.

The symptom of having my active window deselect (or unfocus) itself seems to have gone away.

But I am curious about something else. After every restart, my Spybot S&D Resident gives me the following message.

"...Registry Change Denied. Identified as: user decision. Resident denied the change of ctfmon.exe (category system startup user entry) based on your blacklist."

I had run a scan of Spybot S&D several days ago (before you started helping me). It had found several problems. After the problems were "fixed", and upon reboot, I got notification that the registry was trying to change and to accept or deny the changes. I was unclear if Spybot was changing the reg. or if something else was. I had the option to remember the decision, so I thought I could always go back and try again. Actually I accepted at first, and still had the symptoms. Then I denied the change (as it is now) and still had the symptoms at that time.

That's when you came in. Now the symptoms are gone and Spybot S&D keeps notifying me of this. So I was wondering what I should do about that? Is it safe to undo that? Trying to remember if I know how...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:51 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6590 bytes

#8 Buckeye_Sam (Malware Expert)

Posted 13 April 2008 - 08:48 AM

Spybot's Teatimer function will notify you of registry changes and that's all that it's doing. To get past it you can just disable Teatimer, reboot and let the change happen, then enable Teatimer again.

Here's how to disable Teatimer.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

There's nothing malicious about it and that should get you past the annoying notifications.
Let me know how it goes.


========================================================

#9 GdanskZog (Topic Starter)

Posted 13 April 2008 - 09:44 PM

That didn't seem to do the trick. After turning off the TeaTimer and rebooting, and turning TeaTimer back on, and then rebooting again, the message came back up again as before.

Is there a way to see and manage this so-called "black list"?

#10 Buckeye_Sam (Malware Expert)

Posted 14 April 2008 - 06:22 AM

It's not a blacklist. It's any registry change.
Your next option is to either run without Teatimer enabled (which is what I do) or uninstall Spybot completely and then reinstall it.


========================================================

#11 GdanskZog (Topic Starter)

Posted 14 April 2008 - 06:39 PM

Ok, not a problem. I think I'm all set. Everything seems to be running fine these past few days.

Thanks for all your help, once again. I found my experience at bleepingcomputer.com to be very productive. I'll keep this site in mind if I experience future problems and recommend it to friends and family whenever I can.

Cheers!!

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:55 PM

Posted 14 April 2008 - 09:16 PM

Glad I could help out!
Just a few last things and you should be good to go! :blink:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :wacko:


========================================================

#13 Buckeye_Sam (Malware Expert)

Posted 13 May 2008 - 09:25 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



