
New Build XP SP3 - VirusRemover2008 infection :-(


16 replies to this topic

#1 londonliving


  • Members
  • 145 posts
  • Gender:Male

Posted 21 October 2008 - 11:36 AM

Previous entry:

http://www.bleepingcomputer.com/forums/top...tml#entry981614

-----------
KASPERSKY SCAN:

Tuesday, October 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 21, 2008 13:35:48
Records in database: 1331601
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
A:\
C:\
D:\
I:\
J:\
Scan statistics
Files scanned: 103856
Threat name: 7
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 02:18:25

File name Threat name Threats count
winlogon.exe\awtsTMGX.dll/winlogon.exe\awtsTMGX.dll Infected: Trojan.Win32.Monderb.gjo 1
C:\WINDOWS\system32\grgdsvwx.dll/C:\WINDOWS\system32\grgdsvwx.dll Infected: Packed.Win32.PolyCrypt.d 1
C:\WINDOWS\system32\vefqmo.dll/C:\WINDOWS\system32\vefqmo.dll Infected: Packed.Win32.PolyCrypt.d 4
C:\Documents and Settings\User\Local Settings\Temp\install45.exe Infected: Trojan-Dropper.Win32.Agent.pt 1
C:\Documents and Settings\User\Local Settings\Temp\pwrmgr.exe Infected: Trojan.Win32.BHO.hdo 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\I9AJU1GV\nd82m0[1] Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ILWB2Z6V\TotalSecure2009[1].exe Infected: Trojan.Win32.BHO.hdo 1
C:\Program Files\Alcohol Soft\Alcohol 120\Register.exe Infected: Trojan-Dropper.Win32.Agent.adw 1
C:\Program Files\ESET\infected\KRKB01DA.NQF Infected: Backdoor.Win32.Rbot.gen 1
C:\Reference Lib\_Mike Filsame\textwiz\textwiz.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ar 1
C:\Reference Lib\_Mike Filsame\textwiz.zip Infected: not-a-virus:AdWare.Win32.SaveNow.ar 1
C:\WINDOWS\system32\grgdsvwx.dll Infected: Packed.Win32.PolyCrypt.d 1
C:\WINDOWS\system32\vefqmo.dll Infected: Packed.Win32.PolyCrypt.d 1



#2 londonliving

  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 23 October 2008 - 06:06 AM

OK.

List of things done:

Googled some of the files from a different machine.

Major Geeks download of MalwareBytes Anti-malware caused an amazing set of complaints from whatever was infecting.
http://forums.majorgeeks.com/showthread.php?t=139313

After running this I had access to My Computer, Programs and My Documents :thumbsup:

Also allowed me to run Windows Update - around 26 missing core features - excluding the 'extras' :)

Ran:
  • Adaware
  • Spybot Search and Destroy
  • Super AntiSpyware
  • NOD32 Full Scan
  • Kaspersky Online Scanner (twice more!)

Not certain if all is clean, but think it might be.

Here is an updated HJT log file to see if this is the case.

All help appreciated.

thanks

---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:15, on 23/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Firefox 3\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://megauplinkbindinstaller.com/install...190&name=ts
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {04EAD768-27C6-41B1-B064-C5446A89A953} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224615040796
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 8351 bytes

#3 londonliving

  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 29 October 2008 - 07:51 AM

Ran ComboFix as some icons are not right and performance is lower than expected.

It couldn't download a newer version for some reason.

ComboFix File below:

=============

ComboFix 08-10-29.04 - User 2008-10-29 12:34:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.224 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Resident AV is active

.
/wow section - STAGE 32
Access is denied.
The system cannot find the file temp0200.
Access is denied.
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.
The system cannot find the file temp3100.
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.
SED: can't read temp3100: Permission denied
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\egme.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-10-28 17:35 . 2008-10-28 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-10-28 13:53 . 2008-10-28 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-10-28 13:52 . 2008-10-28 17:25 <DIR> d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-10-28 12:55 . 2008-10-28 17:33 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-10-27 13:00 . 2008-10-27 13:00 <DIR> d-------- C:\Documents and Settings\User\Application Data\vlc
2008-10-27 10:05 . 2008-10-27 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-26 16:05 . 2008-10-26 16:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-26 16:05 . 2008-10-26 16:05 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-10-26 16:05 . 2008-06-10 13:04 31,048 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-10-26 14:41 . 2008-10-26 14:41 <DIR> d-------- C:\WINDOWS\Performance
2008-10-26 14:40 . 2008-10-26 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-10-26 14:39 . 2008-10-26 14:39 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2008-10-26 13:12 . 2008-10-26 13:12 <DIR> d-------- C:\Program Files\Intel
2008-10-26 13:09 . 2007-07-31 17:11 86,016 --a------ C:\WINDOWS\system32\DellSPMsg.dll
2008-10-24 16:53 . 2008-10-24 16:53 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- C:\5b6662e58b646c50bd88b1ad
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 --------- C:\WINDOWS\system32\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 10:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-10-24 16:52 . 2008-07-06 12:06 575,488 --------- C:\WINDOWS\system32\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 117,760 --------- C:\WINDOWS\system32\prntvpt.dll
2008-10-24 16:52 . 2008-07-06 12:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-10-24 16:51 . 2008-10-25 09:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-24 16:44 . 2008-10-24 19:51 <DIR> d-------- C:\e5413faf2eb5f506a54721227b9a
2008-10-24 15:53 . 2008-06-24 17:45 113,896 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-10-24 08:12 . 2008-10-15 16:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 15:13 . 2008-10-22 15:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-22 15:12 . 2008-10-22 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-22 14:01 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-22 14:01 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-21 21:04 . 2008-10-22 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 19:31 . 2008-10-21 19:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-21 18:35 . 2005-10-14 13:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-10-21 18:32 . 2008-10-21 18:32 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-21 18:30 . 2008-10-21 18:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-21 18:28 . 2008-10-03 17:41 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-21 18:28 . 2007-04-17 09:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-21 18:28 . 2007-03-08 05:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-21 18:28 . 2008-08-26 07:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-21 18:28 . 2008-08-26 07:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-21 18:28 . 2008-08-26 07:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-21 18:28 . 2008-08-26 07:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-21 18:28 . 2008-08-26 07:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-21 18:28 . 2008-08-25 08:38 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-10-21 18:15 . 2008-10-21 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-10-21 18:15 . 2008-08-14 10:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-21 18:15 . 2008-08-14 10:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-21 18:15 . 2008-09-15 12:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-21 18:15 . 2008-09-08 10:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-21 18:14 . 2008-04-11 19:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-21 18:14 . 2008-05-01 14:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-21 18:13 . 2008-06-13 11:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-21 18:13 . 2008-05-08 14:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-21 18:03 . 2008-10-24 08:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 17:47 . 2008-10-22 15:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 17:41 . 2008-10-21 17:41 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-21 16:47 . 2008-10-24 15:53 <DIR> d-------- C:\Program Files\Security
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-16 19:36 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 16:47 . 2008-10-16 19:36 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-21 15:58 . 2008-10-29 09:00 <DIR> d-------- C:\Program Files\Firefox 3
2008-10-21 13:49 . 2008-10-21 13:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 13:31 . 2008-10-21 13:31 <DIR> d-------- C:\WINDOWS\Sun
2008-10-21 13:29 . 2008-10-21 13:29 <DIR> d-------- C:\Program Files\Java
2008-10-21 13:29 . 2008-06-10 01:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-21 13:26 . 2008-10-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-21 13:15 . 2008-10-21 13:15 <DIR> d--hs---- C:\Documents and Settings\User\UserData
2008-10-18 15:55 . 2008-10-18 15:55 <DIR> d-------- C:\Documents and Settings\User\Application Data\phpDesigner 2008
2008-10-18 15:54 . 2008-10-18 15:59 <DIR> d-------- C:\Program Files\phpDesigner 2008
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- C:\Program Files\Common Files\Altova
2008-10-18 14:53 . 2008-10-18 15:02 <DIR> d-------- C:\Program Files\Altova
2008-10-18 14:52 . 2008-10-18 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Altova
2008-10-18 14:46 . 2008-10-18 14:47 <DIR> d-------- C:\Program Files\SequoiaView
2008-10-18 14:44 . 2008-10-18 14:44 <DIR> d-------- C:\Program Files\Database Tools
2008-10-18 14:44 . 2006-04-13 10:30 1,073,152 --a------ C:\WINDOWS\system32\libmysql_c.dll
2008-10-18 14:39 . 2008-10-18 14:39 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2008-10-18 14:32 . 2008-10-18 14:32 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-16 17:18 . 2008-10-16 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-10-16 17:12 . 2008-10-29 09:00 <DIR> d-------- C:\Program Files\QuickTime
2008-10-16 17:07 . 2007-02-20 15:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-10-16 17:07 . 2007-02-20 15:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-10-16 17:00 . 2008-10-16 17:00 <DIR> d-------- C:\Program Files\Bonjour
2008-10-15 17:56 . 2008-10-15 17:56 <DIR> d-------- C:\Documents and Settings\User\Application Data\SYSTRAN
2008-10-15 17:06 . 2008-10-15 17:06 <DIR> d-------- C:\Program Files\Faronics
2008-10-15 16:28 . 2008-10-15 16:29 <DIR> d-------- C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Program Files\Ipswitch
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\Ipswitch
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-10-15 16:28 . 2006-07-25 06:46 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-15 16:28 . 2006-07-25 06:42 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-10-15 16:28 . 2006-07-25 06:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-15 16:28 . 2006-07-25 06:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-10-15 16:28 . 2006-07-25 06:42 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-10-15 16:16 . 2008-10-15 16:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Talkback
2008-10-15 16:16 . 2008-10-15 16:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-15 16:03 . 2008-10-15 16:03 <DIR> d-------- C:\Documents and Settings\User\Application Data\Leadertech
2008-10-15 16:02 . 2008-10-18 14:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-10-15 16:02 . 2008-10-28 17:35 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-10-15 15:56 . 2003-06-25 15:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-10-15 15:56 . 2002-06-21 14:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-10-15 15:48 . 2006-10-26 18:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-10-15 15:47 . 2008-10-15 15:47 <DIR> d-------- C:\Program Files\Microsoft Works
2008-10-15 15:47 . 2006-10-26 18:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-10-15 15:46 . 2008-10-24 16:53 <DIR> d-------- C:\Program Files\MSBuild
2008-10-15 15:43 . 2008-10-15 15:52 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-10-15 15:43 . 2008-10-21 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-15 15:42 . 2008-10-15 15:42 <DIR> dr-h----- C:\MSOCache
2008-10-15 15:18 . 2008-10-15 15:18 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-10-15 15:18 . 2004-08-23 12:20 158,720 --a------ C:\WINDOWS\system32\drivers\a347bus.sys
2008-10-15 15:18 . 2004-04-30 08:33 5,248 --a------ C:\WINDOWS\system32\drivers\a347scsi.sys
2008-10-15 15:13 . 2008-10-28 17:33 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-10-15 15:09 . 2008-10-15 15:13 <DIR> d-------- C:\Icons
2008-10-15 15:00 . 2008-10-15 15:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 13:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-15 07:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-29 20:10 73,720 ----a-w C:\WINDOWS\system32\dxva2.dll
2008-07-29 20:10 493,048 ----a-w C:\WINDOWS\system32\evr.dll
2008-07-29 20:10 26,112 ----a-w C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 18:59 781,344 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 18:59 43,544 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 18:59 161,296 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 18:59 105,016 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 18:24 97,800 ----a-w C:\WINDOWS\system32\infocardapi.dll
2008-07-29 18:24 622,080 ----a-w C:\WINDOWS\system32\icardagt.exe
2008-07-29 18:24 11,264 ----a-w C:\WINDOWS\system32\icardres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-10-15 949376]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-10-16 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\Security\SuperAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-06-24 113896]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFB867B-0BA0-4B37-A370-E4B4A02EC792}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {BAFB867B-0BA0-4B37-A370-E4B4A02EC792}
.
Contents of the 'Scheduled Tasks' folder

2008-10-29 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-27 06:59]

2008-10-28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{04EAD768-27C6-41B1-B064-C5446A89A953} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\
FF -: plugin - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}\plugins\npagent.dll
FF -: plugin - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 12:36:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-29 12:40:21
ComboFix-quarantined-files.txt 2008-10-29 12:39:19

Pre-Run: 17,912,225,792 bytes free
Post-Run: 17,899,204,608 bytes free

274 --- E O F --- 2008-10-24 08:14:38



#4 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 03 November 2008 - 02:26 AM

Hi guys

Still waiting on a response and notice the 'bump after 5 days' reminder thread is not working anymore...

I understand you are busy - and providing a great service at no charge - so all your efforts are appreciated! :) :) :thumbsup:

As I must proceed with installing onto this potentially infected machine :) let me know when to post a new HijackThis log and I will suspend the process.

Thanks again for all your efforts

LL

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 November 2008 - 10:47 AM

Hello londonliving,


Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 05 November 2008 - 01:26 PM

Hi there

Thanks for getting back.

I will post a new log up, currently away from the machine but expect to be back tomorrow.

Some extra installs, but nothing terribly massive.

Cheers

LL

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 November 2008 - 01:35 PM

Okie dokie. Post when you're ready. :thumbsup:

tea

#8 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 06 November 2008 - 06:22 PM

Log Below. (ComboFix)

As an aside, Acrobat won't launch in FF3 - may be a red herring though! 512Mb RAM
:thumbsup:

-------------------------------------------------------------------------------------------------

ComboFix 08-10-29.04 - User 2008-11-06 23:04:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.216 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 17:33 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-11-05 17:32 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-11-05 17:28 . 2008-11-05 17:32 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-11-05 17:28 . 2008-11-05 17:28 <DIR> d-------- C:\Program Files\Samsung
2008-11-05 17:28 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-11-04 11:04 . 2008-11-06 12:56 <DIR> d-------- C:\Program Files\FairUse Wizard 2
2008-11-03 11:22 . 2008-11-03 18:38 <DIR> d-------- C:\Documents and Settings\User\dwhelper
2008-11-03 08:13 . 2008-04-14 05:42 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2008-11-03 08:13 . 2008-04-14 05:42 151,552 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-11-03 08:13 . 2008-04-14 05:41 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2008-11-03 08:13 . 2008-04-14 05:41 28,160 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2008-11-03 08:13 . 2008-04-14 05:42 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-11-03 08:13 . 2008-04-14 05:42 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-10-31 11:48 . 2008-10-31 11:48 <DIR> d-------- C:\Program Files\western civilisation
2008-10-31 11:48 . 2008-10-31 11:48 <DIR> d-------- C:\Program Files\CSS Tools
2008-10-30 08:47 . 2008-10-30 08:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\vlc
2008-10-29 17:33 . 2008-10-29 17:33 <DIR> d-------- C:\Documents and Settings\User\Application Data\dvdcss
2008-10-29 12:58 . 2008-10-29 12:58 <DIR> d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-29 08:59 . 2008-10-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-10-28 17:35 . 2008-10-28 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-10-28 13:53 . 2008-10-28 13:53 <DIR> d-------- C:\Program Files\uTorrent
2008-10-28 13:52 . 2008-10-31 11:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-10-28 12:55 . 2008-10-31 12:33 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-10-27 10:05 . 2008-10-27 10:05 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-26 16:05 . 2008-10-26 16:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-26 16:05 . 2008-10-26 16:05 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-10-26 16:05 . 2008-06-10 13:04 31,048 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-10-26 14:41 . 2008-10-26 14:41 <DIR> d-------- C:\WINDOWS\Performance
2008-10-26 14:40 . 2008-10-26 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-10-26 14:39 . 2008-10-26 14:39 <DIR> d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2008-10-26 13:12 . 2008-10-26 13:12 <DIR> d-------- C:\Program Files\Intel
2008-10-26 13:09 . 2007-07-31 17:11 86,016 --a------ C:\WINDOWS\system32\DellSPMsg.dll
2008-10-24 16:53 . 2008-10-24 16:53 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- C:\5b6662e58b646c50bd88b1ad
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 --------- C:\WINDOWS\system32\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 10:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-10-24 16:52 . 2008-07-06 12:06 575,488 --------- C:\WINDOWS\system32\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 117,760 --------- C:\WINDOWS\system32\prntvpt.dll
2008-10-24 16:52 . 2008-07-06 12:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-10-24 16:51 . 2008-10-25 09:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-24 16:44 . 2008-10-24 19:51 <DIR> d-------- C:\e5413faf2eb5f506a54721227b9a
2008-10-24 15:53 . 2008-06-24 17:45 113,896 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-10-24 08:12 . 2008-10-15 16:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-22 15:13 . 2008-10-22 15:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-22 15:12 . 2008-10-22 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-22 14:01 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-22 14:01 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-21 21:04 . 2008-10-22 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 19:31 . 2008-10-21 19:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-21 18:35 . 2005-10-14 13:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-10-21 18:32 . 2008-10-21 18:32 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-21 18:30 . 2008-10-21 18:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-21 18:28 . 2008-10-03 17:41 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-21 18:28 . 2007-04-17 09:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-10-21 18:28 . 2007-03-08 05:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-10-21 18:28 . 2008-08-26 07:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-10-21 18:28 . 2008-08-26 07:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-10-21 18:28 . 2008-08-26 07:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-10-21 18:28 . 2008-08-26 07:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-10-21 18:28 . 2008-08-26 07:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-10-21 18:28 . 2008-08-25 08:38 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-10-21 18:15 . 2008-10-21 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-10-21 18:15 . 2008-08-14 10:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-21 18:15 . 2008-08-14 10:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-21 18:15 . 2008-09-15 12:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-21 18:15 . 2008-09-08 10:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-21 18:14 . 2008-04-11 19:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-21 18:14 . 2008-05-01 14:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-21 18:13 . 2008-05-08 14:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-21 18:03 . 2008-10-24 08:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 17:47 . 2008-10-22 15:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-21 17:41 . 2008-10-21 17:41 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-21 16:47 . 2008-10-24 15:53 <DIR> d-------- C:\Program Files\Security
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-16 19:36 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 16:47 . 2008-10-16 19:36 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 15:58 . 2008-11-06 21:39 <DIR> d-------- C:\Program Files\Firefox 3
2008-10-21 13:49 . 2008-10-21 13:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 13:31 . 2008-10-21 13:31 <DIR> d-------- C:\WINDOWS\Sun
2008-10-21 13:29 . 2008-10-21 13:29 <DIR> d-------- C:\Program Files\Java
2008-10-21 13:29 . 2008-06-10 01:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-21 13:26 . 2008-10-21 13:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-21 13:15 . 2008-10-21 13:15 <DIR> d--hs---- C:\Documents and Settings\User\UserData
2008-10-18 15:55 . 2008-10-18 15:55 <DIR> d-------- C:\Documents and Settings\User\Application Data\phpDesigner 2008
2008-10-18 15:54 . 2008-10-18 15:59 <DIR> d-------- C:\Program Files\phpDesigner 2008
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- C:\Program Files\Common Files\Altova
2008-10-18 14:53 . 2008-10-18 15:02 <DIR> d-------- C:\Program Files\Altova
2008-10-18 14:52 . 2008-10-18 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Altova
2008-10-18 14:46 . 2008-10-18 14:47 <DIR> d-------- C:\Program Files\SequoiaView
2008-10-18 14:44 . 2008-10-18 14:44 <DIR> d-------- C:\Program Files\Database Tools
2008-10-18 14:44 . 2006-04-13 10:30 1,073,152 --a------ C:\WINDOWS\system32\libmysql_c.dll
2008-10-18 14:39 . 2008-10-18 14:39 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2008-10-18 14:32 . 2008-10-18 14:32 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-16 17:18 . 2008-10-16 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-10-16 17:12 . 2008-10-29 09:00 <DIR> d-------- C:\Program Files\QuickTime
2008-10-16 17:07 . 2007-02-20 15:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-10-16 17:07 . 2007-02-20 15:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-10-16 17:00 . 2008-10-16 17:00 <DIR> d-------- C:\Program Files\Bonjour
2008-10-15 17:56 . 2008-10-15 17:56 <DIR> d-------- C:\Documents and Settings\User\Application Data\SYSTRAN
2008-10-15 17:06 . 2008-10-15 17:06 <DIR> d-------- C:\Program Files\Faronics
2008-10-15 16:28 . 2008-10-15 16:29 <DIR> d-------- C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Program Files\Ipswitch
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\Ipswitch
2008-10-15 16:28 . 2008-10-15 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-10-15 16:28 . 2006-07-25 06:46 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-10-15 16:28 . 2006-07-25 06:42 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-10-15 16:28 . 2006-07-25 06:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-15 16:28 . 2006-07-25 06:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-10-15 16:28 . 2006-07-25 06:42 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-10-15 16:16 . 2008-10-15 16:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Talkback
2008-10-15 16:16 . 2008-10-15 16:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-15 16:03 . 2008-10-15 16:03 <DIR> d-------- C:\Documents and Settings\User\Application Data\Leadertech
2008-10-15 16:02 . 2008-10-18 14:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-15 07:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-29_12.38.51.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-31 11:48:20 65,536 ----a-r C:\WINDOWS\Installer\{90381EFF-A3F1-42FB-8CF5-E3C941DC0548}\ARPPRODUCTICON.exe
+ 2008-10-31 11:48:20 65,536 ----a-r C:\WINDOWS\Installer\{90381EFF-A3F1-42FB-8CF5-E3C941DC0548}\NewShortcut4_90381EFFA3F142FB8CF5E3C941DC0548.exe
- 2008-10-16 17:11:18 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2008-10-30 11:05:56 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2008-10-16 17:11:19 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-10-30 11:05:57 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-10-16 17:11:19 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-10-30 11:05:57 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-10-16 17:11:19 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2008-10-30 11:05:57 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-10-16 17:11:19 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-10-30 11:05:57 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-10-16 17:11:18 23,558 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-10-30 11:05:56 23,558 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-10-15 16:33:31 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70700000002}\SC_Reader.exe
+ 2008-10-30 08:52:32 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70700000002}\SC_Reader.exe
+ 2002-11-12 01:14:54 73,728 ----a-w C:\WINDOWS\system32\CSHttpClient.dll
+ 2008-04-14 00:16:30 18,944 -c--a-w C:\WINDOWS\system32\dllcache\bthusb.sys
+ 2008-04-14 05:42:22 193,024 -c--a-w C:\WINDOWS\system32\dllcache\fsquirt.exe
- 2008-04-13 23:16:30 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
+ 2008-04-14 00:16:30 18,944 ----a-w C:\WINDOWS\system32\drivers\BTHUSB.SYS
- 2008-10-28 17:52:18 1,557,048 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-30 12:20:08 1,557,048 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-04-14 04:42:22 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
+ 2008-04-14 05:42:22 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
+ 2008-05-29 11:16:52 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
+ 2005-07-23 12:46:34 1,199,480 ----a-w C:\WINDOWS\system32\GraphicsMill20.dll
+ 2005-07-23 12:46:34 263,032 ----a-w C:\WINDOWS\system32\GraphicsMill20Dialogs.dll
- 2008-10-28 14:01:21 71,176 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-11-06 23:06:32 71,176 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-28 14:01:21 441,432 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-11-06 23:06:33 441,432 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-05-02 11:11:16 83,592 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\i386\ss_bus.sys
+ 2007-05-02 11:11:16 12,424 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\i386\ss_cmnt.sys
+ 2007-05-02 11:11:18 15,112 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\i386\ss_mdfl.sys
+ 2007-05-02 11:11:18 109,704 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\i386\ss_mdm.sys
+ 2007-05-02 11:11:18 12,424 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\i386\ss_whnt.sys
+ 2007-05-02 11:11:12 72,968 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
+ 2007-05-02 11:12:34 83,592 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\i386\ssm_bus.sys
+ 2007-05-02 11:12:34 12,424 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\i386\ssm_cmnt.sys
+ 2007-05-02 11:12:36 15,112 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\i386\ssm_mdfl.sys
+ 2007-05-02 11:12:36 109,704 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\i386\ssm_mdm.sys
+ 2007-05-02 11:12:36 12,424 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\i386\ssm_whnt.sys
+ 2007-05-02 11:12:28 72,968 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
+ 2007-07-03 16:54:24 80,552 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdbus.sys
+ 2007-07-03 16:56:00 9,256 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdcmnt.sys
+ 2007-07-03 16:57:24 11,944 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdmdfl.sys
+ 2007-07-03 16:58:20 106,792 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdmdm.sys
+ 2007-07-03 16:59:10 86,824 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdserd.sys
+ 2007-07-03 17:00:16 9,256 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\i386\sscdwhnt.sys
+ 2007-07-03 16:53:24 70,824 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
+ 2007-07-05 12:37:34 83,456 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdbus.sys
+ 2007-07-05 12:37:34 12,160 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdcmnt.sys
+ 2007-07-05 12:37:34 14,848 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdmdfl.sys
+ 2007-07-05 12:37:34 109,696 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdmdm.sys
+ 2007-07-05 12:37:34 103,808 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdmgmt.sys
+ 2007-07-05 12:37:36 99,712 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdobex.sys
+ 2007-07-05 12:37:36 12,160 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\i386\sssdwhnt.sys
+ 2007-07-19 09:44:10 70,904 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
+ 2007-07-05 12:38:14 83,328 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\i386\ssbcbus.sys
+ 2007-07-05 12:38:16 12,160 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\i386\ssbccmnt.sys
+ 2007-07-05 12:38:16 14,848 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\i386\ssbcmdfl.sys
+ 2007-07-05 12:38:16 109,696 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\i386\ssbcmdm.sys
+ 2007-07-05 12:38:16 12,160 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\i386\ssbcwhnt.sys
+ 2007-07-05 12:38:12 73,728 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
+ 2003-08-28 11:57:00 360,448 ----a-w C:\WINDOWS\system32\Srcvw3.dll
+ 2005-07-23 12:46:34 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2005-07-23 12:46:34 40,960 ----a-w C:\WINDOWS\system32\vbalFlBr6.dll
+ 2008-11-06 23:02:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_44c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-10-15 949376]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-10-16 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\Security\SuperAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-06-24 113896]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFB867B-0BA0-4B37-A370-E4B4A02EC792}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {BAFB867B-0BA0-4B37-A370-E4B4A02EC792}
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-27 06:59]

2008-10-28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\
FF -: plugin - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}\plugins\npagent.dll
FF -: plugin - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 23:07:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\User\LOCALS~1\Temp\RGI3A.tmp


**************************************************************************
.
Completion time: 2008-11-06 23:10:29
ComboFix-quarantined-files.txt 2008-11-06 23:09:26
ComboFix2.txt 2008-10-29 12:40:22

Pre-Run: 10,050,203,648 bytes free
Post-Run: 10,203,435,008 bytes free

313 --- E O F --- 2008-10-24 08:14:38

Edited by londonliving, 06 November 2008 - 06:26 PM.


#9 londonliving

londonliving
  • Topic Starter

  • Members
  • 145 posts
  • Gender:Male

Posted 06 November 2008 - 06:28 PM

HJT Log here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:56, on 06/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://megauplinkbindinstaller.com/install...190&name=ts
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224615040796
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 8865 bytes

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 November 2008 - 07:26 PM

Hello,

Well those look pretty good. :thumbsup: How is it running please?

I'd like to have a look at a file, please:


Please navigate to the following file:

Use Windows Search (Start > Search > For Files or Folders), to search for the following file:
RGI3A.tmp

Be sure to have it look in hidden files and folders, because that's where this one is. ;)

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
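As an added illustration of the kind of triage a helper does over a HijackThis log like the one posted above (this is not part of the thread and not a HijackThis or BleepingComputer tool): the script pulls the URL or image path out of each R-line and O4 Run entry and flags the ones worth a second look. The allowlisted hosts and trusted directories are assumptions; the sample lines are copied from the log above except the last, which is constructed.

```python
"""Triage a HijackThis v2 log: pull the URL or image path out of each R-line and
O4 Run entry and flag the ones a log reviewer would want to look at first.
Added example, not a HijackThis or BleepingComputer tool; the allowlists are
assumptions, not authoritative."""
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v2 format. The first five lines are copied
# from the log in this thread; the last one is made up to show an autostart
# entry launching from a Temp folder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://megauplinkbindinstaller.com/install...190&name=ts
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [pwrmgr] C:\Documents and Settings\User\Local Settings\Temp\pwrmgr.exe
"""

# Assumed allowlists: hosts a stock XP/IE7 install is expected to point at, and
# directories autostart binaries are normally launched from. Tune per machine.
KNOWN_GOOD_HOSTS = ("microsoft.com", "bbc.co.uk")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IMAGE_RE = re.compile(r"(?i)(.*?\.(?:exe|dll|cpl|scr))(?:\s|,|$)")


def host_is_known(host: str) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)


def image_path(cmd: str) -> str:
    """Return the executable/module part of an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage_line(line: str):
    """Return (kind, detail, reason) when a line deserves review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind.startswith("R"):  # R0/R1: IE start/search pages, ShellNext, proxy
        u = URL_RE.search(body)
        if not u:
            return None
        host = urlsplit(u.group("url")).hostname or ""
        if not host_is_known(host):
            return (kind, host, "browser URL points at an unexpected host")
        return None
    if kind == "O4":  # Run keys: where autostart persistence usually shows up
        r = RUN_RE.match(body)
        if not r:
            return None
        path = image_path(r.group("cmd"))
        low = path.lower()
        if "\\" not in low:
            return None  # bare name such as rundll32.exe, resolved from System32
        if "\\temp\\" in low:
            return (kind, path, "autostart image launched from a Temp folder")
        if not low.startswith(TRUSTED_DIRS):
            return (kind, path, "autostart image outside Program Files / Windows")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {detail} -- {reason}")
```

Running it on the sample prints two findings: the ShellNext URL host and the Temp-folder Run entry; the known-good start pages and the bare rundll32 line pass.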

#11 londonliving
  • Topic Starter
  • Members
  • 145 posts
  • Gender:Male

Posted 07 November 2008 - 02:22 AM

I had to reboot after running the ComboFix scan - notepad text screen came up with logfile, but desktop was black and empty of icons. No right click or start menu available.

Scanned for RGI3A.tmp but couldn't find it :thumbsup:

Have the view hidden files off (and known extensions) but nothing there.

Is it worth re-running the scan, to see if it repeats?

As far as the machine runs:

512Mb - nearly 350Mb gone at startup - possibly the cost of prevention!

Firefox 3 has crashed a number of times, usually with video streaming - so possibly a memory issue.

Other than that, with the little time I've been able to use it, it seems stable.

I think the Malwarebytes' Anti-Malware may have caught the major issue, but I don't know if anything else lurks in the depths...

Cheers

LL

Edited by londonliving, 07 November 2008 - 02:29 AM.


#12 londonliving
  • Topic Starter
  • Members
  • 145 posts
  • Gender:Male

Posted 09 November 2008 - 09:11 PM

Hmm.

Browser was dragged to:

h**p://www.speed-downloading.com/?&nums=FEr2YHxAAA-FEp.YDcAAA&tag_id=110&grpid=1648

Something is still around - if only adware.

Will run Ad-Aware and post new HJT ? ComboFix log.

LL

#13 londonliving
  • Topic Starter
  • Members
  • 145 posts
  • Gender:Male

Posted 10 November 2008 - 09:17 AM

ComboFix 08-11-09.04 - User 2008-11-10 14:03:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.45 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.
/wow section - STAGE 32
Access is denied.


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-09 17:32 . 2008-11-09 17:32 <DIR> d-------- c:\program files\Xilisoft
2008-11-09 17:25 . 2008-04-14 04:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-08 19:19 . 2008-11-08 19:19 <DIR> d-------- c:\documents and settings\User\Application Data\AVS4YOU
2008-11-08 19:18 . 2008-11-08 19:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2008-11-08 19:14 . 2008-11-08 19:17 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-11-08 19:13 . 2008-11-08 19:18 <DIR> d-------- c:\program files\AVS4YOU
2008-11-08 19:13 . 2007-02-27 18:36 974,848 --a------ c:\windows\system32\mfc70.dll
2008-11-08 19:13 . 2007-02-27 18:36 487,424 --a------ c:\windows\system32\msvcp70.dll
2008-11-08 19:13 . 2007-02-27 18:36 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-11-08 19:13 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-11-08 18:42 . 2008-11-08 18:42 33 --a------ c:\windows\Multimedia manager.INI
2008-11-08 18:27 . 2008-11-08 18:27 <DIR> d-------- c:\documents and settings\User\Application Data\Samsung
2008-11-07 11:06 . 2008-11-07 11:06 <DIR> d-------- c:\documents and settings\User\Application Data\BWMonitor
2008-11-07 11:05 . 2008-11-07 11:05 <DIR> d-------- c:\program files\BandwidthMonitor
2008-11-07 09:21 . 2008-11-07 09:21 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-07 09:21 . 2008-11-07 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\TechSmith
2008-11-07 09:21 . 2008-07-10 14:56 107,864 --a------ c:\windows\system32\tsccvid.dll
2008-11-07 09:20 . 2008-11-07 12:54 <DIR> d-------- c:\program files\TechSmith
2008-11-07 09:20 . 2008-11-07 09:20 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2008-11-07 00:44 . 2008-11-07 00:55 <DIR> d-------- c:\documents and settings\User\Application Data\Vso
2008-11-07 00:44 . 2008-11-07 00:55 81,920 --a------ c:\documents and settings\User\Application Data\ezpinst.exe
2008-11-07 00:44 . 2008-11-07 00:55 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-07 00:44 . 2008-11-07 00:55 47,360 --a------ c:\documents and settings\User\Application Data\pcouffin.sys
2008-11-05 17:33 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2008-11-05 17:32 . 2008-11-08 18:52 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2008-11-05 17:28 . 2008-11-05 17:32 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2008-11-05 17:28 . 2008-11-05 17:28 <DIR> d-------- c:\program files\Samsung
2008-11-05 17:28 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2008-11-04 11:04 . 2008-11-06 12:56 <DIR> d-------- c:\program files\FairUse Wizard 2
2008-11-03 11:22 . 2008-11-03 18:38 <DIR> d-------- c:\documents and settings\User\dwhelper
2008-11-03 08:13 . 2008-04-14 05:42 151,552 --a------ c:\windows\system32\irftp.exe
2008-11-03 08:13 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-11-03 08:13 . 2008-04-14 05:41 28,160 --a------ c:\windows\system32\irmon.dll
2008-11-03 08:13 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-11-03 08:13 . 2008-04-14 05:42 8,192 --a------ c:\windows\system32\wshirda.dll
2008-11-03 08:13 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-10-31 11:48 . 2008-10-31 11:48 <DIR> d-------- c:\program files\western civilisation
2008-10-31 11:48 . 2008-10-31 11:48 <DIR> d-------- c:\program files\CSS Tools
2008-10-30 08:47 . 2008-11-07 10:16 <DIR> d-------- c:\documents and settings\User\Application Data\vlc
2008-10-29 17:33 . 2008-10-29 17:33 <DIR> d-------- c:\documents and settings\User\Application Data\dvdcss
2008-10-29 12:58 . 2008-10-29 12:58 <DIR> d-------- c:\documents and settings\User\Application Data\Apple Computer
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- c:\program files\Apple Software Update
2008-10-29 08:59 . 2008-10-29 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-29 08:59 . 2008-10-29 08:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-28 17:35 . 2008-10-28 17:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2008-10-28 13:53 . 2008-10-28 13:53 <DIR> d-------- c:\program files\uTorrent
2008-10-28 13:52 . 2008-11-10 13:28 <DIR> d-------- c:\documents and settings\User\Application Data\uTorrent
2008-10-28 12:55 . 2008-11-10 13:49 <DIR> d-------- c:\program files\PeerGuardian2
2008-10-27 10:05 . 2008-10-27 10:05 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-26 16:05 . 2008-10-26 16:06 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-26 16:05 . 2008-10-26 16:05 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-10-26 16:05 . 2008-06-10 13:04 31,048 --a------ c:\windows\system32\drivers\point32.sys
2008-10-26 14:41 . 2008-10-26 14:41 <DIR> d-------- c:\windows\Performance
2008-10-26 14:40 . 2008-10-26 14:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2008-10-26 14:39 . 2008-10-26 14:39 <DIR> d-------- c:\program files\Microsoft Windows Vista Upgrade Advisor
2008-10-26 13:12 . 2008-10-26 13:12 <DIR> d-------- c:\program files\Intel
2008-10-26 13:09 . 2007-07-31 17:11 86,016 --a------ c:\windows\system32\DellSPMsg.dll
2008-10-24 16:53 . 2008-10-24 16:53 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-24 16:52 . 2008-10-24 16:52 <DIR> d-------- C:\5b6662e58b646c50bd88b1ad
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 12:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-10-24 16:52 . 2008-07-06 10:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-10-24 16:52 . 2008-07-06 12:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-10-24 16:52 . 2008-07-06 12:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-10-24 16:52 . 2008-07-06 12:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-10-24 16:51 . 2008-10-25 09:17 <DIR> d-------- c:\windows\SxsCaPendDel
2008-10-24 16:44 . 2008-10-24 19:51 <DIR> d-------- C:\e5413faf2eb5f506a54721227b9a
2008-10-24 15:53 . 2008-06-24 17:45 113,896 --a------ c:\windows\system32\drivers\keyscrambler.sys
2008-10-24 08:12 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 15:13 . 2008-10-22 15:13 <DIR> d-------- c:\program files\Lavasoft
2008-10-22 15:12 . 2008-10-22 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-22 14:01 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-22 14:01 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-21 21:04 . 2008-10-22 04:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-21 19:31 . 2008-10-21 19:31 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-21 18:35 . 2005-10-14 13:45 135,168 --a------ c:\windows\system32\igfxres.dll
2008-10-21 18:32 . 2008-10-21 18:32 127 --a------ c:\windows\system32\MRT.INI
2008-10-21 18:30 . 2008-10-21 18:30 <DIR> d-------- c:\program files\MSXML 4.0
2008-10-21 18:28 . 2008-10-03 17:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-10-21 18:28 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-10-21 18:28 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-10-21 18:28 . 2008-08-26 07:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-10-21 18:28 . 2008-08-26 07:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-10-21 18:28 . 2008-08-26 07:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-10-21 18:28 . 2008-08-26 07:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-10-21 18:28 . 2008-08-26 07:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-10-21 18:28 . 2008-08-25 08:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-10-21 18:15 . 2008-10-21 18:16 <DIR> d-------- c:\windows\system32\URTTemp
2008-10-21 18:15 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-21 18:15 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-21 18:15 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-21 18:15 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-21 18:15 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-21 18:14 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-21 18:14 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-10-21 18:13 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-21 18:03 . 2008-10-24 08:14 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2008-10-21 17:49 . 2008-10-21 17:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-21 17:47 . 2008-11-07 12:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-21 17:41 . 2008-10-21 17:41 <DIR> d--h----- c:\windows\PIF
2008-10-21 16:47 . 2008-10-24 15:53 <DIR> d-------- c:\program files\Security
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-21 16:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-21 16:47 . 2008-10-16 19:36 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-21 16:47 . 2008-10-16 19:36 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-21 15:58 . 2008-11-10 13:55 <DIR> d-------- c:\program files\Firefox 3
2008-10-21 13:49 . 2008-10-21 13:49 <DIR> d-------- c:\program files\Trend Micro
2008-10-21 13:31 . 2008-10-21 13:31 <DIR> d-------- c:\windows\Sun
2008-10-21 13:29 . 2008-10-21 13:29 <DIR> d-------- c:\program files\Java
2008-10-21 13:29 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-21 13:26 . 2008-10-21 13:26 <DIR> d-------- c:\program files\Common Files\Java
2008-10-21 13:15 . 2008-10-21 13:15 <DIR> d--hs---- c:\documents and settings\User\UserData
2008-10-18 15:55 . 2008-10-18 15:55 <DIR> d-------- c:\documents and settings\User\Application Data\phpDesigner 2008
2008-10-18 15:54 . 2008-10-18 15:59 <DIR> d-------- c:\program files\phpDesigner 2008
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-18 14:53 . 2008-10-18 14:53 <DIR> d-------- c:\program files\Common Files\Altova
2008-10-18 14:53 . 2008-10-18 15:02 <DIR> d-------- c:\program files\Altova
2008-10-18 14:52 . 2008-10-18 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Altova
2008-10-18 14:46 . 2008-10-18 14:47 <DIR> d-------- c:\program files\SequoiaView
2008-10-18 14:44 . 2008-10-18 14:44 <DIR> d-------- c:\program files\Database Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 07:24 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot_2008-11-06_23.08.56.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-07 09:21:24 680,448 ----a-r c:\windows\Installer\{49253DE2-FC99-4BE3-99A4-DAB01A8E6088}\IconEF5C48881.exe
+ 2008-11-07 12:55:24 609,792 ----a-r c:\windows\Installer\{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}\Icon59991D183.exe
+ 2001-09-05 21:00:58 1,700,352 ----a-w c:\windows\system32\gdiplus.dll
- 2008-11-06 23:06:32 71,176 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-10 13:54:57 71,176 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-06 23:06:33 441,432 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-10 13:54:57 441,432 ----a-w c:\windows\system32\perfh009.dat
+ 2008-05-15 16:49:20 21,832 ----a-w c:\windows\system32\spool\drivers\w32x86\3\SNAGITD9.DLL
+ 2008-11-10 13:50:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_288.dat
+ 2006-12-02 00:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"SpybotSD TeaTimer"="c:\program files\Security\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"BandwidthMonitor"="c:\program files\BandwidthMonitor\BWMonitor.exe" [2008-11-07 236032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-15 949376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-10-16 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-05-15 6822728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\Security\SuperAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\Security\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFB867B-0BA0-4B37-A370-E4B4A02EC792}]
c:\windows\system32\msiexec.exe /qn /fpu {BAFB867B-0BA0-4B37-A370-E4B4A02EC792}
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-27 06:59]

2008-10-28 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\
FF -: plugin - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\x9jo1zcf.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}\plugins\npagent.dll
FF -: plugin - c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npnul32.dll
FF -: plugin - c:\program files\Firefox 3\plugins\nppdf32.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 14:07:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 14:14:05
ComboFix-quarantined-files.txt 2008-11-10 14:13:41
ComboFix2.txt 2008-11-06 23:10:31
ComboFix3.txt 2008-10-29 12:40:22

Pre-Run: 2,682,990,592 bytes free
Post-Run: 2,696,986,624 bytes free

255 --- E O F --- 2008-10-24 08:14:38

#14 londonliving
  • Topic Starter
  • Members
  • 145 posts
  • Gender:Male

Posted 10 November 2008 - 09:19 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:32, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://megauplinkbindinstaller.com/install...190&name=ts
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\Security\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMonitor.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\Security\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1224615040796
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 9485 bytes
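
The HijackThis log above is read by eye in this thread; as an added example (not code from the thread, from HijackThis or from BleepingComputer), here is a small triage script that parses such a log and flags the entry types a helper looks at first. The heuristics and the trusted-host list are assumptions chosen for illustration: R0/R1 browser and registry URLs that do not point at a Microsoft host, O4 autostart entries that run from a temp directory or whose shortcut target HijackThis could not resolve (shown as `= ?`), and O20 Winlogon Notify DLLs, which load into winlogon.exe and so always deserve a publisher check. The sample input is a subset of lines copied from the log above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Subset of the HijackThis log posted above, used as sample input.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://megauplinkbindinstaller.com/install...190&name=ts
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each entry line; skip everything else."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def _host_is_trusted(host):
    # Assumption for the demo: a clean XP install only points IE at Microsoft hosts.
    host = host.lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def check_entry(section, body, raw):
    """Apply one illustrative heuristic per entry type; return a Finding or None."""
    if section in ("R0", "R1"):
        # body: "HKCU\...\Key,Value = http://..." (ProxyOverride-style values have no scheme)
        _, _, value = body.partition(" = ")
        parsed = urlparse(value.strip())
        if parsed.scheme in ("http", "https") and parsed.hostname:
            if not _host_is_trusted(parsed.hostname):
                return Finding(section, f"registry URL points to untrusted host {parsed.hostname}", raw)
        return None
    if section == "O4":
        # body: "HKLM\..\Run: [name] path args"  or  "Global Startup: Name.lnk = target"
        _, _, target = body.partition(": ")
        if target.endswith("= ?"):
            return Finding(section, "startup shortcut target could not be resolved", raw)
        low = target.lower()
        if "\\temp\\" in low or "%temp%" in low:
            return Finding(section, "autostart entry launches from a temp directory", raw)
        return None
    if section == "O20":
        return Finding(section, "Winlogon Notify DLL loads into winlogon.exe; verify publisher", raw)
    return None


def triage(log_text):
    """Return the list of entries worth a second look, in log order."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        f = check_entry(section, body, raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above the script reports three entries: the ShellNext value pointing at a non-Microsoft host, the Global Startup shortcut with an unresolved target, and the SuperAntiSpyware Winlogon Notify DLL (a legitimate one here, which is why the rule says "verify" rather than "remove"). The trusted BHOs, Run entries and services pass silently; extend `check_entry` with further rules (unsigned O23 service binaries, O2 BHOs marked "(no file)") as needed.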

#15 londonliving (Topic Starter)

Posted 10 November 2008 - 09:21 AM

Also ran SpyBot Search and Destroy before.

Preparing to install some more Adobe software and would love to know all is well before I do that.

Many thanks again

LL
