Munga_bunga; Removal Help


19 replies to this topic

#1 Mant!s

  • Members
  • 12 posts

Posted 20 April 2008 - 10:05 PM

Hello all, I'm sad to say that I was hoping never to have to come to one of these forums :thumbsup:
I ran a scan with SpyBot S&D, Kaspersky, and DSS after I experienced severe lag in my games and received the "SocketXCtl failed to load..." message, and decided to Google it to find out what it meant.

Here are the logs from my scans:

DSS main.txt

Deckard's System Scanner v20071014.68
Run by [------------] on 2008-04-20 20:46:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-04-21 00:46:35 UTC - RP17 - Deckard's System Scanner Restore Point
16: 2008-04-21 00:11:26 UTC - RP16 - Installed SUPERAntiSpyware Free Edition
15: 2008-04-20 17:49:33 UTC - RP15 - Removed Call of Duty® 4 - Modern Warfare™
14: 2008-04-20 15:24:50 UTC - RP14 - Installed Microsoft Office Professional Edition 2003
13: 2008-04-19 12:41:14 UTC - RP13 - Installed Battlefront II Version Picker by EML


-- First Restore Point --
1: 2008-04-18 01:45:59 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as [-----------].exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:01 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Isaac Praul\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Isaac Praul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 9292 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,41
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,33
.txt - txtfile - DefaultIcon - C:\Program Files\AlienGUIse\Themes\Darkstar Icons\Darkstar.icl,35


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 vncdrv - c:\windows\system32\drivers\vncdrv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-20 20:28:01 270 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2007-12-20 10:18:53 366 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-12-20 10:18:52 368 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 20:26:43 0 d-------- C:\Program Files\Trend Micro
2008-04-20 20:15:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 20:11:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 20:11:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 20:11:30 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\SUPERAntiSpyware.com
2008-04-20 13:10:41 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-20 13:09:59 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-04-20 13:09:56 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-04-20 13:09:52 0 d--h----- C:\Program Files\CanonBJ
2008-04-20 13:08:34 0 d-------- C:\Program Files\Canon
2008-04-20 11:26:15 0 d-------- C:\Program Files\Common Files\L&H
2008-04-20 11:26:03 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-20 11:25:34 0 d-------- C:\Program Files\Microsoft Works
2008-04-20 11:25:10 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-20 11:24:55 0 d-------- C:\Program Files\Microsoft.NET
2008-04-19 15:44:46 0 d-------- C:\Program Files\CoD RconTool
2008-04-19 11:01:19 0 d-------- C:\Program Files\DNA
2008-04-19 11:01:18 0 d-------- C:\Program Files\BitTorrent
2008-04-19 11:01:18 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\DNA
2008-04-19 08:41:15 0 d-------- C:\Program Files\EML
2008-04-18 22:15:31 0 d-------- C:\reslists
2008-04-18 22:15:31 0 d-------- C:\platform
2008-04-18 22:15:31 0 d-------- C:\bin
2008-04-18 21:15:09 0 d-------- C:\Program Files\hl2
2008-04-18 21:14:24 106496 --a------ C:\Program Files\hl2.exe
2008-04-18 21:14:23 118784 --a------ C:\Program Files\vstdlib.dll
2008-04-18 21:14:23 61440 --a------ C:\Program Files\steam_api.dll
2008-04-18 21:14:23 955392 --a------ C:\Program Files\Launcher.exe
2008-04-18 21:14:22 229376 --a------ C:\Program Files\vstdlib_s.dll <Not Verified; Valve Corporation; Steam>
2008-04-18 21:14:22 241664 --a------ C:\Program Files\tier0_s.dll <Not Verified; ; tier0_s Dynamic Link Library>
2008-04-18 21:14:22 208896 --a------ C:\Program Files\tier0.dll
2008-04-18 21:14:21 839680 --a------ C:\Program Files\steamclient.dll <Not Verified; Valve Corporation; Steam>
2008-04-18 21:14:13 0 d-------- C:\Program Files\reslists
2008-04-18 21:14:13 0 d-------- C:\Program Files\platform
2008-04-18 21:14:13 0 d-------- C:\Program Files\garrysmod
2008-04-18 21:14:13 0 d-------- C:\Program Files\bin
2008-04-18 21:13:47 0 d-------- C:\Program Files\New Folder
2008-04-18 16:31:40 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Ventrilo
2008-04-18 16:31:29 0 d-------- C:\Program Files\Ventrilo
2008-04-18 16:31:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 16:20:19 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\SiteAdvisor
2008-04-18 15:34:58 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:34:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:22:55 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-04-18 15:22:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-18 15:22:51 0 d-------- C:\Program Files\SiteAdvisor
2008-04-18 15:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 15:18:38 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-04-18 15:15:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\WinRAR
2008-04-18 15:15:23 13277 --a------ C:\WINDOWS\snsys.dll
2008-04-18 15:15:23 38982 --a------ C:\WINDOWS\rsczsys.dll
2008-04-18 15:15:23 12558 --a------ C:\WINDOWS\gstcore.dll
2008-04-18 15:15:23 6017 --a------ C:\WINDOWS\assys.dll
2008-04-18 15:15:22 30559 --a------ C:\WINDOWS\mfnsys.dll
2008-04-18 15:15:22 40177 --a------ C:\WINDOWS\ffnsys.dll
2008-04-18 15:15:15 227851 --a------ C:\WINDOWS\uawin.dll
2008-04-18 15:15:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:15:04 1648016 -r-h----- C:\WINDOWS\EditSysHost.exe <Not Verified; ; DNS>
2008-04-17 23:14:20 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-17 23:10:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-17 23:10:52 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Mozilla
2008-04-17 23:10:00 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Xfire
2008-04-17 23:09:59 0 d-------- C:\Program Files\Xfire
2008-04-17 23:06:36 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-17 23:04:56 0 d-------- C:\Program Files\Activision
2008-04-17 23:01:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-17 22:55:54 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-17 22:48:14 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-17 22:48:14 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-17 22:48:14 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2008-04-17 22:48:13 147456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-04-17 22:48:13 651264 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-17 22:48:13 1396831 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2008-04-17 22:48:12 0 d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-04-17 22:47:36 0 d-------- C:\Linksys Driver
2008-04-17 22:24:32 0 d-------- C:\Program Files\uTorrent
2008-04-17 22:24:29 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\uTorrent
2008-04-17 22:19:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Macromedia
2008-04-17 22:19:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Adobe
2008-04-17 22:19:24 1339 --a------ C:\WINDOWS\mozver.dat
2008-04-17 22:18:39 0 d-------- C:\Program Files\LucasArts
2008-04-17 22:13:56 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-17 22:13:02 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\teamspeak2
2008-04-17 22:12:53 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\Templates <TEMPLA~1>
2008-04-17 21:51:42 0 dr------- C:\Documents and Settings\Isaac Praul\Start Menu <STARTM~1>
2008-04-17 21:51:42 0 dr-h----- C:\Documents and Settings\Isaac Praul\SendTo
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Recent
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\PrintHood <PRINTH~1>
2008-04-17 21:51:42 2097152 --ah----- C:\Documents and Settings\Isaac Praul\NTUSER.DAT
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\NetHood
2008-04-17 21:51:42 0 dr------- C:\Documents and Settings\Isaac Praul\My Documents <MYDOCU~1>
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\Local Settings <LOCALS~1>
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Favorites <FAVORI~1>
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Desktop
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Cookies
2008-04-17 21:51:42 0 dr-h----- C:\Documents and Settings\Isaac Praul\Application Data <APPLIC~1>
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Identities
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Ahead
2008-04-17 21:45:56 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-04-17 21:45:54 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-04-17 21:45:54 0 d-------- C:\Documents and Settings\Default User\Application Data\Ahead


-- Find3M Report ---------------------------------------------------------------

2008-04-20 11:26:15 0 d-------- C:\Program Files\Common Files
2008-04-18 17:54:32 0 d-------- C:\Program Files\McAfee
2008-04-18 16:24:20 0 d-------- C:\Program Files\AlienGUIse
2008-04-17 23:14:17 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 01:56 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/19/2007 12:09 PM]
"RTHDCPL"="RTHDCPL.EXE" [02/27/2006 05:28 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/23/2006 04:10 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 11:55 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"DSS"="C:\WINDOWS\EditSysHost.exe" [08/31/2007 11:11 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [03/30/2007 11:42 AM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [12/04/2005 08:38 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 08:39 PM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2006 09:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 08:04 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [04/19/2008 11:01 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/28/2005 12:03 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Isaac Praul\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [4/4/2008 5:30:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
OSCust.lnk - C:\WINDOWS\system32\oem\OSCust.exe [8/17/2007 4:53:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3cdc2eb-0ce8-11dd-895a-806d6172696f}]
AutoRun\command- D:\LaunchBFII.exe

*Newly Created Service* - OSE
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL



-- End of Deckard's System Scanner: finished at 2008-04-20 20:47:32 ------------

DSS extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 6000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 6000+
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 2047.48 MiB / 1202.48 MiB
Pagefile Memory (total/avail): 3940.15 MiB / 3271.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.29 MiB

C: is Fixed (NTFS) - 465.76 GiB total, 434.77 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST3500630AS - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.76 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
AUState says computer is ready and waiting.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Isaac Praul\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-515A28DAC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Isaac Praul
LOGONSERVER=\\OWNER-515A28DAC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ISAACP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ISAACP~1\LOCALS~1\Temp
USERDOMAIN=OWNER-515A28DAC
USERNAME=Isaac Praul
USERPROFILE=C:\Documents and Settings\Isaac Praul
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
[---------] (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AlienGUIse Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
Battlefront II Version Picker by EML --> MsiExec.exe /I{769E7389-2907-4951-BF63-7A8E583D9450}
BitTorrent --> C:\Program Files\BitTorrent\uninst.exe
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Canon iP4300 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300 /L0x0009
Canon iP4300 User Registration --> C:\Program Files\Canon\IJEREG\iP4300\UNINST.EXE
Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Setup Utility 2.3 --> "C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.3\uninst.ini
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
CoD RconTool 9.1 --> C:\Program Files\CoD RconTool\Uninstal.exe
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{8A64032F-FF5E-4AC9-ADF7-84E548B7C2B4}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Linksys Wireless-G PCI Network Adapter with SpeedBooster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{2BB34316-5C68-45C0-9656-64DF7F34F6BA}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee SiteAdvisor --> C:\Program Files\SiteAdvisor\6253\uninstall.exe
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Essentials --> MsiExec.exe /I{18039280-98B7-4C5E-AAC0-10EBC9731033}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{7B59BE72-68EF-400B-B08A-2860283A4FE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars Battlefront II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D374523-CFDE-461A-827E-2A102E2AB365}\Setup.exe" -l0x9 -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_9EA6D2FA46FEFFB7011ED0B6015B626D07F1EEF7\amdk8.inf
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Driver Package - AMD System (04/06/2006 1.0.1.0) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\amdaway_6BBB63755B7B133065E435E51557E416289081C4\amdaway.inf
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
Windows Live Toolbar --> MsiExec.exe /X{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{EE614F8D-267D-49CC-805B-FC08D94EDFE5}
Windows XP Media Center Edition 2005 KB888316 -->
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type185 / Warning
Event Submitted/Written: 04/20/2008 11:26:31 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type184 / Warning
Event Submitted/Written: 04/20/2008 11:26:31 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type161 / Error
Event Submitted/Written: 04/19/2008 07:33:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b413.
Processing media-specific event for [hl2.exe!ws!]

Event Record #/Type157 / Error
Event Submitted/Written: 04/19/2008 07:28:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b413.
Processing media-specific event for [hl2.exe!ws!]

Event Record #/Type156 / Error
Event Submitted/Written: 04/19/2008 07:09:55 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b413.
Processing media-specific event for [hl2.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1156 / Warning
Event Submitted/Written: 04/20/2008 02:11:36 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1063 / Warning
Event Submitted/Written: 04/20/2008 01:11:41 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Canon iP4300 for Windows NT x86 Version-3 was added or updated. Files:- CNMDR86.DLL, CNMUI86.DLL, CNMCP86.DLL, CNMMH86.CHM, CNMLR86.DLL, CNMCB86.DLL, CNMD586.DLL, CNMUR86.DLL, CNMSR86.DLL, CNMIN86.INI, CNMPI86.DLL, CNMSM86.DLL, CNMSS86.SMR, CNMSD86.DLL, CNMSQ86.DLL, CNMSH86.CHM, CNMUB86.DLL, CNMOP86.DLL, CNMSB86.DLL, CNB_2940.TBL, CNMP086.DAT, CNMP186.DAT, CNMP286.DAT, CNMFU86.DLL, CNMLH86.DLL, CNMPV86.DLL, CNMSE86.EXE, CNMVS86.DLL, CNMW386.DLL, CNMLR860.411, CNMUR860.411, CNMSR860.411, CNMMH860.411, CNMSH860.411.

Event Record #/Type1062 / Warning
Event Submitted/Written: 04/20/2008 01:09:59 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Canon iP4300 for Windows NT x86 Version-3 was added or updated. Files:- CNMDR86.DLL, CNMUI86.DLL, CNMCP86.DLL, CNMMH86.CHM, CNMLR86.DLL, CNMCB86.DLL, CNMD586.DLL, CNMUR86.DLL, CNMSR86.DLL, CNMIN86.INI, CNMPI86.DLL, CNMSM86.DLL, CNMSS86.SMR, CNMSD86.DLL, CNMSQ86.DLL, CNMSH86.CHM, CNMUB86.DLL, CNMOP86.DLL, CNMSB86.DLL, CNB_2940.TBL, CNMP086.DAT, CNMP186.DAT, CNMP286.DAT, CNMFU86.DLL, CNMLH86.DLL, CNMPV86.DLL, CNMSE86.EXE, CNMVS86.DLL, CNMW386.DLL, CNMLR860.411, CNMUR860.411, CNMSR860.411, CNMMH860.411, CNMSH860.411.

Event Record #/Type1044 / Warning
Event Submitted/Written: 04/20/2008 11:26:56 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type1034 / Warning
Event Submitted/Written: 04/20/2008 11:07:22 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-20 20:47:32 ------------

Spybot S&D

AdRevolver --- 1 entries
DoubleClick --- 2 entries
Hitbox --- 2 entries
MediaPlex --- 1 entries
Microsoft.WindowsSecurityCenter.AntivirusOverride --- 1 entries
Microsoft.WindowsSecurityCenter.FirewallOverride --- 1 entries
Munga_Bunga --- 9 entries
Statcounter --- 1 entries
WebTrends live --- 1 entries

Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 20, 2008 11:02:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/04/2008
Kaspersky Anti-Virus database records: 717772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 98612
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:44:18

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ISAACP~1\LOCALS~1\Temp\RarSFX0\_WinRAR.exe Infected: Backdoor.Win32.DSSdoor.d skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{137CEC32-5021-4E34-A3BF-E4D429F289E3}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\cert8.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\history.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\key3.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\parent.lock Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-20-2008( 20-11-35 ).LOG Object is locked skipped
C:\Documents and Settings\Isaac Praul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Temp\~DF9642.tmp Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Isaac Praul\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Teamspeak2_RC2\TSClient.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A92E69F7-EE8B-4AA2-89B9-6EABD3D173BF}\RP17\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\EditSysHost.exe Infected: Backdoor.Win32.DSSdoor.d skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B126C09D-5926-4672-A0CA-B88F94B8434A}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FFD28E47-4881-4065-8B95-D7B70688B196}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_EOLmSl3rLzC0wDk Object is locked skipped
C:\WINDOWS\Temp\mcafee_evtmFpSisKmT5pm Object is locked skipped
C:\WINDOWS\Temp\mcmsc_1cBWwaqrtDOIkZB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_E7ahNhCwBvQxbZx Object is locked skipped
C:\WINDOWS\Temp\mcmsc_gLyvJFgtSKPraa1 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_N90DcbAmUnKrMAJ Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_204.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by Mant!s, 20 April 2008 - 11:03 PM.
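
The two reports above are the raw material a helper would triage: Kaspersky's list mixes two genuinely flagged objects (both `Backdoor.Win32.DSSdoor.d`, one of them the DSS backup copy of a self-extracting `_WinRAR.exe`) with dozens of "Object is locked" lines that only mean a file was in use, and the HijackThis section of the DSS log lists the `O4` autorun entries that decide what launches at logon. The following Python script is an added example, not part of the original post and not code from BleepingComputer, Kaspersky, Trend Micro or Deckard's System Scanner. It parses both formats, drops the locked-object noise, and reports any Run entry whose target path Kaspersky flagged. The embedded sample lines are constructed from the logs in this thread; the regular expressions are assumptions about the two log layouts, not vendor parsers.

```python
"""Cross-check Kaspersky Online Scanner findings against HijackThis O4 entries.

Added example (not from the thread or any scanner vendor). Sample inputs are
constructed from the logs posted above; the regexes are assumptions about the
two formats.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Kaspersky Online Scanner report:
# "<path> Infected: <name> <action>" or "<path> Object is locked <action>".
KASPERSKY_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ISAACP~1\LOCALS~1\Temp\RarSFX0\_WinRAR.exe Infected: Backdoor.Win32.DSSdoor.d skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\WINDOWS\EditSysHost.exe Infected: Backdoor.Win32.DSSdoor.d skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Constructed sample of HijackThis O4 registry Run entries.
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Only lines with an actual verdict; "Object is locked" never matches.
KAV_LINE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)
# Registry Run/RunOnce entries only; "O4 - Startup:" shortcut lines are skipped.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<command>.*)$"
)
# A drive-qualified .exe at the start of the command, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)\b', re.IGNORECASE)


def parse_kaspersky(report: str) -> List[Dict[str, str]]:
    """Return the objects the scanner flagged; locked-object lines are dropped."""
    return [m.groupdict() for line in report.splitlines()
            if (m := KAV_LINE.match(line.strip()))]


def parse_autoruns(log: str) -> List[Dict[str, object]]:
    """Return O4 Run entries with the executable they launch pulled out."""
    entries = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group("command")
        p = EXE_PATH.match(cmd)
        entries.append({
            "hive": m.group("hive"),
            "label": m.group("label"),
            "command": cmd,
            # Bare names (RTHDCPL.EXE, RUNDLL32.EXE) are resolved through the
            # search path at logon, so they are recorded as unqualified.
            "exe": p.group("exe") if p else cmd.split()[0].strip('"'),
            "qualified": p is not None,
        })
    return entries


def correlate(report: str, log: str) -> List[Tuple[str, str, str]]:
    """(label, exe, malware name) for every Run entry whose target was flagged."""
    flagged = {h["path"].casefold(): h["name"] for h in parse_kaspersky(report)}
    hits = []
    for e in parse_autoruns(log):
        name = flagged.get(str(e["exe"]).casefold())
        if name:
            hits.append((str(e["label"]), str(e["exe"]), name))
    return hits


if __name__ == "__main__":
    for label, exe, name in correlate(KASPERSKY_REPORT, HIJACKTHIS_LOG):
        print(f"autorun [{label}] -> {exe} flagged as {name}")
    for e in parse_autoruns(HIJACKTHIS_LOG):
        if not e["qualified"]:
            print(f"unqualified autorun [{e['label']}]: {e['command']}")
```

Two caveats a practitioner would keep in mind when using this on a real log: the match is by exact path, so 8.3 short names such as `PROGRA~1` are not expanded and would need normalising first, and a Run entry that is a bare filename is listed separately rather than ignored, because whatever it resolves to depends on the search path at logon rather than on a fixed location.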



#2 DASOS
Malware hunter, Security Colleague, 1,662 posts
Location: Greece loutraki 6 km from korinth canal

Posted 06 May 2008 - 11:46 AM

Hello Mant!s

Welcome to Bleeping Computer!

Sorry about the delay. We're all volunteers here, and it's been very busy.

If you still need help, please post a new DSS.scan report to make sure nothing has changed. Please post only the main.txt report.


And I'll be happy to take a look at it for you.

Thanks for your patience.

#3 Mant!s (Topic Starter)
Members, 12 posts

Posted 06 May 2008 - 06:15 PM

Ok.

Deckard's System Scanner v20071014.68
Run by Isaac Praul on 2008-05-06 19:15:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Isaac Praul.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:09 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Isaac Praul\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ISAACP~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Documents and Settings\Isaac Praul\Desktop\Alcohol 120\Alcohol.120% 1.9.6.5429\crack\axcmd.exe" /automount
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10028 bytes

-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-05 18:52:12 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\InstallShield
2008-05-03 19:20:19 0 d-------- C:\Program Files\Bethesda Softworks
2008-05-03 17:03:02 0 d-------- C:\Program Files\PowerISO
2008-05-03 16:59:19 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-05-03 16:03:21 0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-03 15:45:39 0 d-------- C:\Program Files\TmNationsForever
2008-05-02 21:51:58 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\MySpace
2008-05-02 21:51:55 0 d-------- C:\Program Files\MySpace
2008-05-02 16:46:43 0 d-------- C:\Program Files\TrackMania Sunrise
2008-04-29 19:06:04 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Petroglyph
2008-04-29 18:48:40 0 d-------- C:\Program Files\Alcohol Soft
2008-04-28 16:29:18 0 d-------- C:\BF2_ModTools
2008-04-26 15:21:45 0 d-------- C:\Program Files\hl2
2008-04-26 15:20:59 106496 --a------ C:\Program Files\hl2.exe
2008-04-26 15:20:58 955392 --a------ C:\Program Files\Launcher.exe
2008-04-26 15:20:57 118784 --a------ C:\Program Files\vstdlib.dll
2008-04-26 15:20:57 61440 --a------ C:\Program Files\steam_api.dll
2008-04-26 15:20:55 229376 --a------ C:\Program Files\vstdlib_s.dll <Not Verified; Valve Corporation; Steam>
2008-04-26 15:20:55 241664 --a------ C:\Program Files\tier0_s.dll <Not Verified; ; tier0_s Dynamic Link Library>
2008-04-26 15:20:55 208896 --a------ C:\Program Files\tier0.dll
2008-04-26 15:20:54 839680 --a------ C:\Program Files\steamclient.dll <Not Verified; Valve Corporation; Steam>
2008-04-26 15:20:44 0 d-------- C:\Program Files\garrysmod
2008-04-26 15:06:06 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-26 15:06:03 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\DAEMON Tools
2008-04-25 11:35:09 103424 --a------ C:\WINDOWS\system32\SwitchBlade_nat.dll <Not Verified; Blue Orb; SwitchBlade>
2008-04-25 11:34:20 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-04-25 11:29:35 0 d-------- C:\Program Files\SwitchBlade
2008-04-25 11:29:07 0 d-------- C:\Program Files\Microsoft Xbox 360 Accessories
2008-04-23 16:30:59 73728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2008-04-23 16:30:59 69632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2008-04-23 16:30:59 0 d-------- C:\Program Files\Folding@Home
2008-04-20 20:48:35 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-20 20:48:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-20 20:26:43 0 d-------- C:\Program Files\Trend Micro
2008-04-20 20:15:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 20:11:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 20:11:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 20:11:30 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\SUPERAntiSpyware.com
2008-04-20 13:10:41 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-20 13:09:59 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-04-20 13:09:56 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-04-20 13:09:52 0 d--h----- C:\Program Files\CanonBJ
2008-04-20 13:08:34 0 d-------- C:\Program Files\Canon
2008-04-20 11:26:15 0 d-------- C:\Program Files\Common Files\L&H
2008-04-20 11:26:03 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-20 11:25:34 0 d-------- C:\Program Files\Microsoft Works
2008-04-20 11:25:10 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-20 11:24:55 0 d-------- C:\Program Files\Microsoft.NET
2008-04-19 15:44:46 0 d-------- C:\Program Files\CoD RconTool
2008-04-19 11:01:19 0 d-------- C:\Program Files\DNA
2008-04-19 11:01:18 0 d-------- C:\Program Files\BitTorrent
2008-04-19 11:01:18 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\DNA
2008-04-19 08:41:15 0 d-------- C:\Program Files\EML
2008-04-18 22:15:31 0 d-------- C:\reslists
2008-04-18 22:15:31 0 d-------- C:\platform
2008-04-18 22:15:31 0 d-------- C:\bin
2008-04-18 21:14:13 0 d-------- C:\Program Files\reslists
2008-04-18 21:14:13 0 d-------- C:\Program Files\platform
2008-04-18 21:14:13 0 d-------- C:\Program Files\bin
2008-04-18 21:13:47 0 d-------- C:\Program Files\New Folder
2008-04-18 16:31:40 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Ventrilo
2008-04-18 16:31:29 0 d-------- C:\Program Files\Ventrilo
2008-04-18 16:31:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 16:20:19 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\SiteAdvisor
2008-04-18 15:34:58 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:34:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:22:55 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-04-18 15:22:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-18 15:22:51 0 d-------- C:\Program Files\SiteAdvisor
2008-04-18 15:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 15:18:38 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-04-18 15:15:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\WinRAR
2008-04-18 15:15:23 13277 --a------ C:\WINDOWS\snsys.dll
2008-04-18 15:15:23 38982 --a------ C:\WINDOWS\rsczsys.dll
2008-04-18 15:15:23 12558 --a------ C:\WINDOWS\gstcore.dll
2008-04-18 15:15:23 6017 --a------ C:\WINDOWS\assys.dll
2008-04-18 15:15:22 30559 --a------ C:\WINDOWS\mfnsys.dll
2008-04-18 15:15:22 40177 --a------ C:\WINDOWS\ffnsys.dll
2008-04-18 15:15:15 227851 --a------ C:\WINDOWS\uawin.dll
2008-04-18 15:15:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:15:04 1648016 -r-h----- C:\WINDOWS\EditSysHost.exe <Not Verified; ; DNS>
2008-04-17 23:14:20 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-17 23:10:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-17 23:10:52 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Mozilla
2008-04-17 23:10:00 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Xfire
2008-04-17 23:09:59 0 d-------- C:\Program Files\Xfire
2008-04-17 23:06:36 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-17 23:04:56 0 d-------- C:\Program Files\Activision
2008-04-17 23:01:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-17 22:55:54 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-17 22:48:14 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-04-17 22:48:14 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-04-17 22:48:14 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2008-04-17 22:48:13 147456 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-04-17 22:48:13 651264 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-17 22:48:13 1396831 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2008-04-17 22:48:12 0 d-------- C:\Program Files\Linksys Wireless-G Wireless Network Monitor
2008-04-17 22:47:36 0 d-------- C:\Linksys Driver
2008-04-17 22:24:32 0 d-------- C:\Program Files\uTorrent
2008-04-17 22:24:29 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\uTorrent
2008-04-17 22:19:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Macromedia
2008-04-17 22:19:26 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Adobe
2008-04-17 22:19:24 1339 --a------ C:\WINDOWS\mozver.dat
2008-04-17 22:18:39 0 d-------- C:\Program Files\LucasArts
2008-04-17 22:13:56 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-17 22:13:02 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\teamspeak2
2008-04-17 22:12:53 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\Templates
2008-04-17 21:51:42 0 dr------- C:\Documents and Settings\Isaac Praul\Start Menu
2008-04-17 21:51:42 0 dr-h----- C:\Documents and Settings\Isaac Praul\SendTo
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Recent
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\PrintHood
2008-04-17 21:51:42 3145728 --ah----- C:\Documents and Settings\Isaac Praul\NTUSER.DAT
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\NetHood
2008-04-17 21:51:42 0 dr------- C:\Documents and Settings\Isaac Praul\My Documents
2008-04-17 21:51:42 0 d--h----- C:\Documents and Settings\Isaac Praul\Local Settings
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Favorites
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Desktop
2008-04-17 21:51:42 0 d---s---- C:\Documents and Settings\Isaac Praul\Cookies
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Identities
2008-04-17 21:51:42 0 d-------- C:\Documents and Settings\Isaac Praul\Application Data\Ahead
2008-04-17 21:45:56 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-04-17 21:45:54 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-04-17 21:45:54 0 d-------- C:\Documents and Settings\Default User\Application Data\Ahead


-- Find3M Report ---------------------------------------------------------------

2008-05-05 18:53:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 11:26:15 0 d-------- C:\Program Files\Common Files
2008-04-18 17:54:32 0 d-------- C:\Program Files\McAfee
2008-04-18 16:24:20 0 d-------- C:\Program Files\AlienGUIse


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 01:56 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/19/2007 12:09 PM]
"RTHDCPL"="RTHDCPL.EXE" [02/27/2006 05:28 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/23/2006 04:10 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 11:55 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"DSS"="C:\WINDOWS\EditSysHost.exe" [08/31/2007 11:11 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [03/30/2007 11:42 AM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [12/04/2005 08:38 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 08:39 PM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2006 09:30 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [09/26/2007 06:05 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [03/14/2008 07:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 08:04 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [04/19/2008 11:01 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/28/2005 12:03 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"AlcoholAutomount"="C:\Documents and Settings\Isaac Praul\Desktop\Alcohol 120\Alcohol.120% 1.9.6.5429\crack\axcmd.exe" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [04/17/2008 07:27 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 05:39 AM]

C:\Documents and Settings\Isaac Praul\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [4/22/2008 6:29:52 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
OSCust.lnk - C:\WINDOWS\system32\oem\OSCust.exe [8/17/2007 4:53:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3cdc2eb-0ce8-11dd-895a-806d6172696f}]
AutoRun\command- D:\LaunchBFII.exe




-- End of Deckard's System Scanner: finished at 2008-05-06 19:15:32 ------------

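The DSS listing above is long, and the lines the helper eventually asks to move (a burst of vendor-less DLLs and a hidden, read-only EditSysHost.exe dropped straight into C:\WINDOWS on 2008-04-18 at 15:15, plus the Run value "DSS" that launches it) are what a triage script would pick out. The Python below is an added example for this thread; it is not part of Deckard's System Scanner, OTMoveIt2 or SDFix and was not posted by anyone here. It assumes the DSS line format as it appears in the log (date, time, size, nine attribute flags, path, optional "<Not Verified; vendor; description>" tag) and applies three heuristics of the editor's own choosing: a binary in the Windows root with no vendor in its version info, a hidden executable, and three or more vendor-less binaries created in one directory within a minute. The sample lines are a constructed subset of the log above.

```python
"""Triage of a Deckard's System Scanner (DSS) file listing, as an added example
for this thread (not part of DSS, OTMoveIt2 or SDFix). Sample lines below are a
constructed subset of the log posted above."""
import re
from collections import defaultdict
from datetime import datetime

DSS_FILES = r"""
2008-04-26 15:20:57 118784 --a------ C:\Program Files\vstdlib.dll
2008-04-20 13:10:41 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield unInstaller>
2008-04-18 15:15:23 13277 --a------ C:\WINDOWS\snsys.dll
2008-04-18 15:15:23 38982 --a------ C:\WINDOWS\rsczsys.dll
2008-04-18 15:15:23 12558 --a------ C:\WINDOWS\gstcore.dll
2008-04-18 15:15:23 6017 --a------ C:\WINDOWS\assys.dll
2008-04-18 15:15:22 30559 --a------ C:\WINDOWS\mfnsys.dll
2008-04-18 15:15:22 40177 --a------ C:\WINDOWS\ffnsys.dll
2008-04-18 15:15:15 227851 --a------ C:\WINDOWS\uawin.dll
2008-04-18 15:15:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:15:04 1648016 -r-h----- C:\WINDOWS\EditSysHost.exe <Not Verified; ; DNS>
"""
DSS_RUN_KEYS = r"""
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/19/2007 12:09 PM]
"DSS"="C:\WINDOWS\EditSysHost.exe" [08/31/2007 11:11 PM]
"""
# date time size attribute-flags path [<Not Verified; vendor; description>]
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ "
                     r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <(?P<tag>[^>]*)>)?$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")
WINDOWS_ROOT = "C:\\WINDOWS"

def parse_listing(text):
    """DSS file lines -> dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # DSS prints "<Not Verified; vendor; description>" only when the file
        # carries version info, so a missing tag also means no vendor.
        parts = [p.strip() for p in (m.group("tag") or "").split(";")]
        directory, _, name = m.group("path").rpartition("\\")
        entries.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                        "path": m.group("path"), "dir": directory.upper(),
                        "binary": m.group("attrs")[0] != "d" and name.lower().endswith(EXEC_EXT),
                        "hidden": "h" in m.group("attrs"), "vendor": parts[1] if len(parts) > 1 else ""})
    return entries

def flag_binaries(entries):
    """Per-file reasons: vendor-less binary in the Windows root, hidden binary."""
    findings = defaultdict(list)
    for e in (e for e in entries if e["binary"]):
        if e["dir"] == WINDOWS_ROOT and not e["vendor"]:
            findings[e["path"]].append("unattributed binary in Windows root")
        if e["hidden"]:
            findings[e["path"]].append("hidden attribute on executable")
    return dict(findings)

def drop_clusters(entries, window_seconds=60, min_count=3):
    """Bursts of vendor-less binaries created in one directory inside the window."""
    by_dir = defaultdict(list)
    for e in entries:
        if e["binary"] and not e["vendor"]:
            by_dir[e["dir"]].append(e)
    clusters = []
    for group in by_dir.values():
        group.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(group):
            j = i  # grow the window while the next file is still close enough in time
            while (j + 1 < len(group) and
                   (group[j + 1]["ts"] - group[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= min_count:
                clusters.append([e["path"] for e in group[i:j + 1]])
                i = j + 1
            else:
                i += 1
    return clusters

def autorun_hits(run_text, flagged_paths):
    """Run-key values whose command is exactly one of the flagged files."""
    wanted = {p.upper() for p in flagged_paths}
    return [(m.group("name"), m.group("cmd"))
            for m in map(RUN_RE.match, run_text.splitlines())
            if m and m.group("cmd").upper() in wanted]

def triage(files_text=DSS_FILES, run_text=DSS_RUN_KEYS):
    entries = parse_listing(files_text)
    flagged = flag_binaries(entries)
    clusters = drop_clusters(entries)
    for cluster in clusters:
        for path in cluster:
            flagged.setdefault(path, []).append("one of %d binaries created within a minute" % len(cluster))
    return {"flagged": flagged, "clusters": clusters, "autoruns": autorun_hits(run_text, flagged)}

if __name__ == "__main__":
    for path, reasons in sorted(triage()["flagged"].items()):
        print(path, "->", "; ".join(reasons))
```

Run against the sample, `triage()` flags exactly the eight files DASOS lists for OTMoveIt2 and ties the "DSS" Run value to EditSysHost.exe, while IsUninst.exe (vendor present) and the Program Files DLL stay clear. The burst check is a lead, not a verdict: a legitimate installer also drops several files at once, so the same pass over the full log would cluster the Steam runtime in C:\Program Files, and an analyst dismisses that by context.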
#4 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:03:08 PM

Posted 07 May 2008 - 01:25 PM

Hi Mant!s

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\snsys.dll
    C:\WINDOWS\rsczsys.dll
    C:\WINDOWS\gstcore.dll
    C:\WINDOWS\assys.dll
    C:\WINDOWS\mfnsys.dll
    C:\WINDOWS\ffnsys.dll
    C:\WINDOWS\uawin.dll
    C:\WINDOWS\EditSysHost.exe



  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back

The OTMoveIt report
The SDFix Report.txt
The Kaspersky log

#5 Mant!s

Mant!s
  • Topic Starter

  • Members
  • 12 posts
  • Local time:09:08 AM

Posted 07 May 2008 - 03:31 PM

Here ya go!
In order of
OTMoveIt
SDFix
Kaspersky
TM

LoadLibrary failed for C:\WINDOWS\snsys.dll
C:\WINDOWS\snsys.dll NOT unregistered.
C:\WINDOWS\snsys.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\rsczsys.dll
C:\WINDOWS\rsczsys.dll NOT unregistered.
C:\WINDOWS\rsczsys.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\gstcore.dll
C:\WINDOWS\gstcore.dll NOT unregistered.
C:\WINDOWS\gstcore.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\assys.dll
C:\WINDOWS\assys.dll NOT unregistered.
C:\WINDOWS\assys.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mfnsys.dll
C:\WINDOWS\mfnsys.dll NOT unregistered.
C:\WINDOWS\mfnsys.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ffnsys.dll
C:\WINDOWS\ffnsys.dll NOT unregistered.
C:\WINDOWS\ffnsys.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\uawin.dll
C:\WINDOWS\uawin.dll NOT unregistered.
C:\WINDOWS\uawin.dll moved successfully.
C:\WINDOWS\EditSysHost.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_152021
SDFix: Version 1.180
Run by Isaac Praul on Wed 05/07/2008 at 03:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 15:33:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:14,49,1e,36,ca,86,2b,74,a7,40,df,97,99,95,49,f7,e7,cc,60,58,bc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:f9,e6,31,60,9f,36,0a,68,6f,45,fc,65,55,bf,c8,12,03,80,4d,15,0b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,58,b6,b1,a6,18,b7,a3,c5,58,7d,e6,95,dc,d3,03,af,7e,..
"khjeh"=hex:6a,7e,1d,78,f9,0c,a0,24,27,d3,c3,27,68,c6,28,c2,99,fd,e9,9e,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,bd,a2,b1,ed,dd,fb,4e,d3,d0,68,e3,c2,d8,0e,78,f8,7d,03,1c,a7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:14,49,1e,36,ca,86,2b,74,a7,40,df,97,99,95,49,f7,e7,cc,60,58,bc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:f9,e6,31,60,9f,36,0a,68,6f,45,fc,65,55,bf,c8,12,03,80,4d,15,0b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,58,b6,b1,a6,18,b7,a3,c5,58,7d,e6,95,dc,d3,03,af,7e,..
"khjeh"=hex:6a,7e,1d,78,f9,0c,a0,24,27,d3,c3,27,68,c6,28,c2,99,fd,e9,9e,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,bd,a2,b1,ed,dd,fb,4e,d3,d0,68,e3,c2,d8,0e,78,f8,7d,03,1c,a7,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Petroglyph"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe:*:Enabled:Star Wars™: Battlefront™"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 4 Oct 2004 417,792 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe"
Tue 11 May 2004 61,440 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.3\uinstrsc.dll"
Tue 6 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Fri 31 Aug 2007 1,648,016 A..HR --- "C:\_OTMoveIt\MovedFiles\05072008_152021\WINDOWS\EditSysHost.exe"

Finished!


Wednesday, May 07, 2008 4:27:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/05/2008
Kaspersky Anti-Virus database records: 744998
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 106767
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:40:15

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080506191500\backup\DOCUME~1\ISAACP~1\LOCALS~1\Temp\RarSFX0\_WinRAR.exe Infected: Backdoor.Win32.DSSdoor.d skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{137CEC32-5021-4E34-A3BF-E4D429F289E3}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\cert8.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\history.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\key3.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\parent.lock Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Isaac Praul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-5-7-2008( 15-36-23 ).LOG Object is locked skipped
C:\Documents and Settings\Isaac Praul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz06swms.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Temp\~DF1CCA.tmp Object is locked skipped
C:\Documents and Settings\Isaac Praul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isaac Praul\My Documents\Downloads\PowerISO v4.0.zip/PowerISO40.exe/data0000.cab/is153196.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Documents and Settings\Isaac Praul\My Documents\Downloads\PowerISO v4.0.zip/PowerISO40.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Documents and Settings\Isaac Praul\My Documents\Downloads\PowerISO v4.0.zip/PowerISO40.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Documents and Settings\Isaac Praul\My Documents\Downloads\PowerISO v4.0.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Isaac Praul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Isaac Praul\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080507-153124.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A92E69F7-EE8B-4AA2-89B9-6EABD3D173BF}\RP32\A0019031.exe Infected: not-a-virus:AdWare.Win32.Shopper.r skipped
C:\System Volume Information\_restore{A92E69F7-EE8B-4AA2-89B9-6EABD3D173BF}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D7AD87-4656-4B3B-9B01-A330B2DFAC9F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_kbIbcAgu7OPrX5D Object is locked skipped
C:\WINDOWS\Temp\mcmsc_igtDio9rOaXNSki Object is locked skipped
C:\WINDOWS\Temp\mcmsc_K9uh0yUwwyoHQLV Object is locked skipped
C:\WINDOWS\Temp\mcmsc_q1mPz17YeaIwMKh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_rHFknkNOMVkfldW Object is locked skipped
C:\WINDOWS\Temp\mcmsc_yUfscp3nGiRuGLY Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\05072008_152021\WINDOWS\EditSysHost.exe Infected: Backdoor.Win32.DSSdoor.d skipped


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:21 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Xfire\xfire.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Documents and Settings\Isaac Praul\Desktop\Alcohol 120\Alcohol.120% 1.9.6.5429\crack\axcmd.exe" /automount
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--

#6 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 07 May 2008 - 04:24 PM

Using Windows Explorer (right-click on Start, click on Explore), I need you to DELETE the following folder and all of its content, if still present:

C:\Documents and Settings\Isaac Praul\My Documents\Downloads\PowerISO v4.0.zip <-- Folder


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


You were infected with a dangerous piece of malware ( http://research.sunbelt-software.com/threa...threatid=169957 ) with backdoor capabilities, giving intruders complete control of your computer. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to alert them to your situation.

Please read these for more information:

What is a backdoor or remote access trojan? Read this article. Danger: Remote Access Trojans

http://www.microsoft.com/technet/security/...o/virusrat.mspx

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451


Downloading cracked programs can lead to this infection. You can find free alternatives here:
http://www.bleepingcomputer.com/forums/topic3616.html

#7 Mant!s
  • Topic Starter
  • Members
  • 12 posts

Posted 08 May 2008 - 12:15 PM

I use Firefox to surf the web and keep track of my various accounts and passwords; none of these sites lead to anything monetary, since this is my gaming computer. To the point: is the Firefox Password Manager secure, or is there a better password-rememberer that works with Firefox? I looked at the list you gave me, but I don't know which supports what or what is more secure than others.

Malwarebytes' Anti-Malware 1.12
Database version: 731

Scan type: Quick Scan
Objects scanned: 40414
Time elapsed: 8 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Mant!s, 08 May 2008 - 12:22 PM.


#8 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 08 May 2008 - 02:20 PM

I use Firefox to surf the web and keep track of my various accounts and passwords; none of these sites lead to anything monetary, since this is my gaming computer. To the point: is the Firefox Password Manager secure, or is there a better password-rememberer that works with Firefox?

Not really sure, better start a new topic here: http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/

I looked at the list you gave me, but I don't know which supports what or what is more secure than others.

These programs are free; you don't have to crack them to use them. You can find a free alternative to PowerISO v4.0 and to Alcohol 120 (Alcohol.120% 1.9.6.5429\crack\axcmd.exe).


Please visit the online Jotti Virus Scanner (link).
  • Click on the button to choose a file.
  • Copy and paste the following filepath in the box:

    C:\WINDOWS\system32\oem\OSCust.exe

    C:\WINDOWS\EditSysHost.exe

  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html

And a new HijackThis log.

#9 Mant!s
  • Topic Starter
  • Members
  • 12 posts

Posted 09 May 2008 - 02:14 PM

Jotti said the first file was clean, but the second file could not be found, or did not exist. I don't know if somehow I did it incorrectly or something.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:37 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Documents and Settings\Isaac Praul\Desktop\Alcohol 120\Alcohol.120% 1.9.6.5429\crack\axcmd.exe" /automount
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10147 bytes
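
Both HijackThis logs in this thread list `O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe`, while the Kaspersky log flagged the quarantined copy of that file under C:\_OTMoveIt as Backdoor.Win32.DSSdoor.d and Jotti could not find the file at its original path: the Run value outlived the file it pointed to, which is exactly the kind of orphaned autorun entry a responder wants surfaced automatically. The Python script below is an added example written for this page; it is not part of the thread, nor code from HijackThis or any scanner. It parses O4 lines, works out which file each one actually launches (including the DLL behind a rundll32 command), and flags entries whose target is absent from disk or whose file name matches a scanner detection. The sample lines are taken from the logs above, the "files on disk" set is a constructed stand-in for a real file-system check, and the function names (`extract_target`, `parse_o4`, `audit`, `flagged`) are my own.

```python
"""Cross-check HijackThis O4 autorun entries against scanner findings.
Added example, not part of the forum thread and not HijackThis code."""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the 9 May HijackThis log above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\EditSysHost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: OSCust.lnk = C:\WINDOWS\system32\oem\OSCust.exe
""".strip().splitlines()

# Constructed sample: the one "Infected:" line from the Kaspersky log above.
SCANNER_LINES = [
    r"C:\_OTMoveIt\MovedFiles\05072008_152021\WINDOWS\EditSysHost.exe Infected: Backdoor.Win32.DSSdoor.d skipped",
]

# Constructed stand-in for os.path.exists(): C:\WINDOWS\EditSysHost.exe is
# deliberately absent because OTMoveIt had already quarantined it.
FILES_ON_DISK = {p.lower() for p in (
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"C:\Program Files\DAEMON Tools Lite\daemon.exe",
    r"C:\WINDOWS\system32\oem\OSCust.exe",
)}

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
SCANNER_HIT = re.compile(r"^(.+?) Infected: (\S+)")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
PROGRAM = re.compile(r"^(.+?\.(?:exe|com|scr|lnk))(?=[\s,]|$)", re.IGNORECASE)


@dataclass
class AutorunEntry:
    location: str                 # HKLM, HKCU, Startup or Global Startup
    name: str                     # registry value name or .lnk file name
    command: str                  # command exactly as HijackThis printed it
    target: str                   # file the command really loads
    reasons: list = field(default_factory=list)


def extract_target(command: str) -> str:
    """Return the file a Run value launches: values may be quoted, carry
    switches, load a DLL through rundll32, or omit the directory entirely
    (RTHDCPL.EXE is resolved via PATH at logon)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = PROGRAM.match(command)
    if m is None:
        return command.split()[0]
    if m.group(1).lower().endswith("rundll32.exe"):
        # The DLL after rundll32 is what actually runs: "path.dll,EntryPoint"
        return command[m.end():].strip().split(",", 1)[0].strip().strip('"')
    return m.group(1)


def parse_o4(lines):
    """Turn HijackThis O4 lines into AutorunEntry objects; other lines are ignored."""
    entries = []
    for line in lines:
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            location, name, command = m.groups()
            entries.append(AutorunEntry(location, name, command, extract_target(command)))
    return entries


def parse_scanner_hits(lines):
    """Map lowercase file name -> detection name for every 'Infected:' line."""
    hits = {}
    for line in lines:
        m = SCANNER_HIT.match(line)
        if m:
            path, detection = m.groups()
            hits[path.rsplit("\\", 1)[-1].lower()] = detection
    return hits


def audit(hjt_lines, scanner_lines, files_on_disk):
    """Attach a reason to every autorun entry a responder should look at."""
    hits = parse_scanner_hits(scanner_lines)
    entries = parse_o4(hjt_lines)
    for e in entries:
        base = e.target.rsplit("\\", 1)[-1].lower()
        if base in hits:
            e.reasons.append(f"file name matches scanner detection {hits[base]}")
        # Only absolute paths are checked; bare names and %env% paths are
        # resolved at logon and would need expansion first.
        if DRIVE_PATH.match(e.target) and e.target.lower() not in files_on_disk:
            e.reasons.append("target missing from disk (orphaned autorun entry)")
    return entries


def flagged(hjt_lines=HJT_LINES, scanner_lines=SCANNER_LINES, files_on_disk=FILES_ON_DISK):
    """Return only the entries that picked up at least one reason."""
    return [e for e in audit(hjt_lines, scanner_lines, files_on_disk) if e.reasons]


if __name__ == "__main__":
    for e in flagged():
        print(f"{e.location} [{e.name}] -> {e.target}")
        for reason in e.reasons:
            print("    ", reason)
```

Run as-is, only the [DSS] value is reported, with both reasons attached. Against a live machine, FILES_ON_DISK would be replaced by a real existence check after expanding environment variables, and the detection list by whatever the scanner actually logged; the matching on file name rather than full path is intentional, since quarantine tools move the file but leave the Run value behind.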

#10 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 10 May 2008 - 04:59 AM

Hi Mant!s

Please download ComboFix.exe. Visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we may continue cleaning the system.


#11 Mant!s
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2008 - 09:55 AM

I cannot install the Recovery Console; I do not have my installer disc, and I run XP Media Center Edition SP2, and they don't have a download for that, if I am correct.

#12 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 11 May 2008 - 11:07 AM

XP Media Center Edition is based on XP Pro.

Windows XP Professional SP2 is the correct one. :thumbsup:

#13 Mant!s
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2008 - 02:15 PM

Ok. However, I'm a little concerned by the "Roughly 1/100 machines don't make it through the cleaning process." Does that mean that it will totally screw up your computer, or just that it won't fix anything?

#14 DASOS

    Malware hunter

  • Security Colleague
  • 1,662 posts
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal

Posted 11 May 2008 - 02:50 PM

It's safe to run it on your comp. :thumbsup:

#15 Mant!s
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2008 - 04:30 PM

ComboFix 08-05-11.1 - Isaac Praul 2008-05-11 16:47:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1460 [GMT -4:00]
Running from: C:\Documents and Settings\Isaac Praul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Isaac Praul\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\readme-net.doc

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 14:53 . 2008-05-11 14:54 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-10 20:49 . 2008-05-10 21:00 <DIR> d-------- C:\Program Files\AutoMacroRecorder
2008-05-10 20:46 . 2008-05-10 20:46 215,144 --a------ C:\WINDOWS\patchw32.dll
2008-05-10 20:39 . 2008-05-10 20:39 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-05-10 20:39 . 2008-05-10 20:39 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-10 20:38 . 2008-05-10 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\THQ
2008-05-10 20:23 . 2008-05-10 20:23 <DIR> d-------- C:\Program Files\THQ
2008-05-10 10:20 . 2008-05-10 10:20 <DIR> d-------- C:\Program Files\PC Wizard 2008
2008-05-10 10:20 . 2007-09-15 15:11 27,136 --a------ C:\WINDOWS\system32\PCWizard.cpl
2008-05-09 23:21 . 2008-05-11 11:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 23:21 . 2008-05-09 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 23:20 . 2008-05-09 23:20 <DIR> d-------- C:\Program Files\iTunes
2008-05-09 23:20 . 2008-05-09 23:20 <DIR> d-------- C:\Program Files\iPod
2008-05-09 23:20 . 2008-05-09 23:20 <DIR> d-------- C:\Program Files\Bonjour
2008-05-09 23:20 . 2008-05-09 23:20 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\Apple Computer
2008-05-09 23:19 . 2008-05-09 23:19 <DIR> d-------- C:\Program Files\QuickTime
2008-05-09 23:19 . 2008-05-09 23:19 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-09 23:19 . 2008-05-09 23:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-09 23:19 . 2008-05-09 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-09 23:19 . 2008-05-09 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-08 14:55 . 2008-05-08 14:55 <DIR> d-------- C:\Program Files\PowerCrypt 2000
2008-05-08 14:20 . 2008-05-08 14:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-08 13:37 . 2008-05-08 14:55 249,856 --------- C:\WINDOWS\Setup1.exe
2008-05-08 13:37 . 2008-05-08 14:55 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-08 13:06 . 2008-05-08 13:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 13:06 . 2008-05-08 13:06 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\Malwarebytes
2008-05-08 13:06 . 2008-05-08 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 13:06 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 13:06 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-07 15:26 . 2008-05-07 15:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-07 15:22 . 2008-05-07 15:36 <DIR> d-------- C:\SDFix
2008-05-07 15:20 . 2008-05-07 15:20 <DIR> d-------- C:\_OTMoveIt
2008-05-05 18:52 . 2008-05-05 18:52 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\InstallShield
2008-05-03 19:29 . 2008-05-09 21:32 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-05-03 19:20 . 2008-05-03 19:20 <DIR> d-------- C:\Program Files\Bethesda Softworks
2008-05-03 16:59 . 2008-05-03 19:17 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-05-03 16:03 . 2008-05-11 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-03 15:45 . 2008-05-03 15:46 <DIR> d-------- C:\Program Files\TmNationsForever
2008-05-02 21:51 . 2008-05-02 21:51 <DIR> d-------- C:\Program Files\MySpace
2008-05-02 21:51 . 2008-05-02 21:51 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\MySpace
2008-05-02 16:59 . 2008-05-02 16:59 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-05-02 16:59 . 2008-05-02 16:59 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-05-02 16:46 . 2008-05-02 16:53 <DIR> d-------- C:\Program Files\TrackMania Sunrise
2008-04-29 19:06 . 2008-04-29 19:06 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\Petroglyph
2008-04-29 18:48 . 2008-04-29 18:48 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-28 16:29 . 2008-04-29 16:08 <DIR> d-------- C:\BF2_ModTools
2008-04-26 15:21 . 2008-04-26 15:22 <DIR> d-------- C:\Program Files\hl2
2008-04-26 15:20 . 2008-04-26 17:11 <DIR> d-------- C:\Program Files\garrysmod
2008-04-26 15:20 . 2006-12-09 14:19 955,392 --a------ C:\Program Files\Launcher.exe
2008-04-26 15:20 . 2006-05-25 13:24 839,680 --a------ C:\Program Files\steamclient.dll
2008-04-26 15:20 . 2006-05-25 13:24 241,664 --a------ C:\Program Files\tier0_s.dll
2008-04-26 15:20 . 2006-05-25 13:24 229,376 --a------ C:\Program Files\vstdlib_s.dll
2008-04-26 15:20 . 2006-05-25 13:24 208,896 --a------ C:\Program Files\tier0.dll
2008-04-26 15:20 . 2006-05-25 13:24 118,784 --a------ C:\Program Files\vstdlib.dll
2008-04-26 15:20 . 2006-12-09 11:32 106,496 --a------ C:\Program Files\hl2.exe
2008-04-26 15:20 . 2006-05-25 13:24 61,440 --a------ C:\Program Files\steam_api.dll
2008-04-26 15:06 . 2008-04-26 15:06 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\DAEMON Tools
2008-04-26 15:06 . 2008-04-26 15:06 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-25 11:35 . 2008-04-25 11:35 103,424 --a------ C:\WINDOWS\system32\SwitchBlade_nat.dll
2008-04-25 11:29 . 2008-04-25 11:29 <DIR> d-------- C:\Program Files\SwitchBlade
2008-04-25 11:29 . 2008-04-25 11:40 <DIR> d-------- C:\Program Files\Microsoft Xbox 360 Accessories
2008-04-25 11:29 . 2007-02-26 17:15 1,421,216 --a------ C:\WINDOWS\system32\WdfCoInstaller01001.dll
2008-04-25 11:29 . 2007-02-26 17:15 61,984 --a------ C:\WINDOWS\system32\drivers\xusb21.sys
2008-04-23 16:30 . 2008-04-27 22:00 <DIR> d-------- C:\Program Files\Folding@Home
2008-04-23 16:30 . 2002-04-18 18:50 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2008-04-23 16:30 . 2002-01-16 03:27 69,632 --a------ C:\WINDOWS\system32\Copy of GkSui18.EXE
2008-04-22 18:29 . 2008-04-22 18:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-20 20:48 . 2008-04-20 20:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-20 20:48 . 2008-04-20 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-20 20:46 . 2008-04-20 20:46 <DIR> d-------- C:\Deckard
2008-04-20 20:26 . 2008-04-20 20:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 20:15 . 2008-04-20 20:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 20:15 . 2008-04-20 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 20:11 . 2008-04-21 15:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 20:11 . 2008-04-20 20:11 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\SUPERAntiSpyware.com
2008-04-20 20:11 . 2008-04-20 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 13:56 . 2008-04-20 13:56 319 --a------ C:\WINDOWS\game.ini
2008-04-20 13:10 . 2003-09-18 14:32 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-20 13:10 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-20 13:09 . 2008-04-20 13:09 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-04-20 13:09 . 2008-04-20 13:09 <DIR> d--h----- C:\Program Files\CanonBJ
2008-04-20 13:09 . 2008-04-20 13:09 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-04-20 13:09 . 2006-05-01 01:00 161,792 --a------ C:\WINDOWS\system32\CNMLM86.DLL
2008-04-20 13:08 . 2008-04-20 13:12 <DIR> d-------- C:\Program Files\Canon
2008-04-20 13:07 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-20 13:07 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-20 11:27 . 2008-04-20 11:27 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-20 11:26 . 2008-04-20 11:26 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-20 11:26 . 2008-04-20 11:26 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-20 11:26 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-04-20 11:25 . 2008-04-20 11:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-20 11:25 . 2008-04-20 11:25 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-20 11:24 . 2008-04-20 11:24 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-19 15:44 . 2008-04-19 15:44 <DIR> d-------- C:\Program Files\CoD RconTool
2008-04-19 11:01 . 2008-04-19 11:01 <DIR> d-------- C:\Program Files\DNA
2008-04-19 11:01 . 2008-04-19 11:01 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-19 11:01 . 2008-05-11 16:46 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\DNA
2008-04-19 08:41 . 2008-04-19 08:41 <DIR> d-------- C:\Program Files\EML
2008-04-18 22:15 . 2008-04-18 22:15 <DIR> d-------- C:\reslists
2008-04-18 22:15 . 2008-04-18 22:15 <DIR> d-------- C:\platform
2008-04-18 22:15 . 2008-04-18 22:15 <DIR> d-------- C:\bin
2008-04-18 21:14 . 2008-04-18 21:14 <DIR> d-------- C:\Program Files\reslists
2008-04-18 21:14 . 2008-04-18 21:14 <DIR> d-------- C:\Program Files\platform
2008-04-18 21:14 . 2008-04-18 21:14 <DIR> d-------- C:\Program Files\bin
2008-04-18 21:13 . 2008-04-18 21:13 <DIR> d-------- C:\Program Files\New Folder
2008-04-18 16:31 . 2008-04-18 16:31 <DIR> d-------- C:\Program Files\Ventrilo
2008-04-18 16:31 . 2008-05-10 20:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 16:31 . 2008-04-18 16:32 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\Ventrilo
2008-04-18 16:24 . 2005-02-01 15:20 5,760,056 --a------ C:\WINDOWS\Darkstar.bmp
2008-04-18 16:20 . 2008-04-18 17:54 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\SiteAdvisor
2008-04-18 15:34 . 2008-04-18 15:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:34 . 2008-04-18 15:35 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:22 . 2008-04-18 15:22 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-04-18 15:22 . 2008-04-19 00:43 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-18 15:22 . 2008-04-18 15:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-18 15:22 . 2008-04-19 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 15:18 . 2008-05-10 20:40 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-18 15:15 . 2008-05-07 15:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 23:14 . 2008-05-11 11:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-17 23:14 . 2008-05-11 12:10 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-04-17 23:14 . 2008-04-20 14:00 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-04-17 23:14 . 2008-05-11 12:10 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-17 23:14 . 2008-04-20 13:56 22,328 --a------ C:\Documents and Settings\Isaac Praul\Application Data\PnkBstrK.sys
2008-04-17 23:10 . 2008-05-11 16:44 <DIR> d-------- C:\Documents and Settings\Isaac Praul\Application Data\Xfire
2008-04-17 23:10 . 2006-03-20 23:23 23,040 --------- C:\WINDOWS\kb913800.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 00:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 21:54 --------- d-----w C:\Program Files\McAfee
2008-04-18 20:24 --------- d-----w C:\Program Files\AlienGUIse
2008-04-18 02:48 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 13:02 289088]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-12-28 12:03 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AlcoholAutomount"="C:\Documents and Settings\Isaac Praul\Desktop\Alcohol 120\Alcohol.120% 1.9.6.5429\crack\axcmd.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 19:27 9117696]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-19 12:09 8523776]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 05:28 16005120 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 16:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 23:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 11:42 36904]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 20:38 437008]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 20:39 461584]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 21:30 1191936]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Isaac Praul\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-22 18:29:52 2998608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
OSCust.lnk - C:\WINDOWS\system32\oem\OSCust.exe [2007-08-17 16:53:44 67072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=

R1 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 21:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchBFII.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 03:19:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 20:28:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-20 14:18:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-20 14:18:52 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 16:49:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 16:49:58
ComboFix-quarantined-files.txt 2008-05-11 20:49:56

Pre-Run: 442,001,694,720 bytes free
Post-Run: 442,013,122,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

259 --- E O F --- 2008-04-26 17:28:19



