
I've got many hard-to-solve infections. Help Please


This topic is locked
43 replies to this topic

#16 maranatha
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 01 November 2008 - 01:20 PM

Hi DJohn

OK your Counter-Strike game seems to be from a torrent download and is infected and needs to be removed.

If you are willing to remove it please do this.

Please go to Start > Control Panel > Add/Remove Programs (on Windows Vista it is Programs and Features) and remove the following (if present):


Counter-Strike


Now please do this.

Download OTMoveIt3 by OldTimer to your Desktop.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\INSTALL\Kodeky\BS Player\bsplayer224[2].954_clip.exe
    C:\Program Files\Counter-Strike
  • Return to OTMoveIt3, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Are you still having the problems you posted about in post #3?

Could you let me know what is inside this folder: C:\INSTALL

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here




#17 DJohn
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male
  • Location:Motherwell

Posted 01 November 2008 - 08:31 PM

Hello Maranatha!

Just a quick note: I stopped downloading through BitTorrent about a year ago because of its slow download speed and never used it after that. What is interesting is that there were 3 programs under the Counter-Strike heading in Add/Remove Programs. I deleted all of them, so there shouldn't be any more problems with these viruses in particular. Also, in Panda's report you can see the list of vulnerabilities on my computer. I looked some of them up and it said these made my system update program vulnerable. It could be connected to a problem I have had for some time now, which is that I can't update my system, not even the critical updates. I don't know why, but when I try to install them it tells me for each of them that the installation failed. If you could help please, I really think 93 critical updates can make a difference to my system. Thanks.

Here are OTMoveIt3 results:

Error: Unable to interpret <C:\INSTALL\Kodeky\BS Player\bsplayer224[2].954_clip.exe> in the current context!
Error: Unable to interpret <C:\Program Files\Counter-Strike> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11022008_011946

Edited by DJohn, 01 November 2008 - 08:33 PM.


#18 DJohn
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male
  • Location:Motherwell

Posted 03 November 2008 - 05:29 PM

Hello Maranatha, sorry I didn't notice the small note at the end of your post. About these problems, I'll show you below:


1. I am still getting this ears-killing sound on the startup. - FIXED (thanks ;))

2. I still can't use my disc-burning programs. - It asks me to reinstall it, so I will probably just do it.

3. My Java is not working well, even after reinstalling it. I can use it, but after it's been used I have to shut it off through Task Manager because it takes about 90% of processor usage. - Still needs to be fixed

4. My computer is running really slow and it seems I am unable to do anything about it. - Still needs to be fixed

5. I can't access my photographs folder on my desktop; when I open the folder, it freezes and I have to shut it off via Task Manager. If there's something I can do about it please help me with it. (I don't have them backed up) - FIXED - THANKS!

6. I can't update my system as I said in my last post. - Still needs to be fixed

About C:\INSTALL: there are a lot of files for system updating (Windows Media 11, IE 8, Mozilla, ...), drivers for individual hardware on my computer, codecs for movies, sound, etc., and some freeware basic programming programs (SCAR).

Edited by DJohn, 04 November 2008 - 12:22 PM.


#19 maranatha
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 03 November 2008 - 09:57 PM

Hi DJohn

I can't access my photographs folder on my desktop

While I'm waiting to get my next post OK'ed, answer a couple of questions.

When you were able to open it did it open with a program? Like Windows Picture viewer or one of your photo programs?

If you right click on the folder and click properties under Attributes what is checked?

Is the folder on your Desktop the original folder or a shortcut?

Thanks
maranatha



#20 maranatha
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 03 November 2008 - 11:28 PM

Hi DJohn

Please do this.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Program Files\Counter-Strike

Also Using Windows Explorer please delete this file (if present):

C:\INSTALL\Kodeky\BS Player\bsplayer224[2].954_clip.exe


I need to see some logs.

You ran Combofix at one time and I need to see the log it produced, you can find it here.
C:\ComboFix.txt


I also would like to see the log from Smitfraudfix that you ran. It is listed here.
C:\rapport.txt


I also need to see a startup list using Hijackthis, here is how.
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Make sure there is a check in the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from Notepad into your next post
Please answer the questions in my previous post and post all the logs asked for; it may take more than one post to fit them in.

Thanks
maranatha

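The ComboFix log that maranatha asks for in this post prints one file per line: an optional `-`/`+` marker in the snapshot section, a timestamp (the Files Created section adds a second one after a `.`), a size or `<DIR>`, an attribute string such as `--sh--r`, and the path. Helpers read these logs by eye, but the layout is regular enough to parse. The Python below is an added example, not part of the thread and not ComboFix's own code: it reads a log in that layout, flags non-directory entries whose attribute string carries both the hidden (`h`) and system (`s`) flags so they can be reviewed, and pairs the `-` (before) and `+` (after) snapshot lines by path to show which files were added or replaced. The sample log is constructed in the same layout as the one DJohn posts later in the thread, and the meaning of the attribute letters is an assumption based on how ComboFix prints them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One file line from any ComboFix section. Layout inferred from the log text
# in this thread (assumption), not from ComboFix documentation:
#   [-|+] <timestamp> [ . <second timestamp>] <size|<DIR>|------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<sign>[-+])?\s*"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<date2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>[\d,]+|<DIR>|-+)"
    r" (?P<attrs>[A-Za-z-]+)"
    r" (?P<path>[A-Za-z]:\\.*?)\s*$"
)
# Section banners look like "(((((( Find3M Report ))))))".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")


@dataclass
class Entry:
    section: str
    sign: Optional[str]    # '-' = before snapshot, '+' = after snapshot, None = plain listing
    date: str
    date2: Optional[str]   # second timestamp, only in the Files Created section
    size: Optional[int]    # None for "<DIR>" or a dashed size field
    attrs: str             # attribute string exactly as printed, e.g. "--sh--r"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # Assumption: 'h' and 's' in the attribute column are the hidden and system flags.
        return not self.is_dir and "h" in self.attrs and "s" in self.attrs


def parse_size(token: str) -> Optional[int]:
    if token == "<DIR>" or set(token) == {"-"}:
        return None
    return int(token.replace(",", ""))


def parse_log(text: str) -> List[Entry]:
    """Parse the file lines of a ComboFix log; banner lines set the current section."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("name")
            continue
        m = LINE_RE.match(line)
        if m:  # header lines such as "ComboFix 08-10-19.04 - ..." simply do not match
            entries.append(Entry(section, m.group("sign"), m.group("date"), m.group("date2"),
                                 parse_size(m.group("size")), m.group("attrs"), m.group("path")))
    return entries


def snapshot_changes(entries: List[Entry]) -> Dict[str, Tuple[Optional[Entry], Optional[Entry]]]:
    """Pair '-' (before) and '+' (after) snapshot lines. Keys are lower-cased because
    Windows paths are case-insensitive and the log prints e.g. vgx.dll and VGX.dll."""
    changes: Dict[str, Tuple[Optional[Entry], Optional[Entry]]] = {}
    for e in entries:
        if e.sign is None:
            continue
        before, after = changes.get(e.path.lower(), (None, None))
        if e.sign == "-":
            before = e
        else:
            after = e
        changes[e.path.lower()] = (before, after)
    return changes


def review(text: str) -> Tuple[List[str], List[str], List[Tuple[str, Optional[int], Optional[int]]]]:
    """Return (hidden+system files, files new since the snapshot, replaced files with old/new size)."""
    entries = parse_log(text)
    flagged = [e.path for e in entries if e.hidden_system]
    changes = snapshot_changes(entries)
    new = [a.path for b, a in changes.values() if b is None and a is not None]
    replaced = [(a.path, b.size, a.size) for b, a in changes.values() if b and a]
    return flagged, new, replaced


# Constructed sample in the same layout as the log posted in this thread (not real data).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.
2008-10-18 02:12 . 2008-10-18 02:12 <DIR> d-------- C:\Program Files\Example AV
2008-10-18 02:12 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\example.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\ExampleApp
2008-09-21 07:31 88 --sh--r C:\Documents and Settings\All Users\Application Data\A1B2C3D4.sys
2008-05-30 21:23 3,350 -csha-w C:\WINDOWS\system32\AbCdEfGh.sys
.
((((((((((((((((((((((((((((( snapshot@2008-10-18_17.30.48.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-22 02:06:16 128,512 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
"""

if __name__ == "__main__":
    flagged, new, replaced = review(SAMPLE_LOG)
    for p in flagged:
        print("hidden+system file:", p)
    for p in new:
        print("new since snapshot:", p)
    for p, old, cur in replaced:
        print(f"replaced: {p} {old} -> {cur} bytes")
```

A hidden+system file in a data folder is only a prompt for a closer look, not a verdict; licensing and DRM components use the same attributes, so the flagged paths still have to be checked against known-good sources before anything is removed.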


#21 DJohn
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male
  • Location:Motherwell

Posted 04 November 2008 - 12:40 PM

Hello Maranatha!
I've done the things you asked me for. They're listed below:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Program Files\Counter-Strike


Successfully deleted!

Also Using Windows Explorer please delete this file (if present):

C:\INSTALL\Kodeky\BS Player\bsplayer224[2].954_clip.exe


Successfully deleted!

You ran Combofix at one time and I need to see the log it produced, you can find it here.
C:\ComboFix.txt


ComboFix 08-10-19.04 - MBI 2008-10-20 13:46:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894 [GMT 1:00]
Running from: C:\Documents and Settings\MBI\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-19 19:01 . 2008-10-19 19:01 <DIR> d-------- C:\Program Files\Microsoft Games
2008-10-18 18:35 . 2008-10-18 18:35 <DIR> d--hs---- C:\Documents and Settings\MBI\PrivacIE
2008-10-18 18:26 . 2008-10-18 18:28 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-18 18:13 . 2008-10-18 18:13 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-18 16:53 . 2008-10-18 16:53 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-18 15:54 . 2008-10-18 22:46 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-18 02:12 . 2008-10-18 02:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-18 02:12 . 2008-10-18 02:12 <DIR> d-------- C:\Documents and Settings\MBI\Application Data\Malwarebytes
2008-10-18 02:12 . 2008-10-18 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-18 02:12 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-18 02:12 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 11:31 . 2008-10-16 11:31 <DIR> d-------- C:\Program Files\Sygate
2008-10-16 11:31 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-16 11:31 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-16 11:31 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-16 11:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-16 11:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-16 11:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-16 11:31 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-15 13:13 . 2008-10-15 14:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-15 13:13 . 2008-10-15 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-15 02:28 . 2008-10-18 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-15 02:27 . 2008-10-18 23:07 <DIR> d-------- C:\MRT
2008-10-07 20:26 . 2001-07-05 18:19 164 --------- C:\WINDOWS\avrack.ini
2008-10-07 20:03 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-10-07 20:03 . 1995-01-13 14:10 149,504 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2008-10-07 20:03 . 1995-01-13 14:10 108,032 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2008-10-07 20:03 . 1995-08-30 02:02 82,432 --a------ C:\WINDOWS\system32\CTWFLT32.DLL
2008-10-07 20:03 . 1994-12-05 03:11 53,552 --a------ C:\WINDOWS\CTCCW.DLL
2008-10-07 20:03 . 1995-07-13 02:01 26,768 --a------ C:\WINDOWS\system32\CTL3D.DLL
2008-10-07 20:03 . 1996-05-23 02:24 24,976 --a------ C:\WINDOWS\CTRES.DLL
2008-10-07 20:03 . 2008-10-07 20:03 282 --a------ C:\WINDOWS\SBWIN.INI
2008-10-07 20:03 . 2008-10-07 17:12 231 --a------ C:\WINDOWS\SYSTEM.I~I
2008-10-07 20:01 . 2008-10-07 20:03 <DIR> d-------- C:\Program Files\Creative
2008-10-07 20:01 . 1999-12-17 01:00 6,752 --a------ C:\WINDOWS\system32\PfModNT.sys
2008-10-07 19:27 . 2008-10-07 19:22 35,113,704 --a------ C:\directx_9c_redist.exe
2008-10-07 17:57 . 2008-10-07 20:38 1,341,739,008 --a------ C:\WINDOWS\MEMORY.DMP
2008-10-07 17:48 . 2004-08-04 13:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-10-07 17:47 . 2004-08-04 13:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-10-07 17:46 . 2004-08-04 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-10-07 17:45 . 2004-08-04 13:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-10-07 17:44 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-10-07 17:42 . 2004-08-04 13:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-10-07 17:42 . 2004-08-04 13:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-10-07 17:42 . 2004-08-04 13:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-10-07 17:42 . 2008-10-07 17:42 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-10-07 17:42 . 2008-10-07 17:42 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-10-07 17:42 . 2008-10-07 17:42 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-10-07 17:42 . 2008-10-07 17:42 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-10-07 17:42 . 2008-10-07 17:42 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-10-07 17:42 . 2008-10-07 17:42 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-10-07 17:11 . 2004-08-04 13:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-10-07 17:10 . 2008-10-10 19:48 1,456,805 --a------ C:\WINDOWS\setupapi.log.0.old
2008-10-07 17:09 . 2008-10-07 17:09 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\History
2008-10-07 16:41 . 2008-10-07 16:41 <DIR> d-------- C:\$WIN_NT$.~BT
2008-10-07 16:41 . 2004-08-04 13:00 472,007 -ra------ C:\txtsetup.sif
2008-10-07 16:41 . 2004-08-04 13:00 260,272 -ra------ C:\$LDR$
2008-10-07 16:06 . 2008-10-18 16:03 2,048 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-07 15:54 . 2008-10-07 15:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-06 22:16 . 2008-10-18 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-06 21:30 . 2008-10-18 01:11 <DIR> d-------- C:\SDFix
2008-10-06 12:25 . 2008-10-06 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-06 12:25 . 2008-10-06 12:24 38,507,080 --a------ C:\kis8.0.0.454en.exe
2008-10-06 11:47 . 2008-10-06 11:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-04 18:43 . 2007-03-18 19:28 183,691,264 --a------ C:\Simpsonovi.16x02.Ve.valce.sporaku.je.vse.dovoleno.avi
2008-09-30 18:02 . 2007-12-03 02:10 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-09-29 02:44 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-09-29 02:44 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-09-29 02:44 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-09-29 02:44 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-09-29 02:43 . 2008-09-29 02:44 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-29 02:43 . 2008-09-29 02:43 <DIR> d-------- C:\WINDOWS\Logs
2008-09-29 01:52 . 2008-09-29 01:52 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-09-29 01:50 . 2008-09-29 01:50 <DIR> d-------- C:\NVIDIA
2008-09-29 01:10 . 2008-09-29 01:10 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-29 01:10 . 2008-09-29 01:10 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-29 01:10 . 2008-09-29 01:10 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-29 01:10 . 2008-09-29 01:10 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-29 01:05 . 2008-09-29 01:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-24 20:26 . 2008-09-24 20:26 <DIR> d-------- C:\Program Files\Alex Buturuga

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 12:45 --------- d-----w C:\Documents and Settings\MBI\Application Data\OpenOffice.org2
2008-10-19 21:36 30 ----a-w C:\Documents and Settings\MBI\jagex_runescape_preferences.dat
2008-10-18 21:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-18 00:00 --------- d-----w C:\Program Files\SwiftSwitch
2008-10-18 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-17 23:58 --------- d-----w C:\Program Files\Java
2008-10-16 15:40 --------- d-----w C:\Program Files\SwiftKit
2008-10-14 17:58 --------- d-----w C:\Documents and Settings\MBI\Application Data\Skype
2008-10-07 19:26 --------- d-----w C:\Program Files\AvRack
2008-10-07 18:37 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-10-07 18:37 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-10-06 20:05 98,304 ----a-w C:\WINDOWS\DUMP4cd7.tmp
2008-10-06 20:00 98,304 ----a-w C:\WINDOWS\DUMP5b2f.tmp
2008-10-06 19:59 98,304 ----a-w C:\WINDOWS\DUMP5ad2.tmp
2008-10-06 10:30 --------- d-----w C:\Program Files\ICQToolbar
2008-09-30 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-30 17:02 --------- d-----w C:\Program Files\Google
2008-09-29 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-09-25 23:15 --------- d-----w C:\Program Files\ICQ6
2008-09-25 13:50 --------- d-----w C:\Program Files\Counter-Strike
2008-09-21 07:31 88 --sh--r C:\Documents and Settings\All Users\Application Data\5A8963B446.sys
2008-09-21 07:31 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-09-20 12:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-09-20 12:54 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-09-13 08:29 --------- d-----w C:\Documents and Settings\MBI\Application Data\ICQ
2008-08-22 02:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 02:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 02:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 02:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 02:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 02:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 02:05 48,640 ------w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 02:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 02:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 02:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 01:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 16:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2007-11-15 17:23 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-05 22:36 56 --sh--r C:\WINDOWS\system32\46B463895A.sys
2008-05-30 21:23 88 --sh--r C:\WINDOWS\system32\5A8963B446.sys
2008-05-30 21:23 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-18_17.30.48.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-04 14:45:26 209,632 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
+ 2005-05-04 13:45:26 209,632 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
- 2005-05-04 14:45:28 371,936 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
+ 2005-05-04 13:45:28 371,936 -c----w C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
- 2008-10-18 10:29:19 315,392 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl.dll
+ 2008-10-19 20:42:49 315,392 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl.dll
- 2008-10-18 10:29:19 20,480 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-10-19 20:42:49 20,480 ----a-w C:\WINDOWS\.jagex_cache_32\runescape\jogl_awt.dll
+ 2004-08-04 12:00:00 61,440 -c--a-w C:\WINDOWS\ie8\admparse.dll
+ 2004-08-04 12:00:00 99,840 -c--a-w C:\WINDOWS\ie8\advpack.dll
+ 2004-08-04 12:00:00 1,016,832 -c--a-w C:\WINDOWS\ie8\browseui.dll
+ 2004-08-04 12:00:00 35,328 -c--a-w C:\WINDOWS\ie8\corpol.dll
+ 2004-08-04 12:00:00 357,888 -c--a-w C:\WINDOWS\ie8\dxtmsft.dll
+ 2004-08-04 12:00:00 201,728 -c--a-w C:\WINDOWS\ie8\dxtrans.dll
+ 2004-08-04 12:00:00 38,912 -c--a-w C:\WINDOWS\ie8\hmmapi.dll
+ 2008-06-23 16:57:28 63,488 -c--a-w C:\WINDOWS\ie8\icardie.dll
+ 2004-08-04 12:00:00 34,304 -c--a-w C:\WINDOWS\ie8\ie4uinit.exe
+ 2004-08-04 12:00:00 139,264 -c--a-w C:\WINDOWS\ie8\ieakeng.dll
+ 2004-08-04 12:00:00 216,576 -c--a-w C:\WINDOWS\ie8\ieaksie.dll
+ 2004-08-04 12:00:00 221,184 -c--a-w C:\WINDOWS\ie8\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 -c--a-w C:\WINDOWS\ie8\ieapfltr.dat
+ 2008-06-23 16:57:29 383,488 -c--a-w C:\WINDOWS\ie8\ieapfltr.dll
+ 2004-08-04 12:00:00 323,584 -c--a-w C:\WINDOWS\ie8\iedkcs32.dll
+ 2004-08-04 12:00:00 81,920 -c--a-w C:\WINDOWS\ie8\ieencode.dll
+ 2004-08-04 12:00:00 81,920 -c--a-w C:\WINDOWS\ie8\ieencode.dll.000
+ 2008-06-23 16:57:33 6,066,176 -c--a-w C:\WINDOWS\ie8\ieframe.dll
+ 2004-08-04 12:00:00 249,344 -c--a-w C:\WINDOWS\ie8\iepeers.dll
+ 2007-08-13 18:54:10 287,744 -c--a-w C:\WINDOWS\ie8\ieproxy.dll
+ 2004-08-04 12:00:00 48,640 -c--a-w C:\WINDOWS\ie8\iernonce.dll
+ 2008-06-23 16:57:34 267,776 -c--a-w C:\WINDOWS\ie8\iertutil.dll
+ 2004-08-04 12:00:00 62,976 -c--a-w C:\WINDOWS\ie8\iesetup.dll
+ 2007-08-13 18:54:10 180,736 -c--a-w C:\WINDOWS\ie8\ieui.dll
+ 2004-08-04 12:00:00 93,184 -c--a-w C:\WINDOWS\ie8\iexplore.exe
+ 2004-08-04 12:00:00 35,840 -c--a-w C:\WINDOWS\ie8\imgutil.dll
+ 2004-08-04 12:00:00 96,256 -c--a-w C:\WINDOWS\ie8\inseng.dll
+ 2004-08-04 12:00:00 450,560 -c--a-w C:\WINDOWS\ie8\jscript.dll
+ 2004-08-04 12:00:00 15,872 -c--a-w C:\WINDOWS\ie8\jsproxy.dll
+ 2004-08-04 12:00:00 22,016 -c--a-w C:\WINDOWS\ie8\licmgr10.dll
+ 2008-06-23 16:57:36 459,264 -c--a-w C:\WINDOWS\ie8\msfeeds.dll
+ 2008-06-23 16:57:36 52,224 -c--a-w C:\WINDOWS\ie8\msfeedsbs.dll
+ 2007-08-13 18:36:40 12,288 -c--a-w C:\WINDOWS\ie8\msfeedssync.exe
+ 2004-08-04 12:00:00 29,184 -c--a-w C:\WINDOWS\ie8\mshta.exe
+ 2004-08-04 12:00:00 3,003,392 -c--a-w C:\WINDOWS\ie8\mshtml.dll
+ 2004-08-04 12:00:00 448,512 -c--a-w C:\WINDOWS\ie8\mshtmled.dll
+ 2004-08-04 12:00:00 56,832 -c--a-w C:\WINDOWS\ie8\mshtmler.dll
+ 2004-08-04 12:00:00 146,432 -c--a-w C:\WINDOWS\ie8\msls31.dll
+ 2004-08-04 12:00:00 146,432 -c--a-w C:\WINDOWS\ie8\msrating.dll
+ 2004-08-04 12:00:00 530,432 -c--a-w C:\WINDOWS\ie8\mstime.dll
+ 2004-08-04 12:00:00 96,256 -c--a-w C:\WINDOWS\ie8\occache.dll
+ 2004-08-04 12:00:00 39,424 -c--a-w C:\WINDOWS\ie8\pngfilt.dll
+ 2004-08-04 12:00:00 1,483,264 -c--a-w C:\WINDOWS\ie8\shdocvw.dll
+ 2004-08-04 12:00:00 473,600 -c--a-w C:\WINDOWS\ie8\shlwapi.dll
+ 2006-09-06 17:43:16 213,216 -c--a-w C:\WINDOWS\ie8\spuninst.exe
+ 2008-08-22 02:21:04 49,736 -c--a-w C:\WINDOWS\ie8\spuninst\iecustom.dll
+ 2008-06-12 10:27:58 231,456 -c--a-w C:\WINDOWS\ie8\spuninst\spuninst.exe
+ 2008-06-12 10:28:00 382,496 -c--a-w C:\WINDOWS\ie8\spuninst\updspapi.dll
+ 2004-08-04 12:00:00 37,888 -c--a-w C:\WINDOWS\ie8\url.dll
+ 2004-08-04 12:00:00 601,088 -c--a-w C:\WINDOWS\ie8\urlmon.dll
+ 2004-08-04 12:00:00 417,792 -c--a-w C:\WINDOWS\ie8\vbscript.dll
+ 2004-08-04 12:00:00 848,384 -c--a-w C:\WINDOWS\ie8\vgx.dll
+ 2004-08-04 12:00:00 276,480 -c--a-w C:\WINDOWS\ie8\webcheck.dll
+ 2007-08-13 18:45:16 206,336 -c--a-w C:\WINDOWS\ie8\winfxdocobj.exe
+ 2004-08-04 12:00:00 656,384 -c--a-w C:\WINDOWS\ie8\wininet.dll
- 2004-08-04 12:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-08-22 02:06:16 128,512 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-07-19 14:30:53 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
- 2004-08-04 12:00:00 1,016,832 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-06-12 10:27:52 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2004-08-04 12:00:00 61,440 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2008-08-22 02:06:30 72,704 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2004-08-04 12:00:00 99,840 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-08-22 02:06:16 128,512 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2004-08-04 12:00:00 1,016,832 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-06-12 10:27:52 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2004-08-04 12:00:00 35,328 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
+ 2008-08-22 02:07:08 18,944 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
- 2004-08-04 12:00:00 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-22 02:05:16 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00:00 201,728 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-22 02:05:10 217,088 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2004-08-04 12:00:00 38,912 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2008-08-22 02:00:28 68,608 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2004-08-04 12:00:00 34,304 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-08-22 02:06:24 162,304 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2004-08-04 12:00:00 139,264 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-08-22 02:06:36 124,928 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00:00 216,576 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-08-22 02:06:40 228,864 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00:00 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-08-22 02:06:24 163,840 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2004-08-04 12:00:00 323,584 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-08-22 02:06:44 385,024 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00:00 249,344 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-08-22 02:05:24 186,880 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2004-08-04 12:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-08-22 02:06:20 55,808 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2004-08-04 12:00:00 62,976 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2008-08-22 02:06:24 71,680 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2004-08-04 12:00:00 93,184 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-08-22 02:16:40 637,984 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2004-08-04 12:00:00 35,840 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2008-08-22 02:05:14 35,840 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2004-08-04 12:00:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-08-22 02:06:16 94,720 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2004-08-04 12:00:00 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2008-08-22 02:06:30 552,960 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2004-08-04 12:00:00 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-22 02:06:58 28,672 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00:00 22,016 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2008-08-22 02:08:00 43,008 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2004-08-04 12:00:00 29,184 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2008-08-22 02:04:54 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2004-08-04 12:00:00 3,003,392 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-22 02:09:32 5,699,584 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2004-08-04 12:00:00 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-22 02:05:08 70,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00:00 56,832 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2008-08-22 02:05:00 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2004-08-04 12:00:00 2,804,224 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
+ 2005-05-04 13:45:32 2,890,240 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
- 2004-08-04 12:00:00 77,312 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe
+ 2005-05-04 13:45:36 78,848 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe
- 2004-08-04 12:00:00 331,264 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll
+ 2005-05-04 13:45:36 271,360 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll
- 2004-08-04 12:00:00 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll
+ 2005-05-04 13:45:36 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll
- 2004-08-04 12:00:00 44,032 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
+ 2005-05-04 13:45:36 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
- 2004-08-04 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2008-08-22 01:57:56 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2004-08-04 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-22 02:07:50 193,536 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2004-08-04 12:00:00 530,432 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-22 02:05:34 630,272 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-04 12:00:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-08-22 02:07:50 116,224 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2004-08-04 12:00:00 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-22 02:05:14 45,056 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2004-08-04 12:00:00 1,483,264 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-06-12 10:27:52 1,497,088 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2004-08-04 12:00:00 473,600 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-06-12 10:27:52 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-06-12 10:27:56 134,144 -c----w C:\WINDOWS\system32\dllcache\sqmapi.dll
- 2004-08-04 12:00:00 37,888 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-08-22 02:07:58 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2004-08-04 12:00:00 601,088 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-22 02:08:22 1,206,784 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2008-08-22 02:06:36 434,176 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2004-08-04 12:00:00 848,384 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-08-22 02:07:20 755,200 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
- 2004-08-04 12:00:00 276,480 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-08-22 02:08:08 236,544 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2004-08-04 12:00:00 656,384 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-22 02:08:06 878,592 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-07-19 14:32:15 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-01-17 16:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2008-07-19 14:37:21 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
- 2004-08-04 12:00:00 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-22 02:05:16 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2004-08-04 12:00:00 201,728 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-22 02:05:10 217,088 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-10-07 17:03:25 134,072 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-20 01:09:18 142,032 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 1998-05-08 04:57:22 143,872 ------w C:\WINDOWS\system32\iacenc.dll
- 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-08-22 02:05:20 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
- 2006-06-29 08:05:44 26,112 -c----w C:\WINDOWS\system32\idndl.dll
+ 2008-06-12 10:27:42 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
- 2004-08-04 12:00:00 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-08-22 02:06:24 162,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-04 12:00:00 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-08-22 02:06:36 124,928 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2004-08-04 12:00:00 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-08-22 02:06:40 228,864 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2004-08-04 12:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-08-22 02:06:24 163,840 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2008-07-29 21:58:08 3,670,112 ----a-w C:\WINDOWS\system32\ieapfltr.dat
- 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-08-22 01:42:22 443,392 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2004-08-04 12:00:00 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-08-22 02:06:44 385,024 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-08-22 02:10:34 11,985,408 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2004-08-04 12:00:00 249,344 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-08-22 02:05:24 186,880 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2004-08-04 12:00:00 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-08-22 02:06:20 55,808 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-08-22 02:06:02 1,778,688 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-08-22 02:06:24 36,864 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-13 18:54:10 180,736 ------w C:\WINDOWS\system32\ieui.dll
+ 2008-08-22 01:58:12 181,760 ----a-w C:\WINDOWS\system32\ieui.dll
- 2004-08-04 12:00:00 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-08-22 02:06:16 94,720 ----a-w C:\WINDOWS\system32\inseng.dll
+ 1997-06-14 02:56:08 56,832 ------w C:\WINDOWS\system32\iyvu9_32.dll
- 2004-08-04 12:00:00 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2008-08-22 02:06:30 552,960 ----a-w C:\WINDOWS\system32\jscript.dll
- 2004-08-04 12:00:00 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-22 02:06:58 28,672 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-08-26 12:28:14 16,208,504 -c--a-w C:\WINDOWS\system32\MRT.exe
+ 2008-10-07 11:19:42 16,721,856 -c--a-w C:\WINDOWS\system32\MRT.exe
- 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-08-22 02:05:48 580,608 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-06-23 16:57:36 52,224 -c--a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-08-22 02:05:22 53,760 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-13 18:36:40 12,288 -c----w C:\WINDOWS\system32\msfeedssync.exe
+ 2008-08-22 02:05:22 13,312 ----a-w C:\WINDOWS\system32\msfeedssync.exe
- 2004-08-04 12:00:00 3,003,392 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-22 02:09:32 5,699,584 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2004-08-04 12:00:00 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-22 02:05:08 70,656 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 12:00:00 2,804,224 ----a-w C:\WINDOWS\system32\msi.dll
+ 2005-05-04 13:45:32 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
- 2004-08-04 12:00:00 77,312 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2005-05-04 13:45:36 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2004-08-04 12:00:00 331,264 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2005-05-04 13:45:36 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2004-08-04 12:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2005-05-04 13:45:36 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2004-08-04 12:00:00 44,032 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2005-05-04 13:45:36 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
- 2004-08-04 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-08-22 02:07:50 193,536 ----a-w C:\WINDOWS\system32\msrating.dll
- 2004-08-04 12:00:00 530,432 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-08-22 02:05:34 630,272 ----a-w C:\WINDOWS\system32\mstime.dll
- 2006-06-28 17:59:26 24,576 -c----w C:\WINDOWS\system32\nlsdl.dll
+ 2008-06-12 10:27:44 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
- 2006-06-29 08:05:44 23,552 ------w C:\WINDOWS\system32\normaliz.dll
+ 2008-06-12 10:27:42 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
- 2004-08-04 12:00:00 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-08-22 02:07:50 116,224 ----a-w C:\WINDOWS\system32\occache.dll
- 2004-08-04 12:00:00 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-22 02:05:14 45,056 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-04 12:00:00 1,483,264 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-06-12 10:27:52 1,497,088 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2004-08-04 12:00:00 473,600 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-06-12 10:27:52 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-06-12 10:27:58 16,928 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-08-10 19:46:18 26,488 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2008-06-12 10:27:58 26,144 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2004-08-04 12:00:00 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-08-22 02:07:58 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2004-08-04 12:00:00 601,088 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-22 02:08:22 1,206,784 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 12:00:00 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-08-22 02:08:08 236,544 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-13 18:45:16 206,336 -c----w C:\WINDOWS\system32\WinFXDocObj.exe
+ 2008-08-22 02:08:22 208,384 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe
- 2008-04-14 00:12:11 121,856 ------w C:\WINDOWS\system32\xmllite.dll
+ 2008-06-12 10:28:02 121,856 ----a-w C:\WINDOWS\system32\xmllite.dll
+ 2008-10-20 12:22:47 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6cc.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-03 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 13529088]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2008-05-03 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\MBI\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-06-19 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WebEye\\WebEye.exe"=
"C:\\Games\\SwiftSwitch\\SwiftSwitch.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Counter-Strike\\hl.exe"=
"C:\\Program Files\\Counter-Strike\\hlds.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Games\\FlatOut2\\FlatOut2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
S1 ensqio;ensqio;C:\WINDOWS\system32\DRIVERS\ensqio.sys [ ]
S1 sbpcint4;SB PCI128;C:\WINDOWS\system32\DRIVERS\sbpcint4.sys [ ]
S3 BAGNP;BAGNP;C:\DOCUME~1\MBI\LOCALS~1\Temp\BAGNP.exe [ ]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 88624]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 18704]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 86432]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 90800]
S4 KHGCCI;KHGCCI;C:\DOCUME~1\MBI\LOCALS~1\Temp\KHGCCI.exe [ ]
S4 KPKXTQY;KPKXTQY;C:\DOCUME~1\MBI\LOCALS~1\Temp\KPKXTQY.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87733064-5686-11dd-8744-000c768ee581}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f69c9872-185b-11dd-b80d-806d6172696f}]
\Shell\AutoRun\command - F:\Launch.exe

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\MBI\Application Data\Mozilla\Firefox\Profiles\irz4lwdy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 13:51:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MBI\LOCALS~1\Temp\RGI1.tmp


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
Completion time: 2008-10-20 13:55:36
ComboFix-quarantined-files.txt 2008-10-20 12:54:30
ComboFix2.txt 2008-10-18 16:31:57

Pre-Run: 24,186,310,656 bytes free
Post-Run: 24,597,430,272 bytes free

503 --- E O F --- 2008-10-20 06:07:01

I also would like to see the log from Smitfraudfix that you ran. It is listed here.
C:\rapport.txt


SmitFraudFix v2.356

Scan done at 16:03:10.20, Sat 10/18/2008
Run from C:\Documents and Settings\MBI\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\MBI


C:\Documents and Settings\MBI\Application Data


Start Menu


C:\DOCUME~1\MBI\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBD5DE83-4275-4184-9A94-328B78CA0972}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DBD5DE83-4275-4184-9A94-328B78CA0972}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBD5DE83-4275-4184-9A94-328B78CA0972}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DBD5DE83-4275-4184-9A94-328B78CA0972}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End

HJT Report in next post -->

#22 DJohn

DJohn
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:Motherwell

Posted 04 November 2008 - 12:45 PM

I also need to see a startup list using Hijackthis...


StartupList report, 11/4/2008, 5:43:12 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\hijackthis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18241)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\MBI\Start Menu\Programs\Startup]
OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
snpstd3 = C:\WINDOWS\vsnpstd3.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIEActiveSetup SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - (no file) - {A057A204-BACC-4D26-9990-79A187E2698E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/8/b...heckControl.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
aswFsBlk: system32\DRIVERS\aswFsBlk.sys (autostart)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
atksgt: system32\DRIVERS\atksgt.sys (autostart)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
BAGNP: C:\DOCUME~1\MBI\LOCALS~1\Temp\BAGNP.exe (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cardex: \??\C:\WINDOWS\system32\drivers\TBPANEL.SYS (manual start)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: system32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)
ensqio: system32\DRIVERS\ensqio.sys (system)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HSFHWBS2: system32\DRIVERS\HSFBS2S2.sys (manual start)
HSF_DP: system32\DRIVERS\HSFDPSP2.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
KHGCCI: C:\DOCUME~1\MBI\LOCALS~1\Temp\KHGCCI.exe (disabled)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
KPKXTQY: C:\DOCUME~1\MBI\LOCALS~1\Temp\KPKXTQY.exe (disabled)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
lirsgt: system32\DRIVERS\lirsgt.sys (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Driver for MagicISO SCSI Host Controller: system32\DRIVERS\mcdbus.sys (manual start)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NBService: C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
NMIndexingService: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
pavboot: system32\drivers\pavboot.sys (system)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PfModNT: \??\C:\WINDOWS\system32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
ProtexisLicensing: "C:\Program Files\Common Files\Protexis\License Service\PSIService.exe" (disabled)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Protexis Licensing V2: "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SB PCI128: system32\DRIVERS\sbpcint4.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sony Ericsson Device 068 driver (WDM): system32\DRIVERS\se44bus.sys (manual start)
Sony Ericsson Device 068 USB WMC Modem Filter: system32\DRIVERS\se44mdfl.sys (manual start)
Sony Ericsson Device 068 USB WMC Modem Driver: system32\DRIVERS\se44mdm.sys (manual start)
Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM): system32\DRIVERS\se44mgmt.sys (manual start)
Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS): system32\DRIVERS\se44nd5.sys (manual start)
Sony Ericsson Device 068 USB WMC OBEX Interface: system32\DRIVERS\se44obex.sys (manual start)
Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM): system32\DRIVERS\se44unic.sys (manual start)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): system32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver (version 2.x): system32\drivers\sfhlp02.sys (system)
SF FrontLine Drivers Auto Removal (v1): %SystemRoot%\system32\sfrem01.exe svc (autostart)
StarForce Protection Synchronization Driver (version 4.x): system32\drivers\sfsync04.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
USB PC Camera (SNPSTD3): system32\DRIVERS\snpstd3.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
StarWind AE Service: C:\Programy\Alcohol 120\StarWind\StarWindServiceAE.exe (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{EC37A50F-2BFD-4F5D-9F6D-AA8CFBE15350} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\Windows Live\Messenger\usnsvc.exe" (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Vinyl AC'97 Audio Controller (WDM): system32\drivers\vinyl97.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
winachsf: system32\DRIVERS\HSFCXTS2.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Live Setup Service: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe" (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
wpsdrvnt: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 36,309 bytes
Report generated in 0.375 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
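
Reading a services dump like the one above by eye is slow, and the entries that actually matter in it are easy to miss among the hundred-odd legitimate drivers: BAGNP, KHGCCI and KPKXTQY, three services with meaningless names whose binaries sit in the user's Temp folder. The script below is an added example for this thread, not code from the page or from the StartupList tool; it parses the "Enumerating Windows NT/2000/XP services" section of such a report and flags entries whose image path points into a temporary directory or a user profile, which a Windows service has no business doing. The sample report is constructed from a handful of lines in the posted log; the marker lists and function names are my own.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a few lines in the format of the StartupList
# "Enumerating Windows NT/2000/XP services" section, including the three
# Temp-folder services that appear in the posted log.
SAMPLE_LOG = r"""Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
BAGNP: C:\DOCUME~1\MBI\LOCALS~1\Temp\BAGNP.exe (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
KHGCCI: C:\DOCUME~1\MBI\LOCALS~1\Temp\KHGCCI.exe (disabled)
KPKXTQY: C:\DOCUME~1\MBI\LOCALS~1\Temp\KPKXTQY.exe (disabled)
Vinyl AC'97 Audio Controller (WDM): system32\drivers\vinyl97.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------
"""

# One service line: "<display name>: <image path and arguments> (<start type>)".
# The name is matched lazily so a ": " inside the image path cannot split it.
SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<image>.+) \((?P<start>[^()]+)\)$")

# Path fragments (lower-cased) that no legitimate service binary should contain.
# These are my own heuristics, not something the StartupList tool checks.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")
PROFILE_DIR_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")


class Service(NamedTuple):
    name: str
    image: str
    start: str


def parse_services(report: str) -> List[Service]:
    """Extract the service entries from the services section of a StartupList report."""
    services: List[Service] = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Enumerating Windows NT/2000/XP services"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-----"):  # separator that closes the section
            break
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m["name"], m["image"], m["start"]))
    return services


def suspicious_reasons(svc: Service) -> List[str]:
    """Return why this entry deserves a closer look, or an empty list if it looks normal."""
    image = svc.image.lower()
    reasons: List[str] = []
    if any(marker in image for marker in TEMP_DIR_MARKERS):
        reasons.append("image lives in a temporary directory")
    if any(marker in image for marker in PROFILE_DIR_MARKERS):
        reasons.append("image lives under a user profile")
    # A disabled entry still proves something registered a service from that
    # location; the registry key and the binary should both be removed.
    if reasons and svc.start == "disabled":
        reasons.append("disabled, but the registry entry still exists")
    return reasons


def flag_services(report: str) -> List[Tuple[Service, List[str]]]:
    """Pair each suspicious service with the reasons it was flagged."""
    flagged = []
    for svc in parse_services(report):
        reasons = suspicious_reasons(svc)
        if reasons:
            flagged.append((svc, reasons))
    return flagged


if __name__ == "__main__":
    for svc, reasons in flag_services(SAMPLE_LOG):
        print(f"{svc.name} [{svc.start}] {svc.image}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it against a full report saved from the tool and the three Temp-folder services are the only lines it prints. The heuristics are deliberately narrow so that drivers with terse names such as aswFsBlk or sptd, which live under system32, are not reported; widen the marker lists if the environment places legitimate services elsewhere.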

#23 DJohn

DJohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Motherwell
  • Local time:12:49 AM

Posted 04 November 2008 - 12:49 PM

Hi DJohn

I can't access my photographs folder on my desktop

While I'm waiting to get my next post OK'ed, answer a couple of questions.

When you were able to open it did it open with a program? Like Windows Picture viewer or one of your photo programs?

If you right click on the folder and click properties under Attributes what is checked?

Is the folder on your Desktop the original folder or a shortcut?

Thanks
maranatha


Thanks Maranatha!

I was looking at the attributes of the folder, nothing suspicious, but when I opened another tab I realised it's been trying to open it as "photo-folder", which in fact was too much for my computer since there are 3GB of photos. So I changed that to "open as data folder" and now it works. Again, big THANKS. ^^

#24 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:49 PM

Posted 05 November 2008 - 07:54 PM

Hi Djohn.

Marantha has some problems he needs to deal with. I'll be helping you instead.
Please give me a while to review this whole thread and get an overview of what's going on so far.

I'll get back to you as soon as possible. Please be patient :thumbsup:

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#25 DJohn

DJohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Motherwell
  • Local time:12:49 AM

Posted 06 November 2008 - 12:29 PM

Thanks Extremeboy!

Take as much time as you need(it's a bit of a mess, the least I can do is to give you time eh? ^^).

P.S. His name is Maranatha not Marantha :thumbsup:

#26 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:49 PM

Posted 06 November 2008 - 12:33 PM

Hi.

P.S. His name is Maranatha not Marantha

Okay, I'm sorry. What can I do, sometimes I'm always in a rush. :thumbsup:

Maranatha has some problems he needs to deal with. I'll be helping you instead. :)

The coaches need to check my work, so there may be some delays. From what I've seen so far, things look very messy and confusing..

Be Patient and I'll be back.

With Regards,
Extremeboy

#27 DJohn

DJohn
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Motherwell
  • Local time:12:49 AM

Posted 06 November 2008 - 05:23 PM

As I said, take your time :thumbsup:

About that rush thing. I know the feeling :D. I am moving house on 15th of November, my computer is still messed up and I am working day/night shifts. Believe me, I know how it is to be in a rush ;).

BTW I might not have an Internet connection for some time after I move house. I don't mind whether the job on my computer will be done before or after I move to a new house.

With REGARDS,

DJOHN

#28 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:49 PM

Posted 06 November 2008 - 05:50 PM

Hi DJohn.

I am moving house on 15th of November, my computer is still messed up and I am working day/night shifts. Believe me, I know how it is to be in a rush ;).

Sometimes we are all in a rush. Hopefully we can get your computer sorted before you move :thumbsup:. You must be cramping trying to pack everything up, I know how that feels, I experienced that last year ;).

BTW I might not have an Internet connection for some time after I move house. I don't mind whether the job on my computer will be done before or after I move to a new house.

In case we don't finish up before you move, and depending on how long you don't have the internet connection, the topic might need to be closed, but you can always re-open it by sending me a PM and I'll tell the coaches to do it for you. :)

Thanks for understanding and I'll be back ASAP.

With Regards,
Extremeboy

#29 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:49 PM

Posted 07 November 2008 - 08:12 AM

Hi again.

Sorry about that delay. I took a read over the thread, seemed very complicated.

I want to see a logfile from Combofix.

Please navigate to the folder C:\Qoobox.
In the Qoobox folder look for a file called "ComboFix-quarantined-files.txt".

Post the Contents of that log in your next reply.


I saw that the version you were running with Combofix was outdated. Please delete the copy of Combofix.exe you have on your desktop.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Double click on Combofix.exe to run it. Follow the prompts and once it is done post the results back. The log can be found in C:\Combofix.txt


Did you run Flash_Drive Disinfector? It seems it didn't work. Also, did you do Maranatha's reg fix in post #9?

Anyway, let's try it again. If you lost your copy of Flash_Drive Disinfector it can be found below.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Now I would like a nice list of problems you are still receiving, so I have an idea of what's going on.

Post back with:

-ComboFix-quarantined-files.txt
-Combofix log
-Nice list of Problems you are having
-Fresh RSIT log


Thanks :thumbsup:

With Regards,
Extremeboy
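
The note about Flash_Disinfector above describes a simple but effective trick: an autorun.inf that already occupies the drive root as a directory stops a worm from writing its own autorun.inf file there, so the drive can no longer carry an auto-launching payload to the next machine. As an added example (not the tool's own code and not from the post), the script below shows both halves of that picture from the defender's side: it classifies what sits at `<drive>\autorun.inf` (protective directory, real file, or nothing) and, for a real file, extracts the directives that would actually launch a program, so a technician can tell a harmless icon/label file from one that starts an executable. The sample autorun.inf content, the function names and the classification labels are my own; how the tool sets the directory's attributes is not on the page and is not modelled here.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Directives in an [autorun] section that cause something to execute when the
# drive is inserted or double-clicked, as opposed to cosmetic ones (icon=, label=).
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of a suspicious autorun.inf; the paths are placeholders.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not copied from any real drive
icon=pictures.ico
label=Holiday photos
open=hidden\photos_placeholder.exe
shell\explore\command=hidden\photos_placeholder.exe -e
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section into a lower-cased key -> value mapping."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(text: str) -> List[Tuple[str, str]]:
    """Return the directives that would run a program: open=, shellexecute=
    and any shell\\<verb>\\command= entry (the verbs show up in the context menu)."""
    hits: List[Tuple[str, str]] = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def classify_autorun(drive_root: str) -> str:
    """Describe what occupies <drive_root>\\autorun.inf.

    'placeholder' - a directory holds the name, so a file cannot be written there
    'file'        - a real autorun.inf is present and should be inspected
    'absent'      - nothing there
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "placeholder"
    if os.path.isfile(path):
        return "file"
    return "absent"


def inspect_drive(drive_root: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Classify the drive root and, for a real file, list its launch directives."""
    state = classify_autorun(drive_root)
    if state != "file":
        return state, []
    with open(os.path.join(drive_root, "autorun.inf"), "r", errors="replace") as fh:
        return state, launch_directives(fh.read())


def demo_classification() -> Tuple[str, str, str]:
    """Build three throw-away 'drive roots' and classify each (used for the demo below)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected")
        os.makedirs(os.path.join(protected, "autorun.inf"))  # directory, as the tool leaves
        suspect = os.path.join(root, "suspect")
        os.makedirs(suspect)
        with open(os.path.join(suspect, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        clean = os.path.join(root, "clean")
        os.makedirs(clean)
        return (classify_autorun(protected), classify_autorun(suspect), classify_autorun(clean))


if __name__ == "__main__":
    print(demo_classification())
    for key, value in launch_directives(SAMPLE_AUTORUN):
        print(f"launch directive: {key} = {value}")
```

On a live machine `inspect_drive("E:\\")` gives the same answer for a real removable drive; a result of `("file", [])` means the autorun.inf only sets an icon or label, while any listed directive names a program the drive would try to start. The protective directory never reaches the parser at all, which is exactly the point of leaving it in place.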

#30 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:49 PM

Posted 10 November 2008 - 12:24 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5 days the topic will need to be closed.

Thanks for understanding. :thumbsup:

With Regards,
Extremeboy
