Virtumonde/vundo Help...


  • This topic is locked
16 replies to this topic

#1 Makou107

  • Members
  • 10 posts

Posted 09 April 2008 - 09:31 PM

I have been trying now for hours on end different and various methods and programs to remove this Virtumonde/Vundo virus. Everything seems to have failed because after all methods I would do a scan again with either Spybot or Malwarebytes' Anti-Malware and both always report it back. Spybot usually comes up with Virtumonde with 3 entries and Malwarebytes' Anti-Malware comes up with 8 or 9 entries labeled Vundo. Both I'm told are the same. Here is what I read to post:

Thank you for any help at all.


Deckard's System Scanner v20071014.68
Run by NFA on 2008-04-09 22:21:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2008-04-10 02:21:40 UTC - RP466 - Deckard's System Scanner Restore Point
54: 2008-04-10 01:36:27 UTC - RP465 - Last known good configuration
53: 2008-04-10 01:36:23 UTC - RP464 - Last known good configuration
52: 2008-04-10 01:36:23 UTC - RP463 - Last known good configuration
51: 2008-04-10 01:36:23 UTC - RP462 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2008-04-10 01:36:16 UTC - RP412 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as NFA.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:40 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Comodo\Firewall\cfp.exe
C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe
D:\FRAPS\FRAPS.EXE
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\NFA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NFA.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45952B6D-79BE-460A-B0BF-6CA63FC1940C} - D:\WINDOWS\system32\qoMcbyvv.dll (file missing)
O2 - BHO: (no name) - {4F3FD116-A097-4054-93BD-25C78A014EF7} - D:\WINDOWS\system32\fcccdASI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C660212-6444-48CE-92A4-012B8F3CE325} - D:\WINDOWS\system32\efcDTNEW.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad Muncher] "C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax5318.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Games\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7786 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - d:\windows\system32\giveio.sys
R0 speedfan - d:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 lirsgt - d:\windows\system32\drivers\lirsgt.sys
R3 pcouffin (VSO Software pcouffin) - d:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S2 npkcrypt - c:\games\mabinogi\npkcrypt.sys (file missing)
S3 EagleNT - d:\windows\system32\drivers\eaglent.sys <Not Verified; AhnLab, Inc.; AhnLab, Inc.>
S3 ENTECH - d:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 npkcusb - c:\games\mabinogi\npkcusb.sys (file missing)
S3 RivaTuner32 - d:\program files\rivatuner v2.02\rivatuner32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "d:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "d:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 npkcmsvc - c:\games\mabinogi\npkcmsvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&1&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&1&00
Service: NVENETFD


-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 21:38:43 0 d-------- D:\VundoFix Backups
2008-04-09 18:44:19 6494 --ahs---- D:\WINDOWS\system32\xybaJkkj.ini2
2008-04-09 17:37:04 0 d-------- D:\Documents and Settings\NFA\Application Data\Malwarebytes
2008-04-09 17:36:58 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 17:35:55 0 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 13:28:45 14498 --ahs---- D:\WINDOWS\system32\ISAdcccf.ini2
2008-04-05 16:12:17 0 d-------- D:\S
2008-04-05 14:09:24 0 d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-04 22:04:44 2048 --a------ D:\WINDOWS\system32\Tr_sttool.dat
2008-04-04 22:04:44 147456 --a------ D:\WINDOWS\system32\bsratwmv.dll
2008-04-04 22:04:44 585728 --a------ D:\WINDOWS\system32\bsratswf.dll
2008-04-04 22:04:28 0 d-------- D:\Program Files\Bulent's Screen Recorder 4
2008-04-04 20:58:17 0 d-------- D:\Documents and Settings\NFA\Contacts
2008-04-04 20:55:32 0 d--hs--c- D:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 20:55:25 0 d-------- D:\Program Files\Windows Live
2008-04-04 20:55:13 0 d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-28 20:55:52 0 d-------- D:\Program Files\Stunt Playground
2008-03-28 20:42:45 0 d-------- D:\Program Files\Unity
2008-03-25 00:55:02 0 d-------- D:\WINDOWS\system32\URTTEMP
2008-03-24 18:27:40 0 d-------- D:\Documents and Settings\All Users\Application Data\Logitech
2008-03-22 13:31:24 0 d-------- D:\Program Files\DivX
2008-03-20 23:17:29 0 d-------- D:\Documents and Settings\NFA\Application Data\Skype
2008-03-20 23:17:05 0 d-------- D:\Program Files\Skype
2008-03-20 23:16:56 0 d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-03-12 04:43:59 0 d-------- D:\WINDOWS\system32\AGEIA
2008-03-12 04:43:59 0 d-------- D:\Program Files\AGEIA Technologies
2008-03-11 22:32:56 0 d-------- D:\Documents and Settings\NFA\Application Data\WorldShift Open Beta
2008-03-11 16:13:58 691545 --a------ D:\WINDOWS\unins000.exe
2008-03-11 16:13:58 2537 --a------ D:\WINDOWS\unins000.dat
2008-03-10 19:14:13 0 d-------- D:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-04-09 16:31:21 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 13:46:42 0 d-------- D:\Documents and Settings\NFA\Application Data\uTorrent
2008-04-08 23:36:14 0 d-------- D:\Documents and Settings\NFA\Application Data\Xfire
2008-04-08 21:22:27 0 d---s---- D:\Program Files\Xfire
2008-04-06 22:40:52 0 d-------- D:\Program Files\Replay Converter
2008-04-04 20:55:32 0 d-------- D:\Program Files\Common Files
2008-03-24 23:26:18 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-03-23 03:41:27 0 d-------- D:\Program Files\SpeedFan
2008-03-22 13:31:28 1421 --a------ D:\WINDOWS\mozver.dat
2008-03-10 19:14:24 0 d-------- D:\Program Files\iTunes
2008-03-10 19:13:15 0 d-------- D:\Program Files\QuickTime
2008-03-10 04:53:02 0 d-------- D:\Documents and Settings\NFA\Application Data\Comodo
2008-03-08 03:38:49 0 d-------- D:\Program Files\Common Files\INCA Shared
2008-03-06 16:45:53 0 d-------- D:\Program Files\Phun
2008-03-03 03:00:40 0 d-------- D:\Documents and Settings\NFA\Application Data\Switchball
2008-02-28 23:21:27 80 --ah----- D:\WINDOWS\system32\HsInfo.dat
2008-02-22 23:50:56 0 d-------- D:\Program Files\K-Lite Codec Pack
2008-02-17 05:46:05 280 --a------ D:\WINDOWS\system32\PDBootState
2008-02-13 18:57:11 0 d-------- D:\Program Files\DAEMON Tools Pro
2008-02-04 22:43:59 737280 --a------ D:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45952B6D-79BE-460A-B0BF-6CA63FC1940C}]
D:\WINDOWS\system32\qoMcbyvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F3FD116-A097-4054-93BD-25C78A014EF7}]
D:\WINDOWS\system32\fcccdASI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C660212-6444-48CE-92A4-012B8F3CE325}]
D:\WINDOWS\system32\efcDTNEW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [05/03/2007 11:40 AM]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\cfp.exe" [03/10/2008 04:52 AM]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"Ad Muncher"="C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" [11/03/2007 01:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="D:\FRAPS\FRAPS.EXE" [12/19/2006 09:02 AM]
"DAEMON Tools Pro Agent"="D:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [09/06/2007 09:08 AM]
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= D:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938339dc-d47c-11dc-8374-00044b02c600}]
AutoRun\command- G:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7F67F8DD-D049-BFA7-4E4F-8F317C66F7EE}]
D:\WINDOWS\system32:lpr.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 babe.the-killer.bz
127.0.0.1 www.babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 www.babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 www.did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 www.coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 www.coolwebsearch.com

8033 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-09 22:24:53 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6700 @ 2.66GHz
CPU 1: Intel® Core™2 CPU 6700 @ 2.66GHz
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 2046.46 MiB / 1604.32 MiB
Pagefile Memory (total/avail): 3938.67 MiB / 3617.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.2 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 42.21 GiB free.
D: is Fixed (NTFS) - 74.52 GiB total, 45.47 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3250823AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - ST380013AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

FW: COMODO Firewall Pro v3.0 (COMODO)
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="D:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Torrents and Stuff\\utorrent.exe"="C:\\Torrents and Stuff\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Games\\Battlefield 2\\BF2.exe"="C:\\Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Games\\Battlefield 2142\\BF2142.exe"="C:\\Games\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"D:\\WINDOWS\\system32\\pnkbstra.exe"="D:\\WINDOWS\\system32\\pnkbstra.exe:*:Enabled:PnkBstrA"
"D:\\WINDOWS\\system32\\PnkBstrB.exe"="D:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Games\\Quake Wars\\etqwded.exe"="C:\\Games\\Quake Wars\\etqwded.exe:*:Enabled:etqwded.exe"
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"="C:\\Games\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\Games\\Quake Wars\\etqw.exe"="C:\\Games\\Quake Wars\\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars™ "
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"="D:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Games\\Call of Duty 4\\iw3mp.exe"="C:\\Games\\Call of Duty 4\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Games\\Frontlines Fuel of War\\Binaries\\FFOW.exe"="C:\\Games\\Frontlines Fuel of War\\Binaries\\FFOW.exe:*:Enabled:Frontlines Game"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Games\\WorldShift Open Beta\\bin\\WorldShift.exe"="C:\\Games\\WorldShift Open Beta\\bin\\WorldShift.exe:*:Enabled:WorldShift"
"D:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="D:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Enabled:Orb"
"D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"="D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe"="D:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe:*:Enabled:OrbChannelScan"
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="D:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\NFA\Application Data
CLASSPATH=.;D:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=MYPC
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\NFA
LOGONSERVER=\\MYPC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\wbem;D:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\NFA\LOCALS~1\Temp
TMP=D:\DOCUME~1\NFA\LOCALS~1\Temp
USERDOMAIN=MYPC
USERNAME=NFA
USERPROFILE=D:\Documents and Settings\NFA
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

NFA (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "D:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
--> D:\Documents and Settings\NFA\Local Settings\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
--> MsiExec /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
--> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B20EB9BE-3795-47BA-BDD6-889593E8FD55}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B20EB9BE-3795-47BA-BDD6-889593E8FD55}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B5AF6143-E738-4768-A5E6-C07C68A464A4}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{C229589D-CC1A-43FF-9507-CDED3AB85325}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9
--> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D8A544F4-AC5F-4B67-9C74-F3E976798797}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
"Faces of War" (Remove Only) --> "C:\Games\Faces of War\unins000.exe" /SILENT
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> D:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Conan - Hyborian Adventures --> "C:\Games\Conan General BETA\unins001.exe"
AGEIA PhysX v7.11.13 --> MsiExec.exe /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Audiosurf --> MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
Battlefield 2™ --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Documents and Settings\NFA\Application Data\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Battlefield 2: Special Forces --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{50D4CB89-AF34-4978-96DC-C3034062E901}\setup.exe" -l0x9 -removeonly
Battlefield 2142 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonly
Bioshock --> "C:\Games\Steam\steam.exe" steam://uninstall/7670
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Bulent's Screen Recorder 4 --> D:\Program Files\Bulent's Screen Recorder 4\Uninstall Screen Recorder 4.exe
Call of Duty® 4 - Modern Warfare™ --> D:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> D:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch --> D:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
CamStudio --> D:\Program Files\CamStudio\uninstall.exe
CamStudio Lossless Codec --> rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\system32\DRIVERS\camcodec.inf
CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
CMT --> D:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://www.sci.fi/~cfish/cmt.jnlp"
COMODO Firewall Pro --> D:\Program Files\COMODO\Firewall\cfpconfg.exe -u
ConvertXtoDVD 2.2.2.256 --> "D:\Program Files\VSO\ConvertXtoDVD\unins000.exe"
Creative Audio Console --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
CryEngine®2 Sandbox™2 --> MsiExec.exe /I{7E4B7FD9-4ECE-4298-A910-3160B7918059}
Crysis® --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
EA Download Manager --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
Enemy Territory - QUAKE Wars™ --> D:\Program Files\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ 1.1 Patch --> D:\Program Files\InstallShield Installation Information\{0C5D0DC4-F5D3-46F9-AE2E-E45C99B4A6B6}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ 1.2 Patch --> D:\Program Files\InstallShield Installation Information\{2EC66D1C-4AF5-4811-BEDE-849D90461AF5}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ 1.4 Patch --> D:\Program Files\InstallShield Installation Information\{BCA71D05-6BC9-4735-BA3F-7218EBE6A023}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ Beta 1.1 Patch --> D:\Program Files\InstallShield Installation Information\{B547451E-9D40-411C-9A18-05A2D997B225}\setup.exe -runfromtemp -l0x0409
Enemy Territory - QUAKE Wars™ Beta 2 1.1 Patch --> D:\Program Files\InstallShield Installation Information\{2FB399BA-E790-4EAE-A82A-37A1B36C2783}\setup.exe -runfromtemp -l0x0409
EVEREST Home Edition v2.20 --> "D:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
First Strike Mod --> C:\Games\Battlefield 2142\Mods\FirstStrike\Uninst.exe
Forgotten Hope 2 --> C:\Games\Battlefield 2\Mods\FH2\uninst.exe
Fraps (remove only) --> "D:\Fraps\uninstall.exe"
Frontlines: Fuel of War --> "D:\Program Files\InstallShield Installation Information\{C711E88C-9DC2-4254-A989-D6E017844DDF}\setup.exe" -runfromtemp -l0x0009 -removeonly
Futuremark Measurement Services Client --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\msc3.inf,DefaultUninstall,5
Half-Life 2 --> "C:\Games\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Games\Steam\steam.exe" steam://uninstall/380
Hard to be a God --> "C:\Games\Hard to be a God\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® Processor ID Utility --> MsiExec.exe /X{A92A4DB0-CD37-42D1-BE1D-603D53C24328}
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 3.7.5 Standard --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware --> "D:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medieval II Total War --> D:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{20DEB77C-21D6-4D22-BB47-233E47613D57}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1 --> "D:\WINDOWS\$NtUninstallWdf01001$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
MobMap 1.56 --> "C:\Games\World of Warcraft\MobMapUpdater\unins000.exe"
Mount&Blade --> C:\Games\Mount&Blade\uninstall.exe
Mozilla Firefox (2.0.0.13) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NOD32 antivirus system --> D:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "D:\Program Files\Eset\unins000.exe"
NVIDIA Drivers --> D:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA System Update --> D:\Program Files\InstallShield Installation Information\{035186F3-D2D5-46A0-BB90-0956B98E5A4B}\setup.exe -runfromtemp -l0x0409
Oblivion - Construction Set --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{23D683DD-93C6-48E6-B84E-78B57778F126}\setup.exe" -l0x9 -removeonly
OpenAL --> "D:\Program Files\OpenAL\oalinst.exe" /U
OpenOffice.org 2.3 --> MsiExec.exe /I{54C93A8C-A15A-4439-BE64-2342202D4FF0}
Overlord --> D:\Program Files\InstallShield Installation Information\{259A8A5E-2886-4BED-9EF1-D5485282CCC3}\Setup.exe -runfromtemp -l0x0009 -removeonly
Peggle Extreme --> "C:\Games\Steam\steam.exe" steam://uninstall/3483
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
PoE:2 2.1.0.0 --> C:\Games\Battlefield 2\mods\poe2\uninstall.exe
Project Reality 0.708 Core --> "C:\Games\Battlefield 2\unins000.exe"
Project Reality 0.708 Levels --> "C:\Games\Battlefield 2\unins001.exe"
PunkBuster Services --> D:\WINDOWS\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Replay Converter 2.8 --> D:\WINDOWS\iun6002.exe "D:\Program Files\Replay Converter\iruninRCV.ini"
RivaTuner v2.02 --> "D:\Program Files\RivaTuner v2.02\uninstall.exe"
Savage 2 - A Tortured Soul --> C:\Games\Savage 2\uninstall.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shadowgrounds Survivor --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{1DBF869D-6B07-4041-94C7-90E32D3CDD01}\SETUP.EXE" -l0x9 -removeonly
SharpKeys --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B6685367-A8AD-4414-A2A3-10B40EC5CF30}\setup.exe" SharpKeys
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sound Blaster X-Fi --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x9 /remove
SpeedFan (remove only) --> "D:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "D:\WINDOWS\unins000.exe"
Switchball --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{57FC4A5A-D05C-EFAD-89E8-1B4131B4C725}\setup.exe" -l0x9 -removeonly
System Requirements Lab --> D:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2 --> "C:\Games\Steam\steam.exe" steam://uninstall/440
Two Worlds --> C:\Games\TWOWOR~1\Unwise.exe /U C:\Games\TWOWOR~1\install.log
Unity Web Player --> D:\Program Files\Unity\WebPlayer\Uninstall.exe
Update 1.04.1 for "Faces of War" --> "C:\Games\Faces of War\unins000.exe" /SILENT
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Imaging Component --> "D:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
WorldShift Open Beta --> C:\Games\WorldShift Open Beta\uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil
Xfire (remove only) --> "D:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type4165 / Error
Event Submitted/Written: 04/09/2008 03:36:39 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application LSUpdateManager.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4159 / Error
Event Submitted/Written: 04/09/2008 02:18:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.31114, faulting module fcccdasi.dll, version 0.0.0.0, fault address 0x000366ac.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4142 / Error
Event Submitted/Written: 04/08/2008 01:28:36 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application AgeOfConan.exe, version 1.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4141 / Error
Event Submitted/Written: 04/08/2008 01:26:03 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ageofconan.exe, version 1.0.0.0, faulting module d3d9.dll, version 5.3.2600.2180, fault address 0x0008798b.
Processing media-specific event for [ageofconan.exe!ws!]

Event Record #/Type4140 / Error
Event Submitted/Written: 04/08/2008 00:28:09 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ageofconan.exe, version 1.0.0.0, faulting module ageofconan.exe, version 1.0.0.0, fault address 0x0062d968.
Processing media-specific event for [ageofconan.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12102 / Error
Event Submitted/Written: 04/09/2008 10:15:40 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%3

Event Record #/Type12098 / Error
Event Submitted/Written: 04/09/2008 10:14:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type12097 / Error
Event Submitted/Written: 04/09/2008 10:13:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type12094 / Error
Event Submitted/Written: 04/09/2008 10:13:39 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type12088 / Warning
Event Submitted/Written: 04/09/2008 10:09:04 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-09 22:24:53 ------------

Edited by Makou107, 09 April 2008 - 10:48 PM.


#2 Makou107

Posted 10 April 2008 - 12:47 PM

Can anyone please help me?

#3 Buckeye_Sam

Malware Expert

Posted 10 April 2008 - 06:04 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Makou107


Posted 10 April 2008 - 07:54 PM

Hi and thank you for the reply. Here is the ComboFix log:

ComboFix 08-04-10.5 - NFA 2008-04-10 20:45:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1543 [GMT -4:00]
Running from: D:\Documents and Settings\NFA\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\NFA\Application Data\inst.exe
D:\WINDOWS\system32\ISAdcccf.ini
D:\WINDOWS\system32\ISAdcccf.ini2
D:\WINDOWS\system32\xybaJkkj.ini
D:\WINDOWS\system32\xybaJkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 22:20 . 2008-04-09 22:20 <DIR> d-------- D:\Deckard
2008-04-09 21:38 . 2008-04-09 21:38 <DIR> d-------- D:\VundoFix Backups
2008-04-09 17:37 . 2008-04-09 17:37 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Malwarebytes
2008-04-09 17:36 . 2008-04-09 17:36 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 17:35 . 2008-04-09 17:37 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 14:20 . 2008-04-09 21:27 378 --a------ D:\WINDOWS\wininit.ini
2008-04-09 13:23 . 2008-04-09 13:23 36,352 --a------ D:\WINDOWS\system32\jkkIYqop.dll.vir
2008-04-05 16:12 . 2008-04-10 20:35 <DIR> d-------- D:\S
2008-04-05 14:09 . 2008-04-05 14:09 <DIR> d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-05 13:54 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2008-04-05 13:54 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
2008-04-05 13:54 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-04-04 22:04 . 2008-04-05 16:14 <DIR> d-------- D:\Program Files\Bulent's Screen Recorder 4
2008-04-04 22:04 . 2008-04-04 22:04 585,728 --a------ D:\WINDOWS\system32\bsratswf.dll
2008-04-04 22:04 . 2008-04-04 22:04 147,456 --a------ D:\WINDOWS\system32\bsratwmv.dll
2008-04-04 22:04 . 2008-04-10 20:35 2,048 --a------ D:\WINDOWS\system32\Tr_sttool.dat
2008-04-04 20:58 . 2008-04-04 21:56 <DIR> d-------- D:\Documents and Settings\NFA\Contacts
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d-------- D:\Program Files\Windows Live
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 20:55 . 2008-04-04 20:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ D:\WINDOWS\system32\xfcodec.dll
2008-04-01 05:12 . 2008-04-10 18:56 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-04-01 05:12 . 2008-04-01 05:12 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-28 20:55 . 2008-03-28 21:53 <DIR> d-------- D:\Program Files\Stunt Playground
2008-03-28 20:42 . 2008-03-28 20:42 <DIR> d-------- D:\Program Files\Unity
2008-03-25 00:55 . 2008-03-25 00:55 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-03-24 18:27 . 2008-03-24 18:27 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Logitech
2008-03-22 13:31 . 2008-03-22 13:41 <DIR> d-------- D:\Program Files\DivX
2008-03-20 23:17 . 2008-03-20 23:17 <DIR> d-------- D:\Program Files\Skype
2008-03-20 23:17 . 2008-04-04 21:48 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Skype
2008-03-20 23:16 . 2008-03-20 23:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-03-12 04:43 . 2008-03-12 04:43 <DIR> d-------- D:\WINDOWS\system32\AGEIA
2008-03-12 04:43 . 2008-03-12 04:44 <DIR> d-------- D:\Program Files\AGEIA Technologies
2008-03-11 22:32 . 2008-03-24 16:54 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\WorldShift Open Beta
2008-03-11 16:13 . 2008-03-11 16:13 691,545 --a------ D:\WINDOWS\unins000.exe
2008-03-11 16:13 . 2008-03-11 16:14 2,537 --a------ D:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 00:48 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 00:44 --------- d-----w D:\Documents and Settings\NFA\Application Data\Xfire
2008-04-11 00:37 --------- d-s---w D:\Program Files\Xfire
2008-04-10 23:02 --------- d-----w D:\Documents and Settings\NFA\Application Data\uTorrent
2008-04-10 02:57 --------- d-----w D:\Program Files\Replay Converter
2008-04-09 20:31 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 04:45 22,328 ----a-w D:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-25 03:26 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-03-23 07:41 --------- d-----w D:\Program Files\SpeedFan
2008-03-11 20:20 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-03-10 23:14 --------- d-----w D:\Program Files\iTunes
2008-03-10 23:14 --------- d-----w D:\Program Files\iPod
2008-03-10 23:13 --------- d-----w D:\Program Files\QuickTime
2008-03-10 09:34 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
2008-03-10 08:53 84,856 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-10 08:53 23,800 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-10 08:53 --------- d-----w D:\Documents and Settings\NFA\Application Data\Comodo
2008-03-08 07:38 --------- d-----w D:\Program Files\Common Files\INCA Shared
2008-03-06 20:45 --------- d-----w D:\Program Files\Phun
2008-03-03 07:00 --------- d-----w D:\Documents and Settings\NFA\Application Data\Switchball
2008-03-01 22:00 --------- d-----w D:\Program Files\Eset
2008-02-29 05:11 448,384 ----a-w D:\WINDOWS\system32\drivers\EagleNt.sys
2008-02-23 03:50 --------- d-----w D:\Program Files\K-Lite Codec Pack
2008-02-13 22:57 --------- d-----w D:\Program Files\DAEMON Tools Pro
2008-02-13 22:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-13 19:09 685,816 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-02-05 02:43 737,280 ----a-w D:\WINDOWS\iun6002.exe
2007-11-16 02:09 22,328 ----a-w D:\Documents and Settings\NFA\Application Data\PnkBstrK.sys
2007-06-17 21:16 47,360 ----a-w D:\Documents and Settings\NFA\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45952B6D-79BE-460A-B0BF-6CA63FC1940C}]
D:\WINDOWS\system32\qoMcbyvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F3FD116-A097-4054-93BD-25C78A014EF7}]
D:\WINDOWS\system32\fcccdASI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C660212-6444-48CE-92A4-012B8F3CE325}]
D:\WINDOWS\system32\efcDTNEW.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="D:\FRAPS\FRAPS.EXE" [2006-12-19 09:02 2842624]
"DAEMON Tools Pro Agent"="D:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 09:08 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-05-03 11:40 949376]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\cfp.exe" [2008-03-10 04:52 1502976]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Ad Muncher"="C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" [2007-11-03 13:48 779776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-17 11:32 17920 D:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-17 11:32 18944 D:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Torrents and Stuff\\utorrent.exe"=
"C:\\Games\\Battlefield 2\\BF2.exe"=
"C:\\Games\\Battlefield 2142\\BF2142.exe"=
"D:\\WINDOWS\\system32\\pnkbstra.exe"=
"D:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\Quake Wars\\etqwded.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Games\\Quake Wars\\etqw.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Games\\Call of Duty 4\\iw3mp.exe"=
"C:\\Games\\Frontlines Fuel of War\\Binaries\\FFOW.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Games\\WorldShift Open Beta\\bin\\WorldShift.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-10 04:53]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-10 04:53]
R2 NVR0FLASHDev;NVR0FLASHDev;D:\WINDOWS\nvflash.sys [2007-03-28 16:36]
R3 ha20x2k;Creative 20X HAL Driver;D:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S2 npkcmsvc;npkcmsvc;C:\Games\Mabinogi\npkcmsvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938339dc-d47c-11dc-8374-00044b02c600}]
\Shell\AutoRun\command - G:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7F67F8DD-D049-BFA7-4E4F-8F317C66F7EE}]
D:\WINDOWS\system32:lpr.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 20:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: D:\WINDOWS\system32

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\explorer.exe
-> C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AM28140.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
D:\WINDOWS\system32\pnkbstra.exe
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
D:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-10 20:51:08 - machine was rebooted [NFA]
ComboFix-quarantined-files.txt 2008-04-11 00:50:14
Pre-Run: 47,666,941,952 bytes free
Post-Run: 47,569,838,080 bytes free
.
2008-04-08 17:36:46 --- E O F ---

#5 Buckeye_Sam

Malware Expert

Posted 11 April 2008 - 12:33 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
D:\VundoFix Backups

File::
D:\WINDOWS\system32\jkkIYqop.dll.vir

Dirlook::
D:\S

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45952B6D-79BE-460A-B0BF-6CA63FC1940C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F3FD116-A097-4054-93BD-25C78A014EF7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C660212-6444-48CE-92A4-012B8F3CE325}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


=====================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 Makou107


Posted 11 April 2008 - 03:18 AM

I am in the process of running the online scanner. It seems to be taking a while so I will let this run overnight and post the logs then. Thanks again for the reply and helping me out.

Edited by Makou107, 11 April 2008 - 03:01 PM.


#7 Makou107


Posted 11 April 2008 - 11:50 AM

Here are the logs in the order listed above:
ComboFix 08-04-10.5 - NFA 2008-04-11 1:40:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1584 [GMT -4:00]
Running from: D:\Documents and Settings\NFA\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\NFA\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
D:\WINDOWS\system32\jkkIYqop.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\VundoFix Backups
D:\WINDOWS\system32\jkkIYqop.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 22:20 . 2008-04-09 22:20 <DIR> d-------- D:\Deckard
2008-04-09 17:37 . 2008-04-09 17:37 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Malwarebytes
2008-04-09 17:36 . 2008-04-09 17:36 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 17:35 . 2008-04-09 17:37 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 14:20 . 2008-04-09 21:27 378 --a------ D:\WINDOWS\wininit.ini
2008-04-05 16:12 . 2008-04-10 20:35 <DIR> d-------- D:\S
2008-04-05 14:09 . 2008-04-05 14:09 <DIR> d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-05 13:54 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2008-04-05 13:54 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
2008-04-05 13:54 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-04-04 22:04 . 2008-04-05 16:14 <DIR> d-------- D:\Program Files\Bulent's Screen Recorder 4
2008-04-04 22:04 . 2008-04-04 22:04 585,728 --a------ D:\WINDOWS\system32\bsratswf.dll
2008-04-04 22:04 . 2008-04-04 22:04 147,456 --a------ D:\WINDOWS\system32\bsratwmv.dll
2008-04-04 22:04 . 2008-04-10 20:35 2,048 --a------ D:\WINDOWS\system32\Tr_sttool.dat
2008-04-04 20:58 . 2008-04-04 21:56 <DIR> d-------- D:\Documents and Settings\NFA\Contacts
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d-------- D:\Program Files\Windows Live
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 20:55 . 2008-04-04 20:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ D:\WINDOWS\system32\xfcodec.dll
2008-04-01 05:12 . 2008-04-10 20:55 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-04-01 05:12 . 2008-04-01 05:12 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-28 20:55 . 2008-03-28 21:53 <DIR> d-------- D:\Program Files\Stunt Playground
2008-03-28 20:42 . 2008-03-28 20:42 <DIR> d-------- D:\Program Files\Unity
2008-03-25 00:55 . 2008-03-25 00:55 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-03-24 18:27 . 2008-03-24 18:27 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Logitech
2008-03-22 13:31 . 2008-03-22 13:41 <DIR> d-------- D:\Program Files\DivX
2008-03-20 23:17 . 2008-03-20 23:17 <DIR> d-------- D:\Program Files\Skype
2008-03-20 23:17 . 2008-04-04 21:48 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Skype
2008-03-20 23:16 . 2008-03-20 23:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-03-12 04:43 . 2008-03-12 04:43 <DIR> d-------- D:\WINDOWS\system32\AGEIA
2008-03-12 04:43 . 2008-03-12 04:44 <DIR> d-------- D:\Program Files\AGEIA Technologies
2008-03-11 22:32 . 2008-03-24 16:54 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\WorldShift Open Beta
2008-03-11 16:13 . 2008-03-11 16:13 691,545 --a------ D:\WINDOWS\unins000.exe
2008-03-11 16:13 . 2008-03-11 16:14 2,537 --a------ D:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 05:34 --------- d-----w D:\Documents and Settings\NFA\Application Data\Xfire
2008-04-11 01:01 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 00:56 85,752 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-11 00:56 23,800 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-11 00:56 139,008 ----a-w D:\WINDOWS\system32\guard32.dll
2008-04-11 00:37 --------- d-s---w D:\Program Files\Xfire
2008-04-10 23:02 --------- d-----w D:\Documents and Settings\NFA\Application Data\uTorrent
2008-04-10 02:57 --------- d-----w D:\Program Files\Replay Converter
2008-04-09 20:31 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 04:45 22,328 ----a-w D:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-07 04:45 107,832 ----a-w D:\WINDOWS\system32\PnkBstrB.exe
2008-03-25 03:26 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-03-23 07:41 --------- d-----w D:\Program Files\SpeedFan
2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
2008-03-11 20:20 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-03-10 23:14 --------- d-----w D:\Program Files\iTunes
2008-03-10 23:14 --------- d-----w D:\Program Files\iPod
2008-03-10 23:13 --------- d-----w D:\Program Files\QuickTime
2008-03-10 09:34 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
2008-03-10 08:53 --------- d-----w D:\Documents and Settings\NFA\Application Data\Comodo
2008-03-08 07:38 --------- d-----w D:\Program Files\Common Files\INCA Shared
2008-03-06 20:45 --------- d-----w D:\Program Files\Phun
2008-03-03 07:00 --------- d-----w D:\Documents and Settings\NFA\Application Data\Switchball
2008-03-01 22:00 --------- d-----w D:\Program Files\Eset
2008-03-01 13:06 826,368 ----a-w D:\WINDOWS\system32\wininet.dll
2008-02-29 05:11 448,384 ----a-w D:\WINDOWS\system32\drivers\EagleNt.sys
2008-02-23 03:50 --------- d-----w D:\Program Files\K-Lite Codec Pack
2008-02-20 06:51 282,624 ----a-w D:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w D:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 22:57 --------- d-----w D:\Program Files\DAEMON Tools Pro
2008-02-13 22:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-13 19:09 685,816 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-02-05 02:43 737,280 ----a-w D:\WINDOWS\iun6002.exe
2008-01-25 23:56 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2008-01-25 23:54 418,480 ----a-w D:\WINDOWS\system32\wrap_oal.dll
2008-01-25 23:54 115,432 ----a-w D:\WINDOWS\system32\OpenAL32.dll
2007-11-16 02:09 22,328 ----a-w D:\Documents and Settings\NFA\Application Data\PnkBstrK.sys
2007-06-17 21:16 47,360 ----a-w D:\Documents and Settings\NFA\Application Data\pcouffin.sys
2007-03-09 08:12 27,648 --sha-w D:\WINDOWS\system32\AVSredirect.dll
2007-05-04 03:41 5 --sha-w D:\WINDOWS\system32\bddbffbbbebdd_g.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of D:\S ----

2008-04-10 20:35 468419584 --a------ D:\S\srectmp2.avi
2008-04-10 20:32 1620527104 --a------ D:\S\srectmp1.avi
2008-04-05 15:01 453789696 --a------ D:\S\cute boy.avi
2008-04-05 14:51 412134400 --a------ D:\S\s2.avi
2008-04-05 14:42 107385856 --a------ D:\S\cute smile.avi
2008-04-05 14:38 116591616 --a------ D:\S\stinky.avi


((((((((((((((((((((((((((((( snapshot@2008-04-10_20.50.05.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-10 08:53:00 78,712 ----a-w D:\WINDOWS\system32\drivers\inspect.sys
+ 2008-04-11 00:56:01 79,224 ----a-w D:\WINDOWS\system32\drivers\inspect.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="D:\FRAPS\FRAPS.EXE" [2006-12-19 09:02 2842624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-05-03 11:40 949376]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\cfp.exe" [2008-04-10 20:55 1503488]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Ad Muncher"="C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" [2007-11-03 13:48 779776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-17 11:32 17920 D:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-17 11:32 18944 D:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Torrents and Stuff\\utorrent.exe"=
"C:\\Games\\Battlefield 2\\BF2.exe"=
"C:\\Games\\Battlefield 2142\\BF2142.exe"=
"D:\\WINDOWS\\system32\\pnkbstra.exe"=
"D:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\Quake Wars\\etqwded.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Games\\Quake Wars\\etqw.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Games\\Call of Duty 4\\iw3mp.exe"=
"C:\\Games\\Frontlines Fuel of War\\Binaries\\FFOW.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Games\\WorldShift Open Beta\\bin\\WorldShift.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-10 20:56]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-10 20:56]
R2 NVR0FLASHDev;NVR0FLASHDev;D:\WINDOWS\nvflash.sys [2007-03-28 16:36]
R3 ha20x2k;Creative 20X HAL Driver;D:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S2 npkcmsvc;npkcmsvc;C:\Games\Mabinogi\npkcmsvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938339dc-d47c-11dc-8374-00044b02c600}]
\Shell\AutoRun\command - G:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7F67F8DD-D049-BFA7-4E4F-8F317C66F7EE}]
D:\WINDOWS\system32:lpr.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 01:41:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\guard32.dll

PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-11 1:42:20
ComboFix-quarantined-files.txt 2008-04-11 05:42:10
ComboFix2.txt 2008-04-11 00:51:09
Pre-Run: 46,193,393,664 bytes free
Post-Run: 46,174,666,752 bytes free
.
2008-04-08 17:36:46 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:17 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe
D:\FRAPS\FRAPS.EXE
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad Muncher] "C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax5318.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Games\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7044 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 12:48:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 696917
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 149844
Number of viruses found: 6
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 02:08:32

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP423\A0080532.exe Infected: Trojan.Win32.Agent.amg skipped
C:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP468\change.log Object is locked skipped
C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.amg skipped
D:\Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NFA\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe Infected: not-a-virus:AdWare.Win32.AdMedia.ay skipped
D:\Documents and Settings\NFA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NFA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NFA\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NFA\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped
D:\Documents and Settings\NFA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Documents and Settings\NFA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NFA\My Documents\My Games\faces of war\log\facesofwar.log Object is locked skipped
D:\Documents and Settings\NFA\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NFA\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
D:\Program Files\Eset\logs\virlog.dat Object is locked skipped
D:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\jkkIYqop.dll.vir.vir Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP462\A0093122.exe Infected: Trojan.Win32.Pakes.cgn skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP462\A0093124.exe Infected: Trojan-Downloader.Win32.Small.tzu skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP465\A0093769.dll Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP466\A0094251.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP468\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{14A8E82B-7DC6-44C0-9347-81AC1A740F75}.bin Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:40 AM

Posted 12 April 2008 - 06:37 AM

Please delete this file.

C:\WINDOWS\system32\drivers\etc\service.exe


How is your computer running now? Any problems?


========================================================

#9 Makou107

Makou107
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 12 April 2008 - 02:13 PM

It's acting normal, I guess, but I'm concerned about the viruses that were found using the online scanner. That service.exe wasn't in there, but there was a file called service without any file extension, for some odd reason. How should I go about getting rid of all the viruses?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:40 AM

Posted 12 April 2008 - 04:25 PM

Almost everything in your Kaspersky log was either already quarantined or in your system restore files. We'll clean up those areas easily at the end, but there were just a couple files that were still active that we need to kill first.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

    File::
    C:\WINDOWS\system32\drivers\etc\service.exe
    D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
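The triage Buckeye_Sam describes above (most hits sit in System Restore snapshots or in ComboFix's quarantine, and only the files still live on disk need a CFScript), worked through as an added example. This is not code from the thread or from any of the tools named in it. It reads the "Infected:" lines of the Kaspersky report posted in #7, sorts each hit by where it sits, and emits the File:: block for the live ones. The path patterns used for classification are assumptions drawn from the paths in that log; the sample lines are excerpted from the report above, with two "Object is locked" lines kept to show they are not detections.

```python
import re
from collections import Counter

# Lines excerpted from the Kaspersky Online Scanner report posted earlier in the thread.
# "Object is locked skipped" lines are ordinary in-use system files, not detections.
REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP423\A0080532.exe Infected: Trojan.Win32.Agent.amg skipped
C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.amg skipped
D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe Infected: not-a-virus:AdWare.Win32.AdMedia.ay skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\jkkIYqop.dll.vir.vir Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP462\A0093122.exe Infected: Trojan.Win32.Pakes.cgn skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP462\A0093124.exe Infected: Trojan-Downloader.Win32.Small.tzu skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP465\A0093769.dll Infected: Packed.Win32.Monder.gen skipped
D:\System Volume Information\_restore{BB6B19A7-2DEF-4A82-AE44-88079C9DBA7A}\RP466\A0094251.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# One detection per line: "<path> Infected: <detection name> skipped"
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")


def classify(path):
    """Decide how a flagged file gets cleaned from where it lives.
    The markers are assumptions taken from the paths seen in this log."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "restore_point"   # inert System Restore copy; gone once restore points are flushed
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"     # already neutralised by ComboFix; gone when ComboFix is uninstalled
    return "live"                # still where it can run; this is what the CFScript must remove


def parse_hits(report):
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:                # blank lines and "Object is locked" lines carry no detection
            continue
        name = m.group("name")
        hits.append({
            "path": m.group("path"),
            "name": name,
            "location": classify(m.group("path")),
            # Kaspersky's not-a-virus: prefix marks adware/riskware rather than a trojan
            "riskware": name.startswith("not-a-virus:"),
        })
    return hits


def live_paths(hits):
    return [h["path"] for h in hits if h["location"] == "live"]


def cfscript(hits):
    """The File:: block a helper would hand back, listing only the live files."""
    return "File::\n" + "\n".join(live_paths(hits)) + "\n"


def summary(hits):
    return Counter(h["location"] for h in hits)


if __name__ == "__main__":
    hits = parse_hits(REPORT)
    for location, count in sorted(summary(hits).items()):
        print(f"{location:14}{count}")
    print(cfscript(hits))
```

Run against the excerpt it reports five restore-point copies, one quarantined file and two live files, which is exactly the pair that went into the CFScript in the post above.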


========================================================

#11 Makou107

Makou107
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 12 April 2008 - 08:13 PM

Why did we delete the WoW Model Viewer? Here is the log:
ComboFix 08-04-10.5 - NFA 2008-04-12 21:09:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1509 [GMT -4:00]
Running from: D:\Documents and Settings\NFA\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\NFA\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\etc\service.exe
D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\etc\service.exe
D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 15:32 . 2008-04-12 15:32 54,928 --a------ D:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000A-00001102-00000005-00231102}.rfx
2008-04-12 15:32 . 2008-04-12 15:32 54,928 --a------ D:\WINDOWS\system32\BMXState-{00000002-00000000-0000000A-00001102-00000005-00231102}.rfx
2008-04-12 15:32 . 2008-04-12 15:32 788 --a------ D:\WINDOWS\system32\DVCState-{00000002-00000000-0000000A-00001102-00000005-00231102}.rfx
2008-04-12 15:30 . 2007-02-26 15:24 94,208 --a------ D:\WINDOWS\system32\cttele32.dll
2008-04-11 13:25 . 2008-04-11 13:25 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Ubisoft
2008-04-11 13:24 . 2008-04-11 13:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-11 01:48 . 2008-04-11 01:48 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-04-11 01:48 . 2008-04-11 01:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 22:20 . 2008-04-09 22:20 <DIR> d-------- D:\Deckard
2008-04-09 17:37 . 2008-04-09 17:37 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Malwarebytes
2008-04-09 17:36 . 2008-04-09 17:36 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 17:35 . 2008-04-09 17:37 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 14:20 . 2008-04-09 21:27 378 --a------ D:\WINDOWS\wininit.ini
2008-04-05 16:12 . 2008-04-10 20:35 <DIR> d-------- D:\S
2008-04-05 14:09 . 2008-04-05 14:09 <DIR> d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-05 13:54 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2008-04-05 13:54 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
2008-04-05 13:54 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-04-04 22:04 . 2008-04-05 16:14 <DIR> d-------- D:\Program Files\Bulent's Screen Recorder 4
2008-04-04 22:04 . 2008-04-04 22:04 585,728 --a------ D:\WINDOWS\system32\bsratswf.dll
2008-04-04 22:04 . 2008-04-04 22:04 147,456 --a------ D:\WINDOWS\system32\bsratwmv.dll
2008-04-04 22:04 . 2008-04-10 20:35 2,048 --a------ D:\WINDOWS\system32\Tr_sttool.dat
2008-04-04 20:58 . 2008-04-04 21:56 <DIR> d-------- D:\Documents and Settings\NFA\Contacts
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d-------- D:\Program Files\Windows Live
2008-04-04 20:55 . 2008-04-04 20:57 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 20:55 . 2008-04-04 20:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ D:\WINDOWS\system32\xfcodec.dll
2008-04-01 05:12 . 2008-04-12 21:02 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-04-01 05:12 . 2008-04-01 05:12 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-28 20:55 . 2008-03-28 21:53 <DIR> d-------- D:\Program Files\Stunt Playground
2008-03-28 20:42 . 2008-03-28 20:42 <DIR> d-------- D:\Program Files\Unity
2008-03-25 00:55 . 2008-03-25 00:55 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-03-24 18:27 . 2008-03-24 18:27 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Logitech
2008-03-22 13:31 . 2008-03-22 13:41 <DIR> d-------- D:\Program Files\DivX
2008-03-20 23:17 . 2008-03-20 23:17 <DIR> d-------- D:\Program Files\Skype
2008-03-20 23:17 . 2008-04-04 21:48 <DIR> d-------- D:\Documents and Settings\NFA\Application Data\Skype
2008-03-20 23:16 . 2008-03-20 23:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 19:34 --------- d-----w D:\Documents and Settings\All Users\Application Data\Creative
2008-04-12 19:33 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 19:30 413,696 ----a-w D:\WINDOWS\system32\wrap_oal.dll
2008-04-12 19:30 110,592 ----a-w D:\WINDOWS\system32\OpenAL32.dll
2008-04-12 19:29 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-04-12 19:29 --------- d-----w D:\Documents and Settings\NFA\Application Data\Creative
2008-04-12 19:27 --------- d-----w D:\Documents and Settings\NFA\Application Data\uTorrent
2008-04-12 07:11 --------- d-----w D:\Documents and Settings\NFA\Application Data\Xfire
2008-04-11 00:56 85,752 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-11 00:56 23,800 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-11 00:56 139,008 ----a-w D:\WINDOWS\system32\guard32.dll
2008-04-11 00:37 --------- d-s---w D:\Program Files\Xfire
2008-04-10 02:57 --------- d-----w D:\Program Files\Replay Converter
2008-04-09 20:31 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 04:45 22,328 ----a-w D:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-07 04:45 107,832 ----a-w D:\WINDOWS\system32\PnkBstrB.exe
2008-03-24 20:54 --------- d-----w D:\Documents and Settings\NFA\Application Data\WorldShift Open Beta
2008-03-23 07:41 --------- d-----w D:\Program Files\SpeedFan
2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
2008-03-12 08:44 --------- d-----w D:\Program Files\AGEIA Technologies
2008-03-11 20:20 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-03-11 20:13 691,545 ----a-w D:\WINDOWS\unins000.exe
2008-03-10 23:14 --------- d-----w D:\Program Files\iTunes
2008-03-10 23:14 --------- d-----w D:\Program Files\iPod
2008-03-10 23:13 --------- d-----w D:\Program Files\QuickTime
2008-03-10 09:34 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
2008-03-10 08:53 --------- d-----w D:\Documents and Settings\NFA\Application Data\Comodo
2008-03-08 07:38 --------- d-----w D:\Program Files\Common Files\INCA Shared
2008-03-06 20:45 --------- d-----w D:\Program Files\Phun
2008-03-03 07:00 --------- d-----w D:\Documents and Settings\NFA\Application Data\Switchball
2008-03-01 22:00 --------- d-----w D:\Program Files\Eset
2008-03-01 13:06 826,368 ----a-w D:\WINDOWS\system32\wininet.dll
2008-02-29 05:11 448,384 ----a-w D:\WINDOWS\system32\drivers\EagleNt.sys
2008-02-25 13:45 189,464 ----a-w D:\WINDOWS\system32\drivers\haP17v2k.sys
2008-02-25 13:45 15,896 ----a-w D:\WINDOWS\system32\drivers\pfmodnt.sys
2008-02-25 13:44 92,696 ----a-w D:\WINDOWS\system32\drivers\emupia2k.sys
2008-02-25 13:44 797,720 ----a-w D:\WINDOWS\system32\drivers\ha10kx2k.sys
2008-02-25 13:44 162,840 ----a-w D:\WINDOWS\system32\drivers\haP16v2k.sys
2008-02-25 13:44 157,208 ----a-w D:\WINDOWS\system32\drivers\ctsfm2k.sys
2008-02-25 13:44 14,360 ----a-w D:\WINDOWS\system32\drivers\ctprxy2k.sys
2008-02-25 13:44 1,172,504 ----a-w D:\WINDOWS\system32\drivers\ha20x2k.sys
2008-02-25 13:43 524,312 ----a-w D:\WINDOWS\system32\drivers\ctaud2k.sys
2008-02-25 13:43 511,000 ----a-w D:\WINDOWS\system32\drivers\ctac32k.sys
2008-02-25 13:43 346,856 ----a-w D:\WINDOWS\system32\drivers\ctdvda2k.sys
2008-02-25 13:43 18,840 ----a-w D:\WINDOWS\system32\drivers\CTGAME.SYS
2008-02-25 13:43 127,000 ----a-w D:\WINDOWS\system32\drivers\ctoss2k.sys
2008-02-25 13:43 1,372,568 ----a-w D:\WINDOWS\system32\drivers\CTMMFILT.SYS
2008-02-25 13:43 1,366,424 ----a-w D:\WINDOWS\system32\drivers\CT0531FL.SYS
2008-02-25 13:41 72,728 ----a-w D:\WINDOWS\system32\CTHWIUT.DLL
2008-02-25 13:41 566,296 ----a-w D:\WINDOWS\system32\CTSBLFX.DLL
2008-02-25 13:41 329,240 ----a-w D:\WINDOWS\system32\CTEDSPSY.DLL
2008-02-25 13:41 286,232 ----a-w D:\WINDOWS\system32\CTEDSPFX.DLL
2008-02-25 13:41 174,104 ----a-w D:\WINDOWS\system32\CTEAPSFX.DLL
2008-02-25 13:41 170,520 ----a-w D:\WINDOWS\system32\CT20XUT.DLL
2008-02-25 13:41 134,680 ----a-w D:\WINDOWS\system32\CTEDSPIO.DLL
2008-02-25 13:41 100,888 ----a-w D:\WINDOWS\system32\CTERFXFX.DLL
2008-02-25 13:41 1,323,544 ----a-w D:\WINDOWS\system32\CTEXFIFX.DLL
2008-02-25 13:40 98,328 ----a-w D:\WINDOWS\system32\COMMONFX.DLL
2008-02-25 13:40 551,960 ----a-w D:\WINDOWS\system32\CTAUDFX.DLL
2008-02-23 03:50 --------- d-----w D:\Program Files\K-Lite Codec Pack
2008-02-21 01:00 43,520 ----a-w D:\WINDOWS\system32\CTBurst.dll
2008-02-21 00:59 86,016 ----a-w D:\WINDOWS\system32\ctcoinst.dll
2008-02-21 00:59 34,816 ----a-w D:\WINDOWS\system32\a3d.dll
2008-02-21 00:59 27,648 ----a-w D:\WINDOWS\system32\ac3api.dll
2008-02-21 00:59 163,840 ----a-w D:\WINDOWS\system32\ctdvinst.dll
2008-02-21 00:59 11,776 ----a-w D:\WINDOWS\INRES.DLL
2008-02-21 00:55 969,216 ----a-w D:\WINDOWS\system32\CTxfispi.exe
2008-02-21 00:55 43,520 ----a-w D:\WINDOWS\system32\Ctxfireg.exe
2008-02-21 00:55 10,752 ----a-w D:\WINDOWS\system32\Ct20xspi.dll
2008-02-21 00:49 110,080 ----a-w D:\WINDOWS\system32\ctemupia.dll
2008-02-21 00:47 49,152 ----a-w D:\WINDOWS\system32\ctdproxy.dll
2008-02-21 00:47 46,592 ----a-w D:\WINDOWS\system32\ctasio.dll
2008-02-21 00:47 174,592 ----a-w D:\WINDOWS\system32\ct_oal.dll
2008-02-21 00:47 17,920 ----a-w D:\WINDOWS\system32\ctedasio.dll
2008-02-21 00:46 69,120 ----a-w D:\WINDOWS\system32\ctosuser.dll
2008-02-21 00:46 64,512 ----a-w D:\WINDOWS\system32\piaproxy.dll
2008-02-21 00:46 6,144 ----a-w D:\WINDOWS\system32\sfman32.dll
2008-02-21 00:46 13,312 ----a-w D:\WINDOWS\system32\regplib.exe
2008-02-21 00:46 104,448 ----a-w D:\WINDOWS\system32\sfms32.dll
2008-02-21 00:44 5,120 ----a-w D:\WINDOWS\system32\enlocstr.exe
2008-02-21 00:44 10,240 ----a-w D:\WINDOWS\system32\killapps.exe
2008-02-21 00:43 32,768 ----a-w D:\WINDOWS\system32\devreg.dll
2008-02-21 00:43 28,672 ----a-w D:\WINDOWS\system32\mididef.exe
2008-02-20 06:51 282,624 ----a-w D:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w D:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 22:57 --------- d-----w D:\Program Files\DAEMON Tools Pro
2008-02-13 22:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-13 19:09 685,816 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-02-05 02:43 737,280 ----a-w D:\WINDOWS\iun6002.exe
2008-01-25 23:56 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-11-16 02:09 22,328 ----a-w D:\Documents and Settings\NFA\Application Data\PnkBstrK.sys
2007-06-17 21:16 47,360 ----a-w D:\Documents and Settings\NFA\Application Data\pcouffin.sys
2007-03-09 08:12 27,648 --sha-w D:\WINDOWS\system32\AVSredirect.dll
2007-05-04 03:41 5 --sha-w D:\WINDOWS\system32\bddbffbbbebdd_g.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-10_20.50.05.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 04:55:59 53,248 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-11 17:23:55 53,248 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-03-25 04:55:59 12,800 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-11 17:23:55 12,800 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-03-25 04:55:59 473,600 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-11 17:23:55 473,600 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-03-25 03:36:34 2,676,224 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:46 2,676,224 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:35 2,846,720 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:48 2,846,720 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:35 563,712 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:49 563,712 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:35 567,296 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:50 567,296 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:35 576,000 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:51 576,000 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:36 577,024 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:51 577,024 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:36 577,536 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:52 577,536 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:36 577,536 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:52 577,536 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 03:36:36 578,560 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:53 578,560 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 04:55:59 578,560 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-11 17:23:56 578,560 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-03-25 04:56:00 145,920 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-11 17:23:56 145,920 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-03-25 04:56:00 159,232 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-11 17:23:56 159,232 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-03-25 04:56:00 364,544 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-11 17:23:56 364,544 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-03-25 04:56:00 178,176 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-11 17:23:56 178,176 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-03-25 04:55:59 223,232 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-11 17:23:54 223,232 ----a-w D:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2006-08-17 15:31:42 10,240 ----a-w D:\WINDOWS\CTDCRES.DLL
+ 2008-02-21 00:58:22 10,240 ----a-w D:\WINDOWS\CTDCRES.DLL
- 2005-10-29 11:31:09 3,072 ----a-w D:\WINDOWS\CTXFIRES.DLL
+ 2008-02-21 00:58:50 3,072 ----a-w D:\WINDOWS\CTXFIRES.DLL
+ 2006-12-05 18:52:40 48,400 ----a-w D:\WINDOWS\system32\AddCat.exe
- 2006-08-17 15:32:04 7,168 ----a-w D:\WINDOWS\system32\CTAGENT.DLL
+ 2008-02-21 00:58:42 8,704 ----a-w D:\WINDOWS\system32\ctagent.dll
+ 2007-03-19 15:05:56 512,000 ----a-w D:\WINDOWS\system32\CTAPO32.dll
- 2006-08-17 15:14:06 140,643 ----a-w D:\WINDOWS\system32\CTBAS2W.DAT
+ 2008-02-21 00:46:20 149,838 ----a-w D:\WINDOWS\system32\CTBAS2W.DAT
- 2006-08-17 15:11:38 113,221 ----a-w D:\WINDOWS\system32\CTBASICW.DAT
+ 2008-02-21 00:44:26 115,166 ----a-w D:\WINDOWS\system32\CTBASICW.DAT
- 2006-08-17 15:11:10 53,932 ----a-w D:\WINDOWS\system32\ctdaught.dat
+ 2008-02-21 00:44:10 53,932 ----a-w D:\WINDOWS\system32\ctdaught.dat
- 2006-08-17 15:31:42 190,976 ----a-w D:\WINDOWS\system32\CTDC0000.DLL
+ 2008-02-21 00:58:22 227,840 ----a-w D:\WINDOWS\system32\ctdc0000.dll
- 2006-08-17 15:31:44 286,208 ----a-w D:\WINDOWS\system32\CTDC0001.DLL
+ 2008-02-21 00:58:22 335,360 ----a-w D:\WINDOWS\system32\ctdc0001.dll
- 2006-08-17 15:31:46 129,536 ----a-w D:\WINDOWS\system32\CTDCIFCE.DLL
+ 2008-02-21 00:58:24 131,072 ----a-w D:\WINDOWS\system32\ctdcifce.dll
+ 2008-02-21 00:58:22 10,240 ----a-w D:\WINDOWS\system32\ctdcres.dll
- 2006-08-17 15:22:58 323,640 ----a-w D:\WINDOWS\system32\ctdlang.dat
+ 2008-02-21 00:49:46 321,512 ----a-w D:\WINDOWS\system32\ctdlang.dat
- 2006-08-17 15:22:58 44,567 ----a-w D:\WINDOWS\system32\ctdnlstr.dat
+ 2008-02-21 00:49:46 56,509 ----a-w D:\WINDOWS\system32\ctdnlstr.dat
+ 2008-02-21 00:58:44 19,456 ----a-w D:\WINDOWS\system32\CtHelper.exe
- 2005-06-08 01:10:50 70,656 ----a-w D:\WINDOWS\system32\CTMMACTL.DLL
+ 2007-08-14 00:45:02 77,824 ----a-w D:\WINDOWS\system32\ctmmactl.dll
- 2006-08-17 15:31:58 11,776 ----a-w D:\WINDOWS\system32\CTMMEP.DLL
+ 2008-02-21 00:58:40 12,800 ----a-w D:\WINDOWS\system32\ctmmep.dll
- 2006-08-17 15:32:00 30,208 ----a-w D:\WINDOWS\system32\CTPCMCIA.DLL
+ 2008-02-21 00:58:42 56,832 ----a-w D:\WINDOWS\system32\CTpcmcia.dll
+ 2007-03-19 15:06:16 45,568 ----a-w D:\WINDOWS\system32\ctppld.dll
- 2006-08-17 15:31:48 9,216 ----a-w D:\WINDOWS\system32\CTPRES.DLL
+ 2008-02-21 00:58:28 9,216 ----a-w D:\WINDOWS\system32\ctpres.dll
+ 2007-03-13 14:32:14 89,336 ----a-w D:\WINDOWS\system32\ctpxst32.exe
- 2006-08-17 15:11:52 264,526 ----a-w D:\WINDOWS\system32\CTSBAS2W.DAT
+ 2008-02-21 00:44:34 274,587 ----a-w D:\WINDOWS\system32\CTSBAS2W.DAT
- 2006-08-17 15:11:38 231,281 ----a-w D:\WINDOWS\system32\CTSBASW.DAT
+ 2008-02-21 00:44:26 241,084 ----a-w D:\WINDOWS\system32\CTSBASW.DAT
- 2006-08-17 15:31:46 75,264 ----a-w D:\WINDOWS\system32\CTSCAL.DLL
+ 2008-02-21 00:58:26 78,336 ----a-w D:\WINDOWS\system32\ctscal.dll
- 2006-08-17 15:32:02 23,040 ----a-w D:\WINDOWS\system32\CTSPKHLP.DLL
+ 2008-02-21 00:58:42 43,520 ----a-w D:\WINDOWS\system32\ctspkhlp.dll
- 2006-08-17 15:11:10 313,207 ----a-w D:\WINDOWS\system32\ctstatic.dat
+ 2008-02-21 00:44:10 313,207 ----a-w D:\WINDOWS\system32\ctstatic.dat
- 2006-08-17 15:31:48 64,000 ----a-w D:\WINDOWS\system32\CTTHXCAL.DLL
+ 2008-02-21 00:58:26 69,632 ----a-w D:\WINDOWS\system32\ctthxcal.dll
- 2006-08-17 15:32:14 26,112 ----a-w D:\WINDOWS\system32\CTXFIBTN.DLL
+ 2008-02-21 00:58:50 35,840 ----a-w D:\WINDOWS\system32\CTxfiBtn.dll
- 2006-08-17 15:32:10 18,944 ----a-w D:\WINDOWS\system32\CTXFIHLP.EXE
+ 2008-02-21 00:58:46 19,968 ----a-w D:\WINDOWS\system32\Ctxfihlp.exe
- 2006-08-17 15:32:12 25,600 ----a-w D:\WINDOWS\system32\CTXFISPK.DLL
+ 2008-02-21 00:58:48 45,056 ----a-w D:\WINDOWS\system32\CTxfiSpk.dll
- 2006-08-17 15:11:24 232,847 ----a-w D:\WINDOWS\system32\Data\CT0060W.DAT
+ 2008-02-21 00:44:18 235,142 ----a-w D:\WINDOWS\system32\Data\CT0060W.DAT
- 2006-08-17 15:11:10 15,899 ----a-w D:\WINDOWS\system32\Data\ctd20x.dat
+ 2008-02-21 00:44:10 26,919 ----a-w D:\WINDOWS\system32\Data\ctd20x.dat
- 2006-08-17 15:11:38 199,465 ----a-w D:\WINDOWS\system32\Data\CTEAPSW.DAT
+ 2008-02-21 00:44:26 201,502 ----a-w D:\WINDOWS\system32\Data\CTEAPSW.DAT
- 2006-08-17 15:12:24 364,238 ----a-w D:\WINDOWS\system32\Data\CTEDSP2W.DAT
+ 2008-02-21 00:44:52 374,041 ----a-w D:\WINDOWS\system32\Data\CTEDSP2W.DAT
- 2006-08-17 15:12:28 338,622 ----a-w D:\WINDOWS\system32\Data\CTEDSPHW.DAT
+ 2008-02-21 00:44:54 348,425 ----a-w D:\WINDOWS\system32\Data\CTEDSPHW.DAT
- 2006-08-17 15:12:24 284,972 ----a-w D:\WINDOWS\system32\Data\CTEDSPKW.DAT
+ 2008-02-21 00:44:50 294,775 ----a-w D:\WINDOWS\system32\Data\CTEDSPKW.DAT
- 2006-08-17 15:12:22 284,972 ----a-w D:\WINDOWS\system32\Data\CTEDSPLW.DAT
+ 2008-02-21 00:44:50 294,775 ----a-w D:\WINDOWS\system32\Data\CTEDSPLW.DAT
- 2006-08-17 15:12:26 320,862 ----a-w D:\WINDOWS\system32\Data\CTEDSPPW.DAT
+ 2008-02-21 00:44:52 330,665 ----a-w D:\WINDOWS\system32\Data\CTEDSPPW.DAT
- 2006-08-17 15:12:26 261,124 ----a-w D:\WINDOWS\system32\Data\CTEDSPTW.DAT
+ 2008-02-21 00:44:52 270,927 ----a-w D:\WINDOWS\system32\Data\CTEDSPTW.DAT
- 2006-08-17 15:12:26 261,124 ----a-w D:\WINDOWS\system32\Data\CTEDSPUW.DAT
+ 2008-02-21 00:44:52 270,927 ----a-w D:\WINDOWS\system32\Data\CTEDSPUW.DAT
- 2006-08-17 15:12:04 364,238 ----a-w D:\WINDOWS\system32\Data\CTEDSPW.DAT
+ 2008-02-21 00:44:42 374,041 ----a-w D:\WINDOWS\system32\Data\CTEDSPW.DAT
- 2006-08-17 15:11:24 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0060W.DAT
+ 2008-02-21 00:44:18 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0060W.DAT
- 2006-08-17 15:11:26 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0061W.DAT
+ 2008-02-21 00:44:20 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0061W.DAT
- 2006-08-17 15:11:42 279,348 ----a-w D:\WINDOWS\system32\Data\CTP0070W.DAT
+ 2008-02-21 00:44:28 289,409 ----a-w D:\WINDOWS\system32\Data\CTP0070W.DAT
- 2006-08-17 15:11:42 279,348 ----a-w D:\WINDOWS\system32\Data\CTP0073W.DAT
+ 2008-02-21 00:44:28 289,409 ----a-w D:\WINDOWS\system32\Data\CTP0073W.DAT
- 2006-08-17 15:11:42 266,677 ----a-w D:\WINDOWS\system32\Data\CTP0090W.DAT
+ 2008-02-21 00:44:28 276,738 ----a-w D:\WINDOWS\system32\Data\CTP0090W.DAT
- 2006-08-17 15:11:50 265,108 ----a-w D:\WINDOWS\system32\Data\CTP0091W.DAT
+ 2008-02-21 00:44:34 275,169 ----a-w D:\WINDOWS\system32\Data\CTP0091W.DAT
- 2006-08-17 15:11:46 266,677 ----a-w D:\WINDOWS\system32\Data\CTP0092W.DAT
+ 2008-02-21 00:44:32 276,738 ----a-w D:\WINDOWS\system32\Data\CTP0092W.DAT
- 2006-08-17 15:11:52 264,526 ----a-w D:\WINDOWS\system32\Data\CTP0095W.DAT
+ 2008-02-21 00:44:34 274,587 ----a-w D:\WINDOWS\system32\Data\CTP0095W.DAT
- 2006-08-17 15:11:24 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0100W.DAT
+ 2008-02-21 00:44:20 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0100W.DAT
- 2006-08-17 15:11:28 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0101W.DAT
+ 2008-02-21 00:44:20 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0101W.DAT
- 2006-08-17 15:11:26 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0102W.DAT
+ 2008-02-21 00:44:20 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0102W.DAT
- 2006-08-17 15:11:30 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0103W.DAT
+ 2008-02-21 00:44:22 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0103W.DAT
- 2006-08-17 15:11:30 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0105W.DAT
+ 2008-02-21 00:44:22 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0105W.DAT
- 2006-08-17 15:11:20 229,863 ----a-w D:\WINDOWS\system32\Data\CTP0150W.DAT
+ 2008-02-21 00:44:16 232,158 ----a-w D:\WINDOWS\system32\Data\CTP0150W.DAT
- 2006-08-17 15:11:46 265,366 ----a-w D:\WINDOWS\system32\Data\CTP0161W.DAT
+ 2008-02-21 00:44:30 275,427 ----a-w D:\WINDOWS\system32\Data\CTP0161W.DAT
- 2006-08-17 15:11:44 266,677 ----a-w D:\WINDOWS\system32\Data\CTP0162W.DAT
+ 2008-02-21 00:44:30 276,738 ----a-w D:\WINDOWS\system32\Data\CTP0162W.DAT
- 2006-08-17 15:11:32 232,964 ----a-w D:\WINDOWS\system32\Data\CTP0170W.DAT
+ 2008-02-21 00:44:22 235,259 ----a-w D:\WINDOWS\system32\Data\CTP0170W.DAT
- 2006-08-17 15:11:32 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017AW.DAT
+ 2008-02-21 00:44:22 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017AW.DAT
- 2006-08-17 15:11:34 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017BW.DAT
+ 2008-02-21 00:44:24 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017BW.DAT
- 2006-08-17 15:11:34 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017CW.DAT
+ 2008-02-21 00:44:24 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017CW.DAT
- 2006-08-17 15:11:34 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017DW.DAT
+ 2008-02-21 00:44:24 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017DW.DAT
- 2006-08-17 15:11:36 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017EW.DAT
+ 2008-02-21 00:44:24 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017EW.DAT
- 2006-08-17 15:11:36 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017FW.DAT
+ 2008-02-21 00:44:24 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017FW.DAT
- 2006-08-17 15:11:36 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017GW.DAT
+ 2008-02-21 00:44:26 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017GW.DAT
- 2006-08-17 15:11:38 232,847 ----a-w D:\WINDOWS\system32\Data\CTP017HW.DAT
+ 2008-02-21 00:44:26 235,142 ----a-w D:\WINDOWS\system32\Data\CTP017HW.DAT
- 2006-08-17 15:11:46 265,108 ----a-w D:\WINDOWS\system32\Data\CTP0191W.DAT
+ 2008-02-21 00:44:30 275,169 ----a-w D:\WINDOWS\system32\Data\CTP0191W.DAT
- 2006-08-17 15:11:44 266,677 ----a-w D:\WINDOWS\system32\Data\CTP0192W.DAT
+ 2008-02-21 00:44:30 276,738 ----a-w D:\WINDOWS\system32\Data\CTP0192W.DAT
- 2006-08-17 15:11:28 233,894 ----a-w D:\WINDOWS\system32\Data\CTP0221W.DAT
+ 2008-02-21 00:44:22 236,189 ----a-w D:\WINDOWS\system32\Data\CTP0221W.DAT
- 2006-08-17 15:11:28 233,894 ----a-w D:\WINDOWS\system32\Data\CTP0222W.DAT
+ 2008-02-21 00:44:22 236,189 ----a-w D:\WINDOWS\system32\Data\CTP0222W.DAT
- 2006-08-17 15:11:50 267,098 ----a-w D:\WINDOWS\system32\Data\CTP0230W.DAT
+ 2008-02-21 00:44:32 277,159 ----a-w D:\WINDOWS\system32\Data\CTP0230W.DAT
- 2006-08-17 15:11:48 265,755 ----a-w D:\WINDOWS\system32\Data\CTP0231W.DAT
+ 2008-02-21 00:44:32 275,816 ----a-w D:\WINDOWS\system32\Data\CTP0231W.DAT
- 2006-08-17 15:11:48 267,098 ----a-w D:\WINDOWS\system32\Data\CTP0232W.DAT
+ 2008-02-21 00:44:32 277,159 ----a-w D:\WINDOWS\system32\Data\CTP0232W.DAT
- 2006-08-17 15:11:50 265,456 ----a-w D:\WINDOWS\system32\Data\CTP0238W.DAT
+ 2008-02-21 00:44:32 275,517 ----a-w D:\WINDOWS\system32\Data\CTP0238W.DAT
- 2006-08-17 15:11:54 309,009 ----a-w D:\WINDOWS\system32\Data\CTP0240W.DAT
+ 2008-02-21 00:44:36 319,070 ----a-w D:\WINDOWS\system32\Data\CTP0240W.DAT
- 2006-08-17 15:11:56 309,669 ----a-w D:\WINDOWS\system32\Data\CTP0242W.DAT
+ 2008-02-21 00:44:36 319,730 ----a-w D:\WINDOWS\system32\Data\CTP0242W.DAT
- 2006-08-17 15:11:58 308,739 ----a-w D:\WINDOWS\system32\Data\CTP0243W.DAT
+ 2008-02-21 00:44:38 318,800 ----a-w D:\WINDOWS\system32\Data\CTP0243W.DAT
- 2006-08-17 15:11:56 309,669 ----a-w D:\WINDOWS\system32\Data\CTP0244W.DAT
+ 2008-02-21 00:44:36 319,730 ----a-w D:\WINDOWS\system32\Data\CTP0244W.DAT
- 2006-08-17 15:12:00 308,193 ----a-w D:\WINDOWS\system32\Data\CTP0245W.DAT
+ 2008-02-21 00:44:38 318,254 ----a-w D:\WINDOWS\system32\Data\CTP0245W.DAT
- 2006-08-17 15:12:02 309,669 ----a-w D:\WINDOWS\system32\Data\CTP0246W.DAT
+ 2008-02-21 00:44:38 319,730 ----a-w D:\WINDOWS\system32\Data\CTP0246W.DAT
- 2006-08-17 15:12:02 308,280 ----a-w D:\WINDOWS\system32\Data\CTP0249W.DAT
+ 2008-02-21 00:44:40 318,341 ----a-w D:\WINDOWS\system32\Data\CTP0249W.DAT
- 2006-08-17 15:12:02 308,193 ----a-w D:\WINDOWS\system32\Data\CTP0280W.DAT
+ 2008-02-21 00:44:40 318,254 ----a-w D:\WINDOWS\system32\Data\CTP0280W.DAT
- 2006-08-17 15:12:04 308,193 ----a-w D:\WINDOWS\system32\Data\CTP0320W.DAT
+ 2008-02-21 00:44:40 318,254 ----a-w D:\WINDOWS\system32\Data\CTP0320W.DAT
- 2006-08-17 15:12:06 313,579 ----a-w D:\WINDOWS\system32\Data\CTP0350W.DAT
+ 2008-02-21 00:44:42 323,640 ----a-w D:\WINDOWS\system32\Data\CTP0350W.DAT
- 2006-08-17 15:12:06 311,468 ----a-w D:\WINDOWS\system32\Data\CTP0352W.DAT
+ 2008-02-21 00:44:42 321,529 ----a-w D:\WINDOWS\system32\Data\CTP0352W.DAT
- 2006-08-17 15:12:12 312,133 ----a-w D:\WINDOWS\system32\Data\CTP0355W.DAT
+ 2008-02-21 00:44:44 322,194 ----a-w D:\WINDOWS\system32\Data\CTP0355W.DAT
- 2006-08-17 15:12:08 311,491 ----a-w D:\WINDOWS\system32\Data\CTP0358W.DAT
+ 2008-02-21 00:44:44 321,552 ----a-w D:\WINDOWS\system32\Data\CTP0358W.DAT
- 2006-08-17 15:12:10 310,561 ----a-w D:\WINDOWS\system32\Data\CTP0359W.DAT
+ 2008-02-21 00:44:44 320,622 ----a-w D:\WINDOWS\system32\Data\CTP0359W.DAT
- 2006-08-17 15:12:10 310,015 ----a-w D:\WINDOWS\system32\Data\CTP0360W.DAT
+ 2008-02-21 00:44:44 320,076 ----a-w D:\WINDOWS\system32\Data\CTP0360W.DAT
- 2006-08-17 15:12:14 310,015 ----a-w D:\WINDOWS\system32\Data\CTP0380W.DAT
+ 2008-02-21 00:44:46 320,076 ----a-w D:\WINDOWS\system32\Data\CTP0380W.DAT
- 2006-08-17 15:12:16 310,046 ----a-w D:\WINDOWS\system32\Data\CTP0400W.DAT
+ 2008-02-21 00:44:48 319,757 ----a-w D:\WINDOWS\system32\Data\CTP0400W.DAT
- 2006-08-17 15:14:10 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0460W.DAT
+ 2008-02-21 00:46:20 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0460W.DAT
- 2006-08-17 15:14:12 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0462W.DAT
+ 2008-02-21 00:46:24 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0462W.DAT
- 2006-08-17 15:14:12 244,765 ----a-w D:\WINDOWS\system32\Data\CTP0463W.DAT
+ 2008-02-21 00:46:22 277,104 ----a-w D:\WINDOWS\system32\Data\CTP0463W.DAT
- 2006-08-17 15:14:14 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0464W.DAT
+ 2008-02-21 00:46:22 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0464W.DAT
- 2006-08-17 15:14:14 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0465W.DAT
+ 2008-02-21 00:46:22 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0465W.DAT
- 2006-08-17 15:14:12 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0466W.DAT
+ 2008-02-21 00:46:22 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0466W.DAT
- 2006-08-17 15:14:14 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0468W.DAT
+ 2008-02-21 00:46:22 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0468W.DAT
- 2006-08-17 15:14:14 245,093 ----a-w D:\WINDOWS\system32\Data\CTP0469W.DAT
+ 2008-02-21 00:46:22 276,658 ----a-w D:\WINDOWS\system32\Data\CTP0469W.DAT
- 2006-08-17 15:14:16 244,765 ----a-w D:\WINDOWS\system32\Data\CTP046AW.DAT
+ 2008-02-21 00:46:24 276,330 ----a-w D:\WINDOWS\system32\Data\CTP046AW.DAT
- 2006-08-17 15:14:16 244,765 ----a-w D:\WINDOWS\system32\Data\CTP046BW.DAT
+ 2008-02-21 00:46:24 276,330 ----a-w D:\WINDOWS\system32\Data\CTP046BW.DAT
- 2006-08-17 15:14:16 244,765 ----a-w D:\WINDOWS\system32\Data\CTP046CW.DAT
+ 2008-02-21 00:46:24 276,330 ----a-w D:\WINDOWS\system32\Data\CTP046CW.DAT
- 2006-08-17 15:13:18 222,944 ----a-w D:\WINDOWS\system32\Data\CTP0530L.DAT
+ 2008-02-21 00:45:36 232,116 ----a-w D:\WINDOWS\system32\Data\CTP0530L.DAT
- 2006-08-17 15:12:30 311,666 ----a-w D:\WINDOWS\system32\Data\CTP0530W.DAT
+ 2008-02-21 00:44:54 321,377 ----a-w D:\WINDOWS\system32\Data\CTP0530W.DAT
- 2006-08-17 15:14:06 222,944 ----a-w D:\WINDOWS\system32\Data\CTP0531L.DAT
+ 2008-02-21 00:46:20 232,116 ----a-w D:\WINDOWS\system32\Data\CTP0531L.DAT
- 2006-08-17 15:13:18 311,666 ----a-w D:\WINDOWS\system32\Data\CTP0531W.DAT
+ 2008-02-21 00:45:38 321,377 ----a-w D:\WINDOWS\system32\Data\CTP0531W.DAT
- 2006-08-17 15:14:14 245,351 ----a-w D:\WINDOWS\system32\Data\CTP0550W.DAT
+ 2008-02-21 00:46:22 276,916 ----a-w D:\WINDOWS\system32\Data\CTP0550W.DAT
- 2006-08-17 15:14:16 245,023 ----a-w D:\WINDOWS\system32\Data\CTP055AW.DAT
+ 2008-02-21 00:46:24 276,588 ----a-w D:\WINDOWS\system32\Data\CTP055AW.DAT
- 2006-08-17 15:12:18 310,046 ----a-w D:\WINDOWS\system32\Data\CTP0600W.DAT
+ 2008-02-21 00:44:48 319,757 ----a-w D:\WINDOWS\system32\Data\CTP0600W.DAT
- 2006-08-17 15:12:20 310,046 ----a-w D:\WINDOWS\system32\Data\CTP0610W.DAT
+ 2008-02-21 00:44:48 319,757 ----a-w D:\WINDOWS\system32\Data\CTP0610W.DAT
- 2006-08-17 15:12:22 310,046 ----a-w D:\WINDOWS\system32\Data\CTP0669W.DAT
+ 2008-02-21 00:44:50 319,757 ----a-w D:\WINDOWS\system32\Data\CTP0669W.DAT
+ 2008-02-21 00:46:26 358,805 ----a-w D:\WINDOWS\system32\Data\CTP0678W.DAT
- 2006-08-17 15:14:12 326,466 ----a-w D:\WINDOWS\system32\Data\CTP0679W.DAT
+ 2008-02-21 00:46:22 358,805 ----a-w D:\WINDOWS\system32\Data\CTP0679W.DAT
- 2006-08-17 15:14:14 245,847 ----a-w D:\WINDOWS\system32\Data\CTP0730W.DAT
+ 2008-02-21 00:46:24 278,510 ----a-w D:\WINDOWS\system32\Data\CTP0730W.DAT
- 2006-08-17 15:14:16 245,847 ----a-w D:\WINDOWS\system32\Data\CTP073AW.DAT
+ 2008-02-21 00:46:24 278,510 ----a-w D:\WINDOWS\system32\Data\CTP073AW.DAT
+ 2008-02-21 00:46:24 276,079 ----a-w D:\WINDOWS\system32\Data\CTP0760W.DAT
+ 2008-02-21 00:46:26 278,572 ----a-w D:\WINDOWS\system32\Data\CTP0772W.DAT
+ 2008-02-21 00:46:26 278,572 ----a-w D:\WINDOWS\system32\Data\CTP0773W.DAT
+ 2008-02-21 00:46:26 278,572 ----a-w D:\WINDOWS\system32\Data\CTP0776W.DAT
+ 2008-02-21 00:46:26 278,572 ----a-w D:\WINDOWS\system32\Data\CTP0779W.DAT
- 2006-08-17 15:11:12 231,389 ----a-w D:\WINDOWS\system32\Data\CTP1140W.DAT
+ 2008-02-21 00:44:12 233,684 ----a-w D:\WINDOWS\system32\Data\CTP1140W.DAT
- 2006-08-17 15:11:12 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4620W.DAT
+ 2008-02-21 00:44:10 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4620W.DAT
- 2006-08-17 15:11:14 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4670W.DAT
+ 2008-02-21 00:44:12 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4670W.DAT
- 2006-08-17 15:11:12 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4760W.DAT
+ 2008-02-21 00:44:12 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4760W.DAT
- 2006-08-17 15:11:16 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4780W.DAT
+ 2008-02-21 00:44:14 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4780W.DAT
- 2006-08-17 15:11:20 229,863 ----a-w D:\WINDOWS\system32\Data\CTP4790W.DAT
+ 2008-02-21 00:44:16 232,158 ----a-w D:\WINDOWS\system32\Data\CTP4790W.DAT
- 2006-08-17 15:11:40 257,538 ----a-w D:\WINDOWS\system32\Data\CTP4820W.DAT
+ 2008-02-21 00:44:28 267,599 ----a-w D:\WINDOWS\system32\Data\CTP4820W.DAT
- 2006-08-17 15:11:18 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4830W.DAT
+ 2008-02-21 00:44:16 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4830W.DAT
- 2006-08-17 15:11:18 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4831W.DAT
+ 2008-02-21 00:44:14 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4831W.DAT
- 2006-08-17 15:11:18 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4832W.DAT
+ 2008-02-21 00:44:16 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4832W.DAT
- 2006-08-17 15:11:20 229,863 ----a-w D:\WINDOWS\system32\Data\CTP4840W.DAT
+ 2008-02-21 00:44:16 232,158 ----a-w D:\WINDOWS\system32\Data\CTP4840W.DAT
- 2006-08-17 15:11:14 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4850W.DAT
+ 2008-02-21 00:44:12 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4850W.DAT
- 2006-08-17 15:11:14 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4870W.DAT
+ 2008-02-21 00:44:12 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4870W.DAT
- 2006-08-17 15:11:16 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4871W.DAT
+ 2008-02-21 00:44:14 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4871W.DAT
- 2006-08-17 15:11:16 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4872W.DAT
+ 2008-02-21 00:44:14 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4872W.DAT
- 2006-08-17 15:11:14 230,729 ----a-w D:\WINDOWS\system32\Data\CTP4875W.DAT
+ 2008-02-21 00:44:14 233,024 ----a-w D:\WINDOWS\system32\Data\CTP4875W.DAT
- 2006-08-17 15:11:22 229,863 ----a-w D:\WINDOWS\system32\Data\CTP4890W.DAT
+ 2008-02-21 00:44:18 232,158 ----a-w D:\WINDOWS\system32\Data\CTP4890W.DAT
- 2006-08-17 15:11:22 229,863 ----a-w D:\WINDOWS\system32\Data\CTP4891W.DAT
+ 2008-02-21 00:44:18 232,158 ----a-w D:\WINDOWS\system32\Data\CTP4891W.DAT
- 2006-08-17 15:11:22 229,863 ----a-w D:\WINDOWS\system32\Data\CTP4893W.DAT
+ 2008-02-21 00:44:18 232,158 ----a-w D:\WINDOWS\system32\Data\CTP4893W.DAT
- 2006-08-17 15:11:26 232,847 ----a-w D:\WINDOWS\system32\Data\CTPDXW.DAT
+ 2008-02-21 00:44:20 235,142 ----a-w D:\WINDOWS\system32\Data\CTPDXW.DAT
- 2006-08-17 15:11:12 231,389 ----a-w D:\WINDOWS\system32\Data\CTPM002W.DAT
+ 2008-02-21 00:44:12 233,684 ----a-w D:\WINDOWS\system32\Data\CTPM002W.DAT
- 2006-08-17 15:32:46 33,792 -c--a-w D:\WINDOWS\system32\dllcache\a3d.dll
+ 2008-02-21 00:59:14 34,816 -c--a-w D:\WINDOWS\system32\dllcache\a3d.dll
- 2004-08-04 03:08:00 60,288 -c--a-w D:\WINDOWS\system32\dllcache\drmk.sys
+ 2007-12-19 23:33:58 60,288 -c--a-w D:\WINDOWS\system32\dllcache\drmk.sys
- 2004-08-04 03:15:22 140,928 -c--a-w D:\WINDOWS\system32\dllcache\ks.sys
+ 2007-12-19 23:34:00 140,928 -c--a-w D:\WINDOWS\system32\dllcache\ks.sys
- 2004-08-04 04:56:44 4,096 -c--a-w D:\WINDOWS\system32\dllcache\ksuser.dll
+ 2007-12-19 23:34:00 4,096 -c--a-w D:\WINDOWS\system32\dllcache\ksuser.dll
- 2004-08-04 03:15:50 145,792 -c--a-w D:\WINDOWS\system32\dllcache\portcls.sys
+ 2007-12-19 23:34:06 145,792 -c--a-w D:\WINDOWS\system32\dllcache\portcls.sys
- 2004-08-04 03:08:04 48,640 -c--a-w D:\WINDOWS\system32\dllcache\stream.sys
+ 2007-12-19 23:34:08 48,640 -c--a-w D:\WINDOWS\system32\dllcache\stream.sys
- 2004-08-04 04:56:58 23,552 -c--a-w D:\WINDOWS\system32\dllcache\wdmaud.drv
+ 2007-12-19 23:34:10 23,552 -c--a-w D:\WINDOWS\system32\dllcache\wdmaud.drv
- 2004-08-04 03:08:00 60,288 ----a-w D:\WINDOWS\system32\drivers\drmk.sys
+ 2007-12-19 23:33:58 60,288 ----a-w D:\WINDOWS\system32\drivers\drmk.sys
- 2008-03-10 08:53:00 78,712 ----a-w D:\WINDOWS\system32\drivers\inspect.sys
+ 2008-04-11 00:56:01 79,224 ----a-w D:\WINDOWS\system32\drivers\inspect.sys
- 2004-08-04 03:15:22 140,928 ----a-w D:\WINDOWS\system32\drivers\ks.sys
+ 2007-12-19 23:34:00 140,928 ----a-w D:\WINDOWS\system32\drivers\ks.sys
- 2004-08-04 03:15:50 145,792 ----a-w D:\WINDOWS\system32\drivers\portcls.sys
+ 2007-12-19 23:34:06 145,792 ----a-w D:\WINDOWS\system32\drivers\portcls.sys
- 2004-08-04 03:08:04 48,640 ----a-w D:\WINDOWS\system32\drivers\stream.sys
+ 2007-12-19 23:34:08 48,640 ----a-w D:\WINDOWS\system32\drivers\stream.sys
+ 2005-05-24 16:27:16 213,048 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2004-08-04 04:56:44 4,096 ----a-w D:\WINDOWS\system32\ksuser.dll
+ 2007-12-19 23:34:00 4,096 ----a-w D:\WINDOWS\system32\ksuser.dll
- 2006-08-24 17:47:34 749,568 ----a-w D:\WINDOWS\system32\OALInst.exe
+ 2007-07-11 06:30:34 782,336 ----a-w D:\WINDOWS\system32\OALInst.exe
+ 2008-02-21 00:58:46 37,888 ----a-w D:\WINDOWS\system32\psconv.exe
+ 2008-02-21 00:58:52 38,400 ----a-w D:\WINDOWS\system32\readreg.exe
- 2004-08-04 04:56:58 23,552 ----a-w D:\WINDOWS\system32\wdmaud.drv
+ 2007-12-19 23:34:10 23,552 ----a-w D:\WINDOWS\system32\wdmaud.drv
+ 2008-02-25 13:45:26 2,190,872 ----a-w D:\WINDOWS\TEMP\CRF000\Drivers\SBXF\wdm\win2k_xp\amd64\ct0531fl.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="D:\FRAPS\FRAPS.EXE" [2006-12-19 09:02 2842624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-05-03 11:40 949376]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\cfp.exe" [2008-04-10 20:55 1503488]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Ad Muncher"="C:\Torrents and Stuff\Ad Muncher v4.71 Build 28140 (1782) - CRACKED\Ad Muncher\AdMunch.exe" [2007-11-03 13:48 779776]
"CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 D:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 D:\WINDOWS\system32\Ctxfihlp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 D:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2008-02-20 20:58 19456 D:\WINDOWS\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2008-02-20 20:58 19968 D:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Torrents and Stuff\\utorrent.exe"=
"C:\\Games\\Battlefield 2\\BF2.exe"=
"C:\\Games\\Battlefield 2142\\BF2142.exe"=
"D:\\WINDOWS\\system32\\pnkbstra.exe"=
"D:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\Quake Wars\\etqwded.exe"=
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Games\\Quake Wars\\etqw.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Games\\Call of Duty 4\\iw3mp.exe"=
"C:\\Games\\Frontlines Fuel of War\\Binaries\\FFOW.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Games\\WorldShift Open Beta\\bin\\WorldShift.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Games\\Assassins Creed\\AssassinsCreed_Launcher.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-10 20:56]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-10 20:56]
R2 CTAudSvcService;Creative Audio Service;D:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 19:24]
R2 NVR0FLASHDev;NVR0FLASHDev;D:\WINDOWS\nvflash.sys [2007-03-28 16:36]
R3 ha20x2k;Creative 20X HAL Driver;D:\WINDOWS\system32\drivers\ha20x2k.sys [2008-02-25 09:44]
S2 npkcmsvc;npkcmsvc;C:\Games\Mabinogi\npkcmsvc.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{938339dc-d47c-11dc-8374-00044b02c600}]
\Shell\AutoRun\command - G:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7F67F8DD-D049-BFA7-4E4F-8F317C66F7EE}]
D:\WINDOWS\system32:lpr.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 21:11:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\guard32.dll

PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-12 21:11:33
ComboFix-quarantined-files.txt 2008-04-13 01:11:23
ComboFix2.txt 2008-04-11 05:42:21
ComboFix3.txt 2008-04-11 00:51:09
Pre-Run: 45,723,185,152 bytes free
Post-Run: 45,850,140,672 bytes free
.
2008-04-08 17:36:46 --- E O F ---

#12 Makou107
  • Topic Starter
  • Members
  • 10 posts
  • Local time:10:40 AM

Posted 12 April 2008 - 08:21 PM

Also here is what keeps coming up on Malwarebytes' Anti-Malware scanner:



Malwarebytes' Anti-Malware 1.11
Database version: 617

Scan type: Quick Scan
Objects scanned: 29702
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.1 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Makou107, 12 April 2008 - 08:42 PM.


#13 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:40 AM

Posted 13 April 2008 - 09:02 AM

Why did we delete the WoW Model Viewer?

It shows in your Kaspersky scan as an infected file.

D:\Documents and Settings\NFA\Desktop\wowmodelview-0.5.08\wowmodelview.exe Infected: not-a-virus:AdWare.Win32.AdMedia.ay

==============



Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_CLASSES_ROOT\Typelib\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.1]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



Reboot your computer and run Malwarebytes' Anti-Malware scanner again. It should come up clean.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
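As an added example (not from the thread or from either poster), here is a small Python checker for the fixme.reg procedure above: it enforces the rule that REGEDIT4 must be the very first line, lists the keys the file would delete (the leading "-" inside the brackets marks a key for deletion), and confirms those keys match the ones the Malwarebytes log flagged. The .reg text and the log excerpt are constructed inline from the values quoted in this thread.

```python
"""Checker for a REGEDIT4 deletion file such as fixme.reg (added example)."""
import re
from typing import List, Tuple

# Constructed copy of the fix file given in post #13.
FIXME_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CLASSES_ROOT\\Typelib\\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8}]\n"
    "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\vnbptxlf.1]\n"
)

# Constructed excerpt of the Malwarebytes log from post #12.
MBAM_LOG = """Registry Keys Infected:
HKEY_CLASSES_ROOT\\Typelib\\{43e7b8b8-0c4a-45a9-b94c-5f5b078d68d8} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\vnbptxlf.1 (Trojan.FakeAlert) -> No action taken.

"""

# A key header; a leading '-' inside the brackets means "delete this key".
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")


def parse_reg(text: str) -> Tuple[List[str], List[str]]:
    """Return (keys_to_delete, problems) for a REGEDIT4-format file."""
    problems: List[str] = []
    lines = text.splitlines()
    # Regedit only recognises the file if the header is the very first line,
    # which is why the helper insists on no blank line above REGEDIT4.
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("first line must be REGEDIT4 (no blank line above it)")
    deletions: List[str] = []
    for n, line in enumerate(lines[1:], start=2):
        m = KEY_LINE.match(line.strip())
        if m is None:
            continue  # blank lines and value lines are not interpreted here
        if m.group("delete"):
            deletions.append(m.group("key"))
        else:
            problems.append(f"line {n} creates or edits a key instead of deleting one")
    return deletions, problems


def infected_keys(log: str) -> List[str]:
    """Extract key names from the 'Registry Keys Infected:' section of an MBAM log."""
    keys: List[str] = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("Registry Keys Infected:"):
            in_section = True
            continue
        if in_section:
            if not line.strip() or line.endswith(":"):
                break  # blank line or next section header ends the list
            key = line.split(" (", 1)[0].strip()
            if key.upper().startswith("HKEY_"):
                keys.append(key)
    return keys


def fix_covers_log(reg_text: str, log: str) -> bool:
    """True when the .reg is well-formed and deletes exactly the keys the log flagged (case-insensitive)."""
    deletions, problems = parse_reg(reg_text)
    wanted = {k.lower() for k in infected_keys(log)}
    return not problems and {k.lower() for k in deletions} == wanted
```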

#14 Makou107
  • Topic Starter
  • Members
  • 10 posts
  • Local time:10:40 AM

Posted 13 April 2008 - 04:45 PM

Thank you so much for your help and patience. I appreciate you taking the time and helping me with this. The scan came up clean and everything seems back to normal.

Edited by Makou107, 13 April 2008 - 04:46 PM.


#15 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:40 AM

Posted 14 April 2008 - 06:00 AM

Excellent!
Just a few last things and you should be good to go! :blink:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure that your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :wacko: