
Cant Get Rid Of Virus


  • This topic is locked
9 replies to this topic

#1 systemrestore

systemrestore

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 11 July 2008 - 01:54 AM

I think my svchost is infected with a virus. Every once in a while the virus keeps installing itself into a restore point. AVG was telling me at some point that svchost was infected and said it cleaned it, but I don't know. HijackThis log included, but I don't see any issues. The original program that caused the issue is long gone; does anyone know where it's hiding? My thought is to set up a slave drive and copy all data but Windows, but what I'd really like to do is use a Knoppix Linux live CD, delete svchost and reinstall it. So if anyone has svchost for Media Center 2005, copy and paste it to me please, or walk me through maybe using the repair function on the Windows CD. My memories of the Apple II /load days are really fuzzy, so using the Repair Console scares me. Please help, oh gurus of PCs, I only know so much.


P.S. These didn't work:
1. VundoFix
2. Ad-Aware
3. ZoneAlarm
4. Avast
5. Disabling/re-enabling System Restore
I really don't want to reinstall Windows, although I can just leave it alone: as long as I don't use System Restore I will be fine, but I really don't like knowing it's there. Well, I'm tired of messing with this, I'm going to bed. Any help will be appreciated.

virus pic




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:20 AM, on 7/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214054581618
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4566 bytes

Edited by systemrestore, 11 July 2008 - 02:00 AM.
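The one entry in the HijackThis log above that deserves a second look is the O23 service line for "Microsoft security update service (msupdate)": the owner is unknown, the image path uses `\..\` to reach svchost.exe, and the file is reported missing. The following is an added example (not code from the poster or from BleepingComputer) showing how a defender can parse O23 lines and score those indicators automatically. The sample lines are constructed for the example, modelled on the shape of the log entries above; the weights and the threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: four O23 lines in the format HijackThis writes,
# one benign vendor service, one with a missing publisher only, one with
# several red flags stacked, and one benign firewall service.
SAMPLE_O23_LINES = [
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

# HijackThis O23 layout: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class ServiceFinding:
    name: str
    owner: str
    path: str
    # (reason, weight) pairs collected by assess()
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.reasons)


def parse_o23(line: str):
    """Return a ServiceFinding for an O23 line, or None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceFinding(m["name"], m["owner"], m["path"])


def assess(finding: ServiceFinding) -> ServiceFinding:
    """Attach weighted reasons for each indicator present (weights are assumed)."""
    path = finding.path.lower()
    if "(file missing)" in path:
        finding.reasons.append(("image file missing on disk", 2))
    if "\\..\\" in path:
        finding.reasons.append(("parent-directory traversal in image path", 2))
    if finding.owner.lower() == "unknown owner":
        finding.reasons.append(("no publisher recorded for the service", 1))
    if "microsoft" in finding.name.lower() and "microsoft" not in finding.owner.lower():
        finding.reasons.append(("Microsoft-sounding name with a non-Microsoft owner", 1))
    return finding


def triage(lines, threshold: int = 2):
    """Parse every O23 line and return the findings at or above the threshold."""
    findings = [assess(f) for f in map(parse_o23, lines) if f is not None]
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_O23_LINES):
        print(f"[{f.score}] {f.name} -> {f.path}")
        for reason, weight in f.reasons:
            print(f"      +{weight} {reason}")
```

Run against the sample, only the msupdate entry crosses the threshold; "ATI Smart" gets a single point for the missing publisher, which is why a weak signal on its own should prompt a look at the binary rather than a removal. Feed the function the O23 lines of a real log (one string per line) to get the same ranking.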



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:01:19 AM

Posted 12 July 2008 - 05:39 AM

Hi systemrestore (like the name)

Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console, if it's not already installed on your machine.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply.

In your next reply, please submit:
ComboFix.txt
and a new HJT log

Thanks



#3 systemrestore

systemrestore
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 12 July 2008 - 08:39 AM

ComboFix 08-07-11.1 - J-DAY 2008-07-12 9:29:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1603 [GMT -4:00]
Running from: C:\Documents and Settings\J-DAY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 13:07 . 2008-07-11 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
2008-07-11 02:11 . 2008-07-11 02:11 <DIR> d-------- C:\VundoFix Backups
2008-07-10 13:07 . 2008-07-10 13:07 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\MailFrontier
2008-07-10 13:07 . 2008-07-10 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-10 13:05 . 2008-07-10 13:05 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-10 12:50 . 2008-07-10 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-07-10 12:49 . 2008-07-10 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-10 10:28 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-10 09:59 . 2008-07-10 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-07-10 08:32 . 2008-07-10 08:32 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-10 08:21 . 2008-07-10 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-10 08:18 . 2008-07-10 10:33 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-10 08:02 . 2008-07-10 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-10 02:46 . 2008-07-10 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-09 13:23 . 2008-07-12 09:02 1,279 --a------ C:\rollback.ini
2008-07-09 13:06 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-09 13:06 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-09 10:09 . 2008-07-09 10:09 <DIR> dr-h----- C:\WINDOWS\system32\VProRecovery
2008-07-08 14:04 . 2008-07-08 14:04 307,200 --a------ C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2008-07-08 07:37 . 2008-07-12 09:31 3,261,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-08 07:37 . 2008-07-12 09:14 44,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-08 07:36 . 2008-07-08 07:36 4,096 --ahs---- C:\VSNAP.IDX
2008-07-08 07:23 . 2008-07-11 04:05 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-08 07:22 . 2008-07-11 04:04 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-08 07:22 . 2008-07-08 07:22 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-08 07:22 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-07-08 07:22 . 2008-07-12 09:15 355,091 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-07-08 07:21 . 2008-07-12 09:25 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-07 13:20 . 2008-07-07 13:20 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Symantec
2008-07-07 13:00 . 2008-05-07 16:46 215,144 -ra------ C:\WINDOWS\patchw32.dll
2008-07-07 12:57 . 2008-05-07 16:46 215,144 -ra------ C:\WINDOWS\pw32a.dll
2008-07-07 12:41 . 2008-07-10 13:03 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-07 12:36 . 2008-07-07 12:36 <DIR> d-------- C:\Program Files\AVG
2008-07-07 12:36 . 2008-07-07 12:36 10,520 --------- C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-07-07 12:17 . 2008-07-07 12:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 01:27 . 2008-07-07 01:27 <DIR> d-------- C:\Program Files\Symantec
2008-07-07 01:25 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-07-07 01:25 . 2008-05-07 16:44 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-07-07 01:25 . 2008-05-07 16:44 16,168 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-07-07 01:24 . 2008-07-10 10:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-07 00:06 . 2008-07-07 00:20 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-07-06 23:56 . 2008-07-10 10:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-06 23:52 . 2008-07-06 23:52 <DIR> d-------- C:\Program Files\Panda Security
2008-07-04 01:10 . 2008-07-04 01:10 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-29 22:18 . 2008-06-29 22:19 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2008-06-29 22:16 . 2008-06-29 22:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-29 22:15 . 2008-06-29 22:15 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2003
2008-06-29 22:11 . 2002-09-10 12:26 4,481,358 --a------ C:\WINDOWS\ctdvaudy.cdf
2008-06-29 21:07 . 2008-06-08 23:58 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-06-29 21:07 . 2008-06-22 20:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-29 21:07 . 2008-06-22 20:33 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-06-29 20:52 . 2008-06-29 20:52 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-29 20:52 . 2007-09-04 12:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-29 20:48 . 2008-06-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-06-29 20:34 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-29 19:46 . 2008-06-29 19:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-06-29 19:37 . 2008-06-29 19:56 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Creative
2008-06-29 19:33 . 2008-06-29 22:08 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-06-29 02:04 . 2008-06-29 02:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-06-26 14:51 . 2008-06-26 14:51 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 12:23 . 2008-06-29 04:03 <DIR> d-------- C:\Program Files\EA GAMES
2008-06-25 10:21 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-25 01:18 . 2008-06-25 01:25 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-06-25 01:16 . 2008-06-25 01:16 <DIR> d-------- C:\WINDOWS\Sun
2008-06-25 00:38 . 2004-08-17 21:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-06-25 00:26 . 2008-06-25 00:26 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\DAEMON Tools
2008-06-25 00:10 . 2008-06-25 00:12 <DIR> d-------- C:\Program Files\MagicISO
2008-06-25 00:05 . 2008-06-25 00:05 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\DAEMON Tools Pro
2008-06-24 23:54 . 2008-06-25 00:26 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-22 22:11 . 2008-06-22 22:11 <DIR> d-------- C:\Program Files\CCP
2008-06-22 00:02 . 2005-09-14 18:01 824,512 --a------ C:\WINDOWS\system32\drivers\hcwPVRP2.sys
2008-06-21 23:42 . 2008-06-21 23:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-21 23:40 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003380_.tmp
2008-06-21 23:06 . 2008-06-21 23:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-21 23:05 . 2008-06-21 23:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-21 23:05 . 2008-06-29 19:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-21 23:05 . 2008-06-21 23:06 <DIR> d-------- C:\fd71a5321c6887e8f1f94e58c52b
2008-06-21 23:05 . 2008-06-21 23:05 <DIR> d-------- C:\0ea6d011f7f0528b73f86ee1d3cbf4
2008-06-21 23:04 . 2008-06-21 23:05 <DIR> d-------- C:\7a007090548a2a8233218c
2008-06-21 22:40 . 2006-03-20 23:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-06-21 22:29 . 2008-06-21 22:29 <DIR> d-------- C:\Program Files\MSBuild
2008-06-21 22:27 . 2008-06-21 22:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-21 22:26 . 2008-06-21 22:26 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-21 22:25 . 2008-06-21 22:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-21 22:25 . 2008-06-21 22:25 <DIR> d-------- C:\4c2c2a345372565189e59f9467
2008-06-21 22:25 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-21 22:23 . 2008-04-14 00:15 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-06-21 22:23 . 2008-04-14 00:15 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-06-21 22:18 . 2008-06-21 22:18 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-06-21 21:51 . 2008-06-21 21:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-21 21:28 . 2008-04-14 05:42 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-06-21 21:00 . 2008-06-21 21:00 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\ATI
2008-06-21 20:59 . 2008-06-21 20:59 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-21 20:47 . 2008-06-21 22:51 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-21 20:46 . 2008-06-21 20:53 <DIR> d-------- C:\WINDOWS\Logs
2008-06-21 20:40 . 2008-06-21 20:42 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-21 20:40 . 2008-06-02 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-06-21 20:39 . 2008-06-21 20:39 <DIR> d-------- C:\ATI
2008-06-21 19:37 . 2008-07-07 13:29 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\EVEMon
2008-06-21 19:21 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-06-21 14:24 . 2008-06-21 14:24 <DIR> d-------- C:\Program Files\EVEMon
2008-06-21 14:15 . 2008-06-21 14:15 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-21 14:15 . 2008-06-21 14:15 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-21 11:59 . 2008-06-21 11:59 <DIR> d-------- C:\Program Files\Windows Plus
2008-06-21 11:58 . 2004-07-01 05:06 10,604,352 --a--c--- C:\WINDOWS\system32\dllcache\ehcir.ird
2008-06-21 11:57 . 2008-06-21 11:59 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2008-06-21 11:46 . 2008-06-21 12:11 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-06-21 11:43 . 2008-06-21 11:43 <DIR> d-------- C:\WINDOWS\WinRAR
2008-06-21 11:32 . 2008-07-12 09:03 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Azureus
2008-06-21 11:31 . 2008-06-21 11:31 <DIR> d-------- C:\Program Files\Java
2008-06-21 11:31 . 2008-06-21 11:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 11:31 . 2008-03-25 05:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-21 11:26 . 2006-05-04 01:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-21 11:25 . 2008-06-21 11:25 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-06-21 11:25 . 2008-06-21 11:25 <DIR> d-------- C:\Program Files\Samsung
2008-06-21 11:25 . 2005-08-30 04:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2008-06-21 11:25 . 2005-08-30 04:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2008-06-21 11:25 . 2005-08-30 04:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2008-06-21 11:25 . 2006-07-24 19:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-06-21 11:25 . 2005-08-28 23:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-21 10:20 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002975_.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 06:37 1,814,016 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-01 15:29 --------- d-----w C:\Documents and Settings\J-DAY\Application Data\Vso
2008-06-21 18:26 --------- d-----w C:\Program Files\Darkstar One
2008-06-21 16:26 --------- d-----w C:\Program Files\Logitech
2008-06-21 16:15 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-21 16:15 47,360 ----a-w C:\Documents and Settings\J-DAY\Application Data\pcouffin.sys
2008-06-21 16:15 --------- d-----w C:\Program Files\VSO
2008-06-21 16:14 --------- d-----w C:\Program Files\Elecard
2008-06-21 16:14 --------- d-----w C:\Program Files\Common Files\Elecard
2008-06-21 16:04 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-14 04:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-14 04:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-14 04:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-14 04:01 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 04:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-14 03:45 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-14 03:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-14 03:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-14 03:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-14 03:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-14 03:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-14 02:57 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-14 02:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-14 02:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-14 02:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-14 02:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-14 02:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-14 02:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-14 02:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-14 02:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-14 02:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-14 02:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-14 01:56 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-04-14 01:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-14 01:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-14 01:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-12_ 9.19.45.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-07-12 13:15:34 345,104 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-07-12 13:28:16 345,720 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 20:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 20:57 2095640]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"CTHelper"="CTHELPER.EXE" [2003-01-27 18:16 28672 C:\WINDOWS\system32\cthelper.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^J-DAY^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\J-DAY\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 07:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2005-09-14 18:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ba86352-42c2-11dd-b395-00508dd5d610}]
\Shell\AutoRun\command - G:\Autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 09:31:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 9:32:23
ComboFix-quarantined-files.txt 2008-07-12 13:32:18
ComboFix2.txt 2008-07-12 13:20:32

Pre-Run: 142,112,002,048 bytes free
Post-Run: 142,096,592,896 bytes free

289 --- E O F --- 2008-07-09 15:32:00
------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:12 AM, on 7/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214054581618
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4569 bytes
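The HijackThis log above, parsed and triaged the way a reviewer reads it, as an added example that is not part of this thread or of HijackThis itself; the sample lines are copied from the log, and the three triage rules (relative browser page, Run entry without a directory, service with no vendor) are this example's own assumptions about what to look at first.

```python
"""Added example, not part of the forum thread or of HijackThis itself: a small
parser for the HijackThis log lines quoted above, plus a few defender-side
triage rules.  The rules are this example's own assumptions about what a
reviewer checks first, not anything HijackThis computes."""
import re
from dataclasses import dataclass, field

# Constructed sample: seven lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Entry:
    section: str          # R0, R1, O2, O4, O23, or "?" for lines not recognised
    name: str             # value name, BHO name, Run entry name or service name
    data: str             # URL, DLL path, command line or service binary
    owner: str = ""       # registry key (R*/O4), CLSID (O2) or vendor (O23)
    flags: list = field(default_factory=list)


# One regex per section type present in the sample.  O23 display names that
# themselves contain " - " would split wrongly; the sample has none.
PATTERNS = {
    "R":   re.compile(r"^(R\d) - ([^,]+),(.+?) = (.*)$"),
    "O2":  re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$"),
    "O4":  re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$"),
    "O23": re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$"),
}


def parse_hjt(text):
    """Turn HijackThis log text into Entry objects, keeping unknown lines as '?'."""
    entries = []
    for line in text.strip().splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := PATTERNS["R"].match(line):
            entries.append(Entry(m[1], m[3], m[4], owner=m[2]))
        elif m := PATTERNS["O2"].match(line):
            entries.append(Entry("O2", m[1], m[3], owner=m[2]))
        elif m := PATTERNS["O4"].match(line):
            entries.append(Entry("O4", m[2], m[3], owner=m[1]))
        elif m := PATTERNS["O23"].match(line):
            entries.append(Entry("O23", m[1], m[3], owner=m[2]))
        else:
            entries.append(Entry("?", "", line))
    return entries


def executable_of(command):
    """First token of a Run command: the quoted path if present, else the bare word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(entries):
    """Apply the triage rules in place and return the entries that picked up a flag."""
    for e in entries:
        if e.section in ("R0", "R1"):
            # Start/search pages should be an absolute URL or a drive path;
            # a bare "\blank.htm" is the entry the helper asked to have fixed.
            if not re.match(r"(?i)(https?://|[a-z]:\\)", e.data):
                e.flags.append("page value is neither a URL nor an absolute path")
        elif e.section == "O4":
            # A Run entry with no directory is resolved through the PATH search
            # order, so the file that actually starts has to be confirmed.
            if "\\" not in executable_of(e.data):
                e.flags.append("bare file name, no directory; confirm which file runs")
        elif e.section == "O23":
            if e.owner == "Unknown owner":
                e.flags.append("service binary has no vendor recorded; check its publisher")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<3} {e.name:<15} {e.data}")
        for f in e.flags:
            print("     ->", f)
```

On the sample the three flagged entries are the Local Page value, the CTHelper Run entry and the ATI Smart service; a flag marks something to verify, not a verdict.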

#4 Starbuck

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 12 July 2008 - 10:28 AM

Hi systemrestore

This is the ComboFix2.txt from the 2nd run.
Can you please post the ComboFix.txt from the 1st run.
It can be found at:
C:\combofix.txt

Thanks.

Edited by Starbuck, 12 July 2008 - 10:32 AM.



#5 systemrestore

  • Topic Starter
  • Members
  • 7 posts

Posted 13 July 2008 - 06:23 AM

The 1st run didn't have the Recovery Console installed, but here you go. Thanks.






ComboFix 08-07-11.1 - J-DAY 2008-07-12 9:29:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1603 [GMT -4:00]
Running from: C:\Documents and Settings\J-DAY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 13:07 . 2008-07-11 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
2008-07-11 02:11 . 2008-07-11 02:11 <DIR> d-------- C:\VundoFix Backups
2008-07-10 13:07 . 2008-07-10 13:07 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\MailFrontier
2008-07-10 13:07 . 2008-07-10 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-10 13:05 . 2008-07-10 13:05 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-07-10 12:50 . 2008-07-10 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-07-10 12:49 . 2008-07-10 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-10 10:28 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-10 09:59 . 2008-07-10 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-07-10 08:32 . 2008-07-10 08:32 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-10 08:21 . 2008-07-10 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-10 08:18 . 2008-07-10 10:33 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-07-10 08:02 . 2008-07-10 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-10 02:46 . 2008-07-10 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-09 13:23 . 2008-07-12 09:02 1,279 --a------ C:\rollback.ini
2008-07-09 13:06 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-09 13:06 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-07-09 10:09 . 2008-07-09 10:09 <DIR> dr-h----- C:\WINDOWS\system32\VProRecovery
2008-07-08 14:04 . 2008-07-08 14:04 307,200 --a------ C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2008-07-08 07:37 . 2008-07-12 09:31 3,261,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-08 07:37 . 2008-07-12 09:14 44,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-08 07:36 . 2008-07-08 07:36 4,096 --ahs---- C:\VSNAP.IDX
2008-07-08 07:23 . 2008-07-11 04:05 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-08 07:22 . 2008-07-11 04:04 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-08 07:22 . 2008-07-08 07:22 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-08 07:22 . 2008-07-09 09:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-07-08 07:22 . 2008-07-12 09:15 355,091 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-07-08 07:21 . 2008-07-12 09:25 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-07 13:20 . 2008-07-07 13:20 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Symantec
2008-07-07 13:00 . 2008-05-07 16:46 215,144 -ra------ C:\WINDOWS\patchw32.dll
2008-07-07 12:57 . 2008-05-07 16:46 215,144 -ra------ C:\WINDOWS\pw32a.dll
2008-07-07 12:41 . 2008-07-10 13:03 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-07 12:36 . 2008-07-07 12:36 <DIR> d-------- C:\Program Files\AVG
2008-07-07 12:36 . 2008-07-07 12:36 10,520 --------- C:\WINDOWS\system32\avgrsstx.dll.install_backup
2008-07-07 12:17 . 2008-07-07 12:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 01:27 . 2008-07-07 01:27 <DIR> d-------- C:\Program Files\Symantec
2008-07-07 01:25 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-07-07 01:25 . 2008-05-07 16:44 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-07-07 01:25 . 2008-05-07 16:44 16,168 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-07-07 01:24 . 2008-07-10 10:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-07 00:06 . 2008-07-07 00:20 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-07-06 23:56 . 2008-07-10 10:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-06 23:52 . 2008-07-06 23:52 <DIR> d-------- C:\Program Files\Panda Security
2008-07-04 01:10 . 2008-07-04 01:10 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-29 22:18 . 2008-06-29 22:19 <DIR> d-------- C:\Program Files\Microsoft Streets & Trips
2008-06-29 22:16 . 2008-06-29 22:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-29 22:15 . 2008-06-29 22:15 <DIR> d-------- C:\Program Files\Microsoft Works Suite 2003
2008-06-29 22:11 . 2002-09-10 12:26 4,481,358 --a------ C:\WINDOWS\ctdvaudy.cdf
2008-06-29 21:07 . 2008-06-08 23:58 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-06-29 21:07 . 2008-06-22 20:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-29 21:07 . 2008-06-22 20:33 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-06-29 20:52 . 2008-06-29 20:52 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-29 20:52 . 2007-09-04 12:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-29 20:48 . 2008-06-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-06-29 20:34 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-29 19:46 . 2008-06-29 19:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-06-29 19:37 . 2008-06-29 19:56 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Creative
2008-06-29 19:33 . 2008-06-29 22:08 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-06-29 02:04 . 2008-06-29 02:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-06-26 14:51 . 2008-06-26 14:51 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 12:23 . 2008-06-29 04:03 <DIR> d-------- C:\Program Files\EA GAMES
2008-06-25 10:21 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-25 01:18 . 2008-06-25 01:25 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-06-25 01:16 . 2008-06-25 01:16 <DIR> d-------- C:\WINDOWS\Sun
2008-06-25 00:38 . 2004-08-17 21:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-06-25 00:26 . 2008-06-25 00:26 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\DAEMON Tools
2008-06-25 00:10 . 2008-06-25 00:12 <DIR> d-------- C:\Program Files\MagicISO
2008-06-25 00:05 . 2008-06-25 00:05 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\DAEMON Tools Pro
2008-06-24 23:54 . 2008-06-25 00:26 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-22 22:11 . 2008-06-22 22:11 <DIR> d-------- C:\Program Files\CCP
2008-06-22 00:02 . 2005-09-14 18:01 824,512 --a------ C:\WINDOWS\system32\drivers\hcwPVRP2.sys
2008-06-21 23:42 . 2008-06-21 23:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-21 23:40 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003380_.tmp
2008-06-21 23:06 . 2008-06-21 23:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-21 23:05 . 2008-06-21 23:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-21 23:05 . 2008-06-29 19:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-21 23:05 . 2008-06-21 23:06 <DIR> d-------- C:\fd71a5321c6887e8f1f94e58c52b
2008-06-21 23:05 . 2008-06-21 23:05 <DIR> d-------- C:\0ea6d011f7f0528b73f86ee1d3cbf4
2008-06-21 23:04 . 2008-06-21 23:05 <DIR> d-------- C:\7a007090548a2a8233218c
2008-06-21 22:40 . 2006-03-20 23:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-06-21 22:29 . 2008-06-21 22:29 <DIR> d-------- C:\Program Files\MSBuild
2008-06-21 22:27 . 2008-06-21 22:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-21 22:26 . 2008-06-21 22:26 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-21 22:25 . 2008-06-21 22:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-21 22:25 . 2008-06-21 22:25 <DIR> d-------- C:\4c2c2a345372565189e59f9467
2008-06-21 22:25 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-21 22:23 . 2008-04-14 00:15 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-06-21 22:23 . 2008-04-14 00:15 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-06-21 22:18 . 2008-06-21 22:18 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-06-21 21:51 . 2008-06-21 21:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-21 21:28 . 2008-04-14 05:42 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-06-21 21:00 . 2008-06-21 21:00 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\ATI
2008-06-21 20:59 . 2008-06-21 20:59 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-21 20:47 . 2008-06-21 22:51 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-21 20:46 . 2008-06-21 20:53 <DIR> d-------- C:\WINDOWS\Logs
2008-06-21 20:40 . 2008-06-21 20:42 <DIR> d-------- C:\Program Files\ATI Technologies
2008-06-21 20:40 . 2008-06-02 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-06-21 20:39 . 2008-06-21 20:39 <DIR> d-------- C:\ATI
2008-06-21 19:37 . 2008-07-07 13:29 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\EVEMon
2008-06-21 19:21 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-06-21 14:24 . 2008-06-21 14:24 <DIR> d-------- C:\Program Files\EVEMon
2008-06-21 14:15 . 2008-06-21 14:15 165,376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-21 14:15 . 2008-06-21 14:15 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-21 11:59 . 2008-06-21 11:59 <DIR> d-------- C:\Program Files\Windows Plus
2008-06-21 11:58 . 2004-07-01 05:06 10,604,352 --a--c--- C:\WINDOWS\system32\dllcache\ehcir.ird
2008-06-21 11:57 . 2008-06-21 11:59 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2008-06-21 11:46 . 2008-06-21 12:11 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-06-21 11:43 . 2008-06-21 11:43 <DIR> d-------- C:\WINDOWS\WinRAR
2008-06-21 11:32 . 2008-07-12 09:03 <DIR> d-------- C:\Documents and Settings\J-DAY\Application Data\Azureus
2008-06-21 11:31 . 2008-06-21 11:31 <DIR> d-------- C:\Program Files\Java
2008-06-21 11:31 . 2008-06-21 11:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 11:31 . 2008-03-25 05:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-21 11:26 . 2006-05-04 01:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-21 11:25 . 2008-06-21 11:25 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-06-21 11:25 . 2008-06-21 11:25 <DIR> d-------- C:\Program Files\Samsung
2008-06-21 11:25 . 2005-08-30 04:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2008-06-21 11:25 . 2005-08-30 04:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2008-06-21 11:25 . 2005-08-30 04:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2008-06-21 11:25 . 2006-07-24 19:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-06-21 11:25 . 2005-08-28 23:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-21 10:28 . 2008-06-21 23:45 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-21 10:20 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002975_.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 06:37 1,814,016 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-01 15:29 --------- d-----w C:\Documents and Settings\J-DAY\Application Data\Vso
2008-06-21 18:26 --------- d-----w C:\Program Files\Darkstar One
2008-06-21 16:26 --------- d-----w C:\Program Files\Logitech
2008-06-21 16:15 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-21 16:15 47,360 ----a-w C:\Documents and Settings\J-DAY\Application Data\pcouffin.sys
2008-06-21 16:15 --------- d-----w C:\Program Files\VSO
2008-06-21 16:14 --------- d-----w C:\Program Files\Elecard
2008-06-21 16:14 --------- d-----w C:\Program Files\Common Files\Elecard
2008-06-21 16:04 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 09:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 09:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 09:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 09:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 09:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 09:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 09:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 09:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 05:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-14 04:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 04:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-14 04:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-14 04:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-14 04:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-14 04:01 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 04:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-14 03:45 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-14 03:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-14 03:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-14 03:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-14 03:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-14 03:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-14 02:57 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-14 02:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-14 02:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-14 02:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-14 02:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-14 02:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-14 02:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-14 02:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-14 02:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-14 02:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-14 02:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-14 01:56 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-04-14 01:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-14 01:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-14 01:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-12_ 9.19.45.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 21:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2008-07-12 13:15:34 345,104 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-07-12 13:28:16 345,720 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 20:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 20:57 2095640]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"CTHelper"="CTHELPER.EXE" [2003-01-27 18:16 28672 C:\WINDOWS\system32\cthelper.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^J-DAY^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\J-DAY\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 07:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2005-09-14 18:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ba86352-42c2-11dd-b395-00508dd5d610}]
\Shell\AutoRun\command - G:\Autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 09:31:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 9:32:23
ComboFix-quarantined-files.txt 2008-07-12 13:32:18
ComboFix2.txt 2008-07-12 13:20:32

Pre-Run: 142,112,002,048 bytes free
Post-Run: 142,096,592,896 bytes free

289 --- E O F --- 2008-07-09 15:32:00

#6 Starbuck

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 13 July 2008 - 07:23 PM

Hi systemrestore

Step 1
Run HijackThis again, click Scan, and put a checkmark next to this item.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Then close all other windows, browsers etc.--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 2
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 3
Open HijackThis... click on Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, then copy and paste the results in your next post.
More information, with a screenshot, can be found here.

In your next reply, please submit:
MBAM scan results
Uninstall list.

Thanks.



#7 systemrestore

  • Topic Starter
  • Members
  • 7 posts

Posted 13 July 2008 - 07:57 PM

I appreciate all the help, but I've already cleaned all that stuff. The only problem I have is my svchost needs to be reinstalled via the Windows repair console, but as requested:



Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 3

8:45:00 PM 7/13/2008
mbam-log-7-13-2008 (20-45-00).txt

Scan type: Quick Scan
Objects scanned: 42124
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-----------------------------------------

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Azureus
Blaze Media Pro
Blaze Media Pro
CCleaner (remove only)
CD/DVD Data Recovery version 1.1
ConvertXtoDVD 3.0.0.1
Creative Driver
Darkstar One
Elecard MPEG-2 Decoder&Streaming Pack
EVEMon
EVE-ONLINE (remove only)
ffdshow [rev 2019] [2008-06-22]
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Java™ 6 Update 6
K-Lite Codec Pack 3.9.5 (Full)
Logitech GamePanel Software 2.02
Macro Express 3
Magic ISO Maker v5.4 (build 0251)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Mozilla Firefox (3.0)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NoAdware v5.0
Panda ActiveScan 2.0
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sound Blaster Audigy
TeamSpeak 2 RC2
The Sims 2
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Celebration! Stuff
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 IKEA® Home Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR
ZoneAlarm Security Suite

#8 Starbuck

  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 14 July 2008 - 03:35 AM

Hi systemrestore

This is becoming more confusing by the minute.

but I've already cleaned all that stuff

What stuff?
We are just running different scans to make sure the malware has all gone.

the original prog that caused the issue is long gone; does anyone know where it's hiding

What was the original program that was causing this?
If it's gone..... why would you think it's hiding?

The 2nd combofix.txt you posted was the same one as originally posted. You never posted the 1st one (whether the RC was installed or not wouldn't make a difference to what CF deleted).

These folders are showing in your reports:
C:\Program Files\Alwil Software
C:\Program Files\AVG
C:\Program Files\Panda Security
C:\Program Files\Symantec
It looks like you keep installing different AVs and then don't clean up properly afterwards.

ZoneAlarm Security Suite ... also contains an anti-virus.

Avast was showing in your Hjt logs.... now it's not even showing in your uninstall list.

Why are you messing about with all these programs?

In your uninstall list:
NoAdware v5.0
This Add or Remove Programs entry corresponds to a program that is either malware, installs malware, or is bundled with malware.
NoAdware is a rogue security software.

I advise that you remove it.

only problem I have is my svchost needs to be reinstalled via the Windows repair console, but as requested

XP has a built in command that will check for any problems with system files.

The system file checker command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

Click Start... Run... and then type in sfc /scannow (the space between the 'c' and / is meant to be there)
Make sure you have your windows operating disc handy... you may need it if any files need replacing.



#9 systemrestore

systemrestore
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:19 PM

Posted 14 July 2008 - 04:15 PM

I removed all the keyloggers, viruses and stuff manually a week ago; a couple were in the Windows and System32 folders, and I got rid of all of them. Now all I need to do is repair the damage they have done, one of which I think has damaged my svchost.exe. Another thing it has done is keep reinstalling a virus into my restore points; however, I don't know where it's hiding. I'm assuming it's not hiding but has actually inserted itself into a known process like svchost. Now, I don't know if that's possible, but that's what I'm assuming. And I've downloaded all of those programs to try to find it (the thing that keeps reinstalling things into my restore point); all I've tried can't find anything but the system restore virus. Oh, the original program that installed the virus on my PC in the first place is gone. I uninstalled Avast; it wasn't worth a darn, the only thing I used it for was a startup scan. Panda scan is just an ActiveX thingy, and it's still in my Programs folder. So, all in all, I think the virus has injected itself into the svchost, and reinstalling it or copying and pasting it should remedy the problem (assuming it's actually in the svchost, because, as we're both seeing, every scan we run shows 0 viruses/malware now). The only one I haven't tried is Norton. I hope this clears some things up for you. Oh, NoAdware v5.0: yes, I know it's not good, but it has found bad things that others could not, like Lavasoft Ad-Aware and a few others. PS: I'm using sfc /scannow now, let's cross fingers.


So basically I have something that keeps installing another program into my restore points. I don't think it's a virus on my PC, but rather a process in Windows, but if so sfc /scannow should fix that, I hope.

PSS: After sfc /scannow I will run/install Norton, AVG, PC Chillin and ZoneAlarm scans one more time. If all report 0 we will hopefully have got it all and will jump for joy and leave you alone. I just hope you're not mad or frustrated at me :(

Edited by systemrestore, 14 July 2008 - 04:25 PM.


#10 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:01:19 AM

Posted 14 July 2008 - 06:04 PM

Hi systemrestore

I just hope you're not mad or frustrated at me

It just gets confusing when you run things and install things without my knowledge.
It alters the reports and then that makes things harder to read.

I removed all the keyloggers, viruses and stuff manually a week ago

But I have to make sure it's all gone... or I wouldn't be doing my job properly.

now all I need to do is repair the damage they have done, one of which I think has damaged my svchost.exe

You'll probably find that your 'svchost.exe' isn't damaged at all.
Malware will normally try to disguise itself as svchost.
Look closely at the entry you had:

c:\windows\system32\..\svchost.exe

Yes... svchost.exe is located in c:\windows\system32, but that's not what it's showing.
Did you not see the:

\..\

That means it's not the real McCoy.

Let's backtrack a bit...
This appeared in your 1st Hjt log:

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe (file missing)

So this meant that something you had run had removed the file... but not the service.
Then we ran ComboFix... the next Hjt log didn't show the entry.
Now we know that CF will remove this file and the service.
But it wasn't showing in the combofix.txt.
That's why I wanted to see the 1st one... it would have shown the deletions (along with anything else that we may not have known was there).

another thing it has done is keep reinstalling a virus into my restore points, however I don't know where it's hiding

What do you actually mean by this?
Are you using System Restore and then finding that you are reinfected again?
If so... this is understandable.
Malware can back itself up in your restore points so that it can reinfect you again.
We normally clear these restore points and set you a new one once we determine that you are 'clean'.
But we don't remove the old ones until then, the point being... 'a bad restore point is better than no restore point'.

NoAdware v5.0, yes, I know it's not good, but it has found bad things that others could not, like Lavasoft Ad-Aware and a few others.

Because this program is known to give 'false positives'... are you sure that what it's telling you is actually legit?

Can you bear with me and run one last scan...
If this comes up clean... I'll believe it. If it shows anything bad... I'll believe that as well.
If it comes back clean, we'll clear all your old restore points and get rid of all the malware backed up in them.
And then I'll stop pestering you... how's that for a deal?

Please do an online scan with Kaspersky WebScanner.
Notes
Java must be installed and enabled for the scan to work.
Disable your computer's antivirus program as leaving it active will cause conflicts
  • Close ALL programs and windows except for your browser
    Please go to Online Kaspersky Scan and perform an online antivirus scan.
  • Read through the Requirements and limitations statement and click on the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
  • Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan on the left. OK any warnings from your protection programs.
  • Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.
  • Please post this log in your next reply.
Note - enable your antivirus program before browsing away from the Kaspersky site.

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt, it will open in Notepad
Click Edit > Select all then Edit > Copy
Reply to this thread and paste (Ctrl+V) the report along with a new Hjt log.

Thanks.

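Starbuck's point about the `\..\` in the service path, and about a service entry marked `(file missing)`, can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not anything posted in the thread and it is not part of HijackThis or ComboFix. It parses HijackThis O23 service lines, normalizes the binary path the way Windows would when it resolves the `..` component, and flags three things: an svchost.exe that does not resolve to C:\Windows\System32, a path that uses relative components at all, and an orphaned service whose registry entry survived after its binary was removed. The first sample line is the one quoted in the thread; the other two lines, the service names in them, and all function names are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Canonical location of the genuine Service Host binary on Windows XP.
# Comparison is lowercase because NTFS paths are case-insensitive.
CANONICAL_SVCHOST = r"c:\windows\system32\svchost.exe"

# Constructed sample log. Line 1 is the O23 entry quoted in the thread;
# lines 2 and 3 are made up to show a legitimate entry and a plain impostor.
SAMPLE_LOG = r"""
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\..\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Updater (wupdsvc) - Unknown owner - C:\Documents and Settings\user\svchost.exe
"""

# HijackThis O23 format: "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text: str) -> list[ServiceEntry]:
    """Return one ServiceEntry per O23 line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["name"], m["owner"],
                                        m["path"], bool(m["missing"])))
    return entries


def normalize(path: str) -> str:
    """Collapse '..' and '.' components as Windows does, then lowercase."""
    return ntpath.normpath(path).lower()


def assess(entry: ServiceEntry) -> list[str]:
    """List the reasons an entry looks suspicious; empty list means it looks fine."""
    findings = []
    resolved = normalize(entry.path)
    if "\\..\\" in entry.path or "\\.\\" in entry.path:
        findings.append("path uses relative components, which a registered service has no reason to do")
    if ntpath.basename(resolved) == "svchost.exe" and resolved != CANONICAL_SVCHOST:
        findings.append(f"svchost.exe outside System32: resolves to {resolved}")
    if entry.file_missing:
        findings.append("orphaned service: the binary is gone but the registry entry remains")
    return findings


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each service's short name to its findings."""
    return {e.name: assess(e) for e in parse_o23(log_text)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        status = "; ".join(findings) if findings else "looks legitimate"
        print(f"{name}: {status}")
```

Note that `c:\windows\system32\..\svchost.exe` resolves to `c:\windows\svchost.exe`, so the entry fails the location check even before the `\..\` and `(file missing)` checks fire; the Dnscache line, whose path really is the System32 binary, produces no findings.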




