
kdkya.exe


15 replies to this topic

#1 rt60man


Posted 29 November 2008 - 06:58 AM

Hi,

Could someone please check my Hijackthis log and post me some remedies?

I seriously doubt the existence of kdkya.exe

I've 'not' been successful disabling this using any or all of the following tools/methods...

1. disabling through msconfig - startup.
2. deleting using Avast rootkit (avast rootkit says it has been successful in deleting the same) but reappears upon rebooting.
3. deleting using Hijackthis... it reappears again.
4. Disabling in the startup items of Spybot-S&D

... it simply keeps reappearing in the startup

It seems to have affected my xpsp3 logon screen...
1. I donot anymore see whether any user has logged in .
2. I cannot switch user accounts, unless I have completely logged out of the existing user account
3. Line O20 - Winlogon Notify: dfeadebddadfc - C:\WINDOWS\system32\dfeadebddadfc.dll (file missing)" might say something about this.

Thank you so much for your help
Attached File: hijackthis.log (6.13KB)



#2 fenzodahl512


Posted 29 November 2008 - 07:19 AM

Please download FileAssassin and unzip it to your Desktop.
  • Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
  • Make sure ALL four options are selected (including "Delete file")
  • Copy/paste below file to the box
    • C:\WINDOWS\system32\dfeadebddadfc.dll
  • Press Execute button..



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Download DDS and save it to your desktop.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options > Attach Files on the composition page. Browse to where you saved the file, and click Upload.


Please post these logs in your next reply..

1. Malwarebytes'
2. DDS.txt
3. Attach.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 rt60man


Posted 30 November 2008 - 05:33 AM

FileAssassin says...

"The file you have specified does not exist or is not visible to FileASSASSIN, Please select another file"

I also noticed files like "autorun.info" and folders "resycled/boot.com" in some directories

Please advise the next course of action. Thank you.

#4 fenzodahl512


Posted 30 November 2008 - 06:11 AM

I also noticed files like "autorun.info" and folders "resycled/boot.com" in some directories


Delete those files manually and proceed with the next step (Malwarebytes')



#5 rt60man


Posted 30 November 2008 - 07:01 AM

I finished step 2... attached far below is the MBAM report.

After the reboot, I was not able to connect to the internet, and upon checking TCP/IP settings in the LAN properties, I found the DNS values were blank.
I reentered the values and the internet began to work.

However, I am not able to run the third step dds.scr.
Double-clicking on it opens it in Notepad, and right-clicking on the same does not give me an option of Run or Run As.
Also, how do I disable script blockers?

But the computer seems to be much better now and the logon screen seems to behave properly.

Please advise...




The MBAM report...


Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 5.1.2600 Service Pack 3

11/30/2008 5:02:58 PM
mbam-log-2008-11-30 (17-02-58).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 136774
Time elapsed: 35 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 13
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{6f4a6974-15fb-11dd-948a-c8fc55d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{141fdc3c-15fb-11dd-b723-9ef855d89593} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74199ec0-15fb-11dd-b03f-fbfc55d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{141fdc3c-15fb-11dd-b723-9ef855d89593} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdkya.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{78950dab-46fb-45fa-991f-d00dab70cc9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\vntiho06 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kdkya.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-5B5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-DFF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
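Two things in the MBAM report above deserve separating out: the Winlogon\System value carrying kdkya.exe is a logon-time start point outside the Run keys that msconfig edits, and the per-interface NameServer/DhcpNameServer values are what redirected DNS, with some of them only scheduled for "Delete on reboot". The Python below is an added example, not code from this thread or from Malwarebytes; it parses the MBAM 1.30 log format shown here (the sample is a constructed excerpt of lines copied from the report above) and pulls out injected DNS servers, Winlogon persistence, and items still pending a reboot.

```python
import re

# Constructed excerpt: these lines are copied from the MBAM 1.30 report posted
# above, trimmed to one example of each section the triage cares about.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdkya.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{212cb73b-8538-43b6-aaa6-3ed35a45b8c9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.182;85.255.112.197 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kdkya.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
C:\WINDOWS\Temp\tempo-5B5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: <target> (<detection>) -> [Data: <data> -> ]<action>.
DETECTION_RE = re.compile(
    r"^(?P<target>.+) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Registry values under Tcpip\Parameters\Interfaces\{GUID} that hold DNS servers.
DNS_VALUE_RE = re.compile(
    r"\\Tcpip\\Parameters\\Interfaces\\(?P<guid>\{[^}]+\})\\(?P<name>(?:Dhcp)?NameServer)$",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the report section it sits in."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        if " -> " not in line:          # summary lines and "(No malicious items detected)"
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def triage(findings):
    """Pull out what needs follow-up: injected DNS servers and the interfaces they
    were written to, Winlogon values pointing at a payload, and anything MBAM could
    not remove until the next reboot."""
    report = {
        "rogue_dns_servers": set(),
        "dns_interfaces": set(),
        "winlogon_persistence": [],
        "pending_reboot": [],
        # True when a static NameServer value is scheduled for deletion: after the
        # reboot the adapter is left with no DNS server at all, which is consistent
        # with the blank DNS fields described in post #5.
        "static_dns_cleared_on_reboot": False,
    }
    for f in findings:
        target, action = f["target"], f["action"].lower()
        pending = action.startswith("delete on reboot")
        if pending:
            report["pending_reboot"].append(target)
        m = DNS_VALUE_RE.search(target)
        if m:
            report["rogue_dns_servers"].update(IPV4_RE.findall(f["data"] or ""))
            report["dns_interfaces"].add(m["guid"].lower())
            if pending and m["name"].lower() == "nameserver":
                report["static_dns_cleared_on_reboot"] = True
        if "\\winlogon\\" in target.lower():
            value_name = target.rsplit("\\", 1)[-1]
            report["winlogon_persistence"].append((value_name, f["data"]))
    return report


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_MBAM_LOG)).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The interface GUIDs it returns are the adapters whose DNS settings have to be set back by hand or from DHCP once the pending deletions have run.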

#6 fenzodahl512


Posted 30 November 2008 - 07:12 AM

I reentered the values and the internet began to work.


Err.. what values did you enter?


Also, how do I disable script blockers?


Please refer HERE



Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.
NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.



Post me these logs in your next reply.. Post each log in separate post..

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Edited by fenzodahl512, 30 November 2008 - 07:13 AM.



#7 rt60man


Posted 30 November 2008 - 07:43 AM

oops... The preferred DNS server address, I mean.

Do I try running DDS.scr before attempting to run SDfix?

#8 rt60man


Posted 30 November 2008 - 08:45 AM

Although I couldn't run DDS.scr, I completed the process with SDFix and ComboFix and attached are the reports...

SDfix...




SDFix: Version 1.240
Run by owner on 11/30/2008 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\owner\LOCALS~1\Temp\tmp19.tmp - Deleted
C:\WINDOWS\mainms.vpi - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 18:45:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\R & V\\Program Files\\BitTorrent\\BitTorrent.exe"="C:\\Documents and Settings\\R & V\\Program Files\\BitTorrent\\BitTorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Fri 20 Jun 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Mon 2 Jul 2007 20,480 A..H. --- "C:\Program Files\National Instruments\MeasurementStudioVS2005\DotNET\LicenseEngine.2005.exe"
Sun 30 Nov 2008 1,048,576 A..H. --- "C:\Documents and Settings\All Users\Application Data\National Instruments\Shared Memory\MXSEventSharedMemory.tmp"
Sun 30 Nov 2008 4,203,264 A..H. --- "C:\Documents and Settings\All Users\Application Data\National Instruments\Shared Memory\NI-SMSL LPCSockets Shared Memory.tmp"

Finished!



combofix...


ComboFix 08-11-29.03 - owner 2008-11-30 18:57:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1609 [GMT 5.5:30]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Accounts\Important accounts\D a i l y A c c o u n t s\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\1186\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\18S430 isobarik\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\B-Horn\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\M-Horn\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\C O S M O\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Fire & Ice\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Fire & Ice\Fire & Ice stack Views\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Himesh Izone\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\MTM midtop\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Pulpit actuator\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\T A I K A\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\T A I K A\Taika Bar Revamp\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\HORNRESP\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\HORNRESP\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Enid\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Roshan\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Audua\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Bandpass\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\DPC\data\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\DPC\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Hornresp 8.4\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Hornresp 8.4\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Short cuts\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Drivers\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Filters\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Hornresp\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Hornresp\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\WinISD\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\WinISD\Drivers\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SMPS\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SMPS\RCC-FLYBACK-BLOCKING\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SOUND\Desktop_.ini
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 18:38 . 2008-11-30 18:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-30 18:36 . 2008-11-30 18:36 <DIR> d----c--- c:\windows\ERUNT
2008-11-30 18:29 . 2008-11-30 18:46 <DIR> d----c--- C:\SDFix
2008-11-30 17:05 . 2008-11-30 17:05 <DIR> d----c--- c:\documents and settings\R & V\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\documents and settings\owner\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-10-22 16:10 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 16:23 . 2008-10-22 16:10 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-28 19:01 . 2008-11-28 19:01 <DIR> d----c--- c:\program files\Spybot - Search & Destroy
2008-11-28 19:01 . 2008-11-29 16:09 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 18:05 . 2008-11-28 18:05 <DIR> d----c--- c:\windows\system32\QuickTime
2008-11-28 09:44 . 2008-11-28 09:44 27,904 --a--c--- c:\windows\system32\drivers\ndisprot.sys
2008-11-27 14:52 . 2008-11-27 19:48 <DIR> d----c--- c:\temp\_avast4_
2008-11-27 13:57 . 2008-11-27 13:57 942,712 --a--c--- c:\temp\utt7.tmp.exe
2008-11-18 19:24 . 2008-11-18 19:24 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-13 13:48 . 2008-10-24 16:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 12:56 . 2008-09-04 22:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d----c--- c:\program files\Tektronix
2008-11-01 19:16 . 2001-09-05 21:00 1,700,352 --a--c--- c:\windows\system32\gdiplus.dll
2008-11-01 18:55 . 2008-11-18 19:31 1,158 --a--c--- c:\windows\system32\niorbmap
2008-11-01 18:53 . 2008-11-18 19:25 <DIR> d----c--- C:\VXIPNP
2008-11-01 18:52 . 2008-11-01 18:52 <DIR> d----c--- c:\program files\IVI
2008-10-24 11:49 . 2008-10-15 22:04 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 02:23 . 2008-10-22 02:23 <DIR> d----c--- c:\temp\VBE
2008-10-16 18:13 . 2008-09-08 16:11 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-16 18:12 . 2008-09-15 17:42 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 18:10 . 2008-08-14 15:41 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 18:10 . 2008-08-14 15:39 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 18:10 . 2008-08-14 15:03 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 18:10 . 2008-08-14 15:03 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 13:27 --------- dc----w c:\documents and settings\owner\Application Data\DNA
2008-11-30 13:19 --------- dc----w c:\documents and settings\owner\Application Data\BitTorrent
2008-11-30 13:17 --------- dc----w c:\program files\DNA
2008-11-27 15:56 --------- dc----w c:\documents and settings\R & V\Application Data\BitTorrent
2008-11-22 09:58 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 14:13 --------- dc----w c:\documents and settings\All Users\Application Data\National Instruments
2008-11-18 14:01 --------- dc----w c:\program files\Common Files\Merge Modules
2008-11-18 13:58 --------- dc----w c:\program files\National Instruments
2008-11-15 14:44 --------- dc----w c:\program files\SIA SmaartLive 5
2008-11-01 13:46 --------- dc-h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 -c--a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-30 11:13 1,286,152 -c--a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 -c--a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -c----w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 -c--a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 -c--a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 -c--a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 -c--a-w c:\windows\system32\ntkrnlpa.exe
2004-03-15 12:21 114,688 -c--a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 05:02 131,072 -c--a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 05:18 133,920 -c--a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 13:33 118,784 -c--a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Everyday Auto Backup"="c:\program files\Everyday Auto Backup\AutoBackup.exe" [2007-11-28 69120]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-09-27 634672]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-19 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-01-02 40960]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"wave3"= rddv1046.dll
"midi3"= rddv1046.dll
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^Calc98.LNK]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\Calc98.LNK
backup=c:\windows\pss\Calc98.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-05-04 10:59 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-11-28 00:55 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-11-28 00:55 98304 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-11-06 16:34 177456 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"ose"=3 (0x3)
"niSvcLoc"=2 (0x2)
"NILM License Manager"=3 (0x3)
"NIDomainService"=2 (0x2)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
"LkCitadelServer"=2 (0x2)
"gusvc"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"helpsvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"c:\windows\system32\kdkya.exe"=c:\windows\system32\kdkya.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\R & V\\Program Files\\BitTorrent\\BitTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-07-10 15448]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-19 20560]
R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-08-02 4096]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-03-08 12696]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2005-09-21 55296]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R3 nidimk;nidimk;\??\c:\windows\system32\drivers\nidimkl.sys [2007-07-12 11360]
S2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
S2 TinaKey;TinaKey; []
S3 aswArKrn;aswArKrn;\??\c:\docume~1\owner\LOCALS~1\Temp\aswArKrn.sys []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-28 27904]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-07-18 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-07-18 11896]
S3 NIUSBTMC;NI-VISA USB TMC Driver;c:\windows\system32\DRIVERS\NIUSBTMC.sys [2007-07-19 45160]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-07-19 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-07-19 11360]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\Drivers\rdwm1046.sys [2007-03-22 163390]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2203e5a6-32fb-11dd-b8ed-001b77926ed2}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - f:\system\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b073d685-0dfe-11dd-b87f-001b77926ed2}]
\Shell\AutoRun\command - G:\b.com
\Shell\explore\Command - G:\b.com
\Shell\open\Command - G:\b.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f618df37-8f8d-11dd-b9ee-001b77926ed2}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - f:\system\DriveGuard\DriveProtect.exe -run 

*Newly Created Service* - NIPALK
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdkya.exe - c:\windows\system32\kdkya.exe
MSConfigStartUp-kdkya - c:\windows\system32\kdkya.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\dqbwv8iz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.in/
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Google\Google Updater\2.2.1202.1501\npCIDetect11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF -: plugin - c:\windows\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 18:58:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe??????????????@? ????M????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\rddv1046.dll
.
Completion time: 2008-11-30 18:58:38
ComboFix-quarantined-files.txt 2008-11-30 13:28:36

Pre-Run: 1,200,828,416 bytes free
Post-Run: 1,211,084,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

278 --- E O F --- 2008-11-14 05:28:11

HJThis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:28 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Everyday Auto Backup\AutoBackup.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://sibernet.southindianbank.com/corp/B...pType=corporate
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Everyday Auto Backup] C:\Program Files\Everyday Auto Backup\AutoBackup.exe /1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78950DAB-46FB-45FA-991F-D00DAB70CC9A}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

--
End of file - 5744 bytes

#9 fenzodahl512

Posted 30 November 2008 - 12:50 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
TinaKey
aswArKrn

File::
c:\temp\utt7.tmp.exe
c:\windows\system32\kdkya.exe
G:\b.com

Folder::
f:\system\DriveGuard

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"c:\windows\system32\kdkya.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2203e5a6-32fb-11dd-b8ed-001b77926ed2}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b073d685-0dfe-11dd-b87f-001b77926ed2}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f618df37-8f8d-11dd-b9ee-001b77926ed2}]

SysRst::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

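The helper's CFScript above removes three MountPoints2 keys and the leftover Run- value by hand after reading them out of the ComboFix log. The script below is an added example (not part of this thread and not ComboFix's own code) showing how a responder can pull those entries out of a ComboFix-style log programmatically: it lists every AutoRun/Explore/Open command that a removable-drive MountPoints2 key would launch, and drafts the matching Registry:: block in the same syntax the post uses. The log excerpt embedded in it is constructed from the entries shown in the thread; the only CFScript syntax assumed is what the post itself shows (`[-HKEY...]` deletes a key, `"value"=-` deletes a value).

```python
"""Triage MountPoints2 autorun commands and Run- leftovers in a ComboFix-style log.

Added example; not from the BleepingComputer thread and not ComboFix's own code.
CFScript syntax used is limited to what the helper's post shows:
  [-HKEY...]   removes the key
  "value"=-    removes that value under the preceding key
"""
import re

# Constructed sample, built from the mountpoints2 and Run- entries shown in the log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"c:\windows\system32\kdkya.exe"=c:\windows\system32\kdkya.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2203e5a6-32fb-11dd-b8ed-001b77926ed2}]
\Shell\AutoRun\command - f:\system\DriveGuard\DriveProtect.exe -run
\Shell\Explore\Command - f:\system\DriveGuard\DriveProtect.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b073d685-0dfe-11dd-b87f-001b77926ed2}]
\Shell\AutoRun\command - G:\b.com
\Shell\explore\Command - G:\b.com
\Shell\open\Command - G:\b.com
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# \Shell\<verb>\command - <target> [args]; ComboFix mixes the case of "command"
SHELL_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_sections(text):
    """Return {registry key: [entry lines]} for each bracketed key in the log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def autorun_findings(text):
    """List (key, verb, target) for every MountPoints2 shell command.

    Each of these is a program that Explorer runs when the drive is inserted,
    double-clicked or right-click-explored, so every target deserves review;
    a bare file sitting in the drive root is the classic autorun-worm pattern.
    """
    found = []
    for key, lines in parse_sections(text).items():
        if "mountpoints2" not in key.lower():
            continue
        for line in lines:
            m = SHELL_RE.match(line)
            if m:
                # first token of the command is the executable path
                found.append((key, m.group(1).lower(), m.group(2).split(" ")[0]))
    return found


def draft_cfscript_registry(text):
    """Draft a Registry:: block: delete each MountPoints2 key and each Run- value."""
    lines = ["Registry::"]
    for key, entries in parse_sections(text).items():
        lk = key.lower()
        if lk.endswith("\\run-"):
            lines.append(f"[{key}]")
            for entry in entries:
                m = VALUE_RE.match(entry)
                if m:
                    lines.append(f'"{m.group(1)}"=-')
        elif "mountpoints2" in lk:
            lines.append(f"[-{key}]")
    return lines


if __name__ == "__main__":
    for key, verb, target in autorun_findings(SAMPLE_LOG):
        print(f"{verb:8} -> {target}   ({key.rsplit(chr(92), 1)[-1]})")
    print()
    print("\n".join(draft_cfscript_registry(SAMPLE_LOG)))
```

The drafted block is a starting point for review, not something to paste blindly: the first MountPoints2 key in the sample points at a vendor DriveGuard tool, and a responder decides per entry whether the target is legitimate before keeping the deletion line.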


#10 rt60man

Posted 01 December 2008 - 12:08 AM

Combofix with CFScript executed...

The following is the CF log....

ComboFix 08-11-30.01 - owner 2008-12-01 10:21:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1564 [GMT 5.5:30]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\temp\utt7.tmp.exe
c:\windows\system32\kdkya.exe
G:\b.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Accounts\Important accounts\D a i l y A c c o u n t s\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\1186\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\18S430 isobarik\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\B-Horn\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\A M R I T H\M-Horn\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\C O S M O\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Fire & Ice\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Fire & Ice\Fire & Ice stack Views\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Himesh Izone\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\MTM midtop\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\Pulpit actuator\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\T A I K A\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Acad files\T A I K A\Taika Bar Revamp\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\HORNRESP\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\HORNRESP\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Enid\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Resumes\Roshan\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Audua\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Bandpass\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\DPC\data\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\DPC\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Hornresp 8.4\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Hornresp 8.4\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\Short cuts\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Drivers\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker Builder\WinISD\Filters\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Hornresp\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\Hornresp\EXPORT\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\WinISD\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Speaker building softwares\setup files\WinISD\Drivers\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SMPS\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SMPS\RCC-FLYBACK-BLOCKING\Desktop_.ini
c:\documents and settings\All Users\Documents\Roshan's Documents\Worksheets - SOUND\Desktop_.ini
c:\temp\utt7.tmp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWARKRN
-------\Legacy_TINAKEY
-------\Service_aswArKrn
-------\Service_TinaKey


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-11-30 18:38 . 2008-11-30 18:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-30 18:36 . 2008-11-30 18:36 <DIR> d----c--- c:\windows\ERUNT
2008-11-30 18:29 . 2008-11-30 18:46 <DIR> d----c--- C:\SDFix
2008-11-30 17:05 . 2008-11-30 17:05 <DIR> d----c--- c:\documents and settings\R & V\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\documents and settings\owner\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-11-30 16:23 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 16:23 . 2008-10-22 16:10 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 16:23 . 2008-10-22 16:10 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-28 19:17 . 2008-11-28 19:17 <DIR> d----c--- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-28 19:01 . 2008-11-28 19:01 <DIR> d----c--- c:\program files\Spybot - Search & Destroy
2008-11-28 19:01 . 2008-11-29 16:09 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 18:05 . 2008-11-28 18:05 <DIR> d----c--- c:\windows\system32\QuickTime
2008-11-28 09:44 . 2008-11-28 09:44 27,904 --a--c--- c:\windows\system32\drivers\ndisprot.sys
2008-11-27 14:52 . 2008-11-27 19:48 <DIR> d----c--- c:\temp\_avast4_
2008-11-18 19:24 . 2008-11-18 19:24 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-13 13:48 . 2008-10-24 16:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 12:56 . 2008-09-04 22:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d----c--- c:\program files\Tektronix
2008-11-01 19:16 . 2001-09-05 21:00 1,700,352 --a--c--- c:\windows\system32\gdiplus.dll
2008-11-01 18:55 . 2008-11-18 19:31 1,158 --a--c--- c:\windows\system32\niorbmap
2008-11-01 18:53 . 2008-11-18 19:25 <DIR> d----c--- C:\VXIPNP
2008-11-01 18:52 . 2008-11-01 18:52 <DIR> d----c--- c:\program files\IVI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 04:42 --------- dc----w c:\documents and settings\owner\Application Data\BitTorrent
2008-12-01 04:41 --------- dc----w c:\program files\DNA
2008-12-01 04:41 --------- dc----w c:\documents and settings\owner\Application Data\DNA
2008-11-27 15:56 --------- dc----w c:\documents and settings\R & V\Application Data\BitTorrent
2008-11-22 09:58 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 14:13 --------- dc----w c:\documents and settings\All Users\Application Data\National Instruments
2008-11-18 14:01 --------- dc----w c:\program files\Common Files\Merge Modules
2008-11-18 13:58 --------- dc----w c:\program files\National Instruments
2008-11-15 14:44 --------- dc----w c:\program files\SIA SmaartLive 5
2008-11-01 13:46 --------- dc-h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 -c--a-w c:\windows\system32\drivers\mrxsmb.sys
2004-03-15 12:21 114,688 -c--a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 05:02 131,072 -c--a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 05:18 133,920 -c--a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 13:33 118,784 -c--a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-30_18.58.20.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 14:32:28 163,328 -c--a-w c:\windows\erdnt\subs\ERDNT.EXE
- 2008-11-30 13:18:04 62,746 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-01 04:45:28 62,746 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-30 13:18:04 401,632 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-01 04:45:28 401,632 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-01 04:54:23 16,384 -c--atw c:\windows\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dc48\isign32.dll
2004-08-04 17:30 81920 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063667.dll

c:\dc48\isrdbg32.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063668.dl"

c:\dc48\ksecdd.sys
2004-08-04 17:30 92032 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063804.sys

c:\dc48\localspl.dll
2004-08-04 17:30 341504 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063817.dll

c:\dc48\lonsint.dll
2004-08-04 17:30 13312 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063825.dll

c:\dc48\md5filt.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063842

c:\combofix\mi

c:\dc48\mmc.exe
2004-08-04 17:30 815104 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063871.exe

c:\dc48\mountmgr.sys
2004-08-04 17:30 42240 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063888.sys

c:\dc48\mpr.dll
2004-08-04 17:30 59904 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063900.dll

c:\dc48\mqsnap.dll
2004-08-04 17:30 517632 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063915.dll

c:\dc48\msconf.dll
2004-08-04 17:30 69632 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063949.dll

c:\dc48\mtxdm.dll
2004-08-04 17:30 20480 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064075.dll

c:\dc48\netstat.exe
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064124'

c:\dc48\ntkrnlmp.exe
2007-02-28 14:38 2136064 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064159.exe

c:\dc48\obrb0416.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064201.dl"

c:\dc48\obrb0804.dll
2004-08-04 17:30 270336 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064207.dll

c:\dc48\odbcp32r.dll
2004-08-04 17:30 12288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064227.dll

c:\dc48\oemig50.exe
2004-08-04 17:30 60416 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064236.exe
2004-08-04 17:30 60416 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064236.exe

c:\dc48\oledb32r.dll
2004-08-04 17:30 65536 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064244.dll

c:\dc48\safrcdlg.dll
2004-08-04 17:30 43520 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064397.dll

c:\dc48\sendmail.dll
2004-08-04 17:30 55296 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064436.dll

c:\dc48\sessmgr.exe
2004-08-04 17:30 140800 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064444.exe

c:\dc48\shgina.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064463."

c:\combofix\s

c:\dc48\shrpubw.exe
2004-08-04 17:30 77824 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064470.exe
2004-08-04 17:30 77824 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064470.exe

c:\dc48\smbinst.exe
2004-08-04 17:30 8192 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064484.exe

c:\dc48\spiisupd.exe
2004-08-04 17:30 12800 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064510.exe

c:\dc48\sprb040e.dll
2004-08-04 17:30 769536 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064556.dll

c:\dc48\sprb041d.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064566.dl

c:\dc48\sprb0c0a.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064571.dl

c:\dc48\sspifilt.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064597.dl"

c:\dc48\synceng.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064621"

c:\combofix\ta

c:\dc48\tlntadmn.exe
2004-08-04 17:30 61440 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064667.exe

c:\dc48\tracerpt.exe
2004-08-04 17:30 259584 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064675.exe

c:\dc48\usbstor.sys
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064727

c:\combofix\vd

c:\dc48\version.dll
{A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064746"

c:\combofix\wa

c:\dc48\winipsec.dll
2004-08-04 17:30 32768 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064804.dll
2004-08-04 17:30 32768 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064804.dll

2007-07-19 17:42 54368 c:\documents and settings\All Users\Application Data\National Instruments\MAX\Data Dictionaries\Last\niRemoteDD.dll
2005-12-30 23:22 41984 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061507.dll

2007-07-19 17:43 115304 c:\documents and settings\All Users\Application Data\National Instruments\MAX\Data Dictionaries\Last\niswdd.dll
2005-12-30 23:22 114688 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061506.dll

C:\kbdlk41a.dll
2004-08-04 17:30 6656 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063782.dll

C:\mpr.dll
2004-08-04 17:30 59904 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0063900.dll

2008-12-01 10:24 225200 c:\program files\Alwil Software\Avast4\DATA\aswar0.dll
2008-11-15 19:04 225200 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058642.dll
2008-12-01 10:15 225200 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP145\A0068066.dll

2008-12-01 10:24 391216 c:\program files\Alwil Software\Avast4\DATA\clnr0.dll
2008-11-15 19:04 391216 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058643.dll
2008-12-01 10:15 391216 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP145\A0068067.dll

2008-12-01 10:24 9080 c:\program files\Alwil Software\Avast4\DATA\exts0.dll
2008-11-15 19:04 9080 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058644.dll
2008-12-01 10:15 9080 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP145\A0068068.dll

2008-11-19 14:55 342336 c:\program files\DNA\btdna.exe
2008-10-04 09:56 289088 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061594.exe

2008-11-19 14:55 49152 c:\program files\DNA\plugins\npbtdna.dll
2008-10-04 09:56 54592 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061596.dll

2008-11-19 12:18 17408 c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2008-09-29 09:42 17408 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061559.dll

2008-11-19 12:18 23040 c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2008-09-29 09:42 23040 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061561.dll

2008-11-19 12:18 134656 c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2008-09-29 09:42 134656 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061562.dll

c:\program files\Mozilla Firefox\components\iamfamous.dll
2008-11-28 09:44 50176 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067747.dll

2008-11-19 12:18 185856 c:\program files\Mozilla Firefox\crashreporter.exe
2008-09-29 09:42 185856 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061563.exe

2008-11-19 12:18 307712 c:\program files\Mozilla Firefox\firefox.exe
2008-09-29 09:42 307712 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061564.exe

2008-11-19 12:18 233472 c:\program files\Mozilla Firefox\freebl3.dll
2008-09-29 09:42 233472 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061565.dll

2008-11-19 12:18 697344 c:\program files\Mozilla Firefox\js3250.dll
2008-09-29 09:42 697344 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061566.dll

2008-11-19 12:18 710144 c:\program files\Mozilla Firefox\mozcrt19.dll
2008-09-29 09:42 710144 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061567.dll

2008-11-19 12:18 198144 c:\program files\Mozilla Firefox\nspr4.dll
2008-09-29 09:42 198144 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061568.dll

2008-11-19 12:18 697856 c:\program files\Mozilla Firefox\nss3.dll
2008-09-29 09:42 697856 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061569.dll

2008-11-19 12:18 304640 c:\program files\Mozilla Firefox\nssckbi.dll
2008-09-29 09:42 304640 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061570.dll

2008-11-19 12:18 103936 c:\program files\Mozilla Firefox\nssdbm3.dll
2008-09-29 09:42 103936 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061571.dll

2008-11-19 12:18 87552 c:\program files\Mozilla Firefox\nssutil3.dll
2008-09-29 09:42 87552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061572.dll

2008-11-19 12:18 20480 c:\program files\Mozilla Firefox\plc4.dll
2008-09-29 09:42 20480 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061574.dll

2008-11-19 12:18 17408 c:\program files\Mozilla Firefox\plds4.dll
2008-09-29 09:42 17408 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061575.dll

2008-11-19 12:18 65536 c:\program files\Mozilla Firefox\plugins\npnul32.dll
2008-09-29 09:42 65536 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061576.dll

2008-11-19 12:18 103936 c:\program files\Mozilla Firefox\smime3.dll
2008-09-29 09:42 103936 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061577.dll

2008-11-19 12:18 151552 c:\program files\Mozilla Firefox\softokn3.dll
2008-09-29 09:42 151552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061578.dll

2008-11-19 12:18 395776 c:\program files\Mozilla Firefox\sqlite3.dll
2008-09-29 09:42 395776 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061579.dll

2008-11-19 12:18 136704 c:\program files\Mozilla Firefox\ssl3.dll
2008-09-29 09:42 136704 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061580.dll

2008-11-19 12:18 509544 c:\program files\Mozilla Firefox\uninstall\helper.exe
2008-09-29 09:42 509544 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061581.exe

2008-11-19 12:18 242176 c:\program files\Mozilla Firefox\updater.exe
2008-09-29 09:42 242176 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061582.exe

2008-11-19 12:18 17920 c:\program files\Mozilla Firefox\xpcom.dll
2008-09-29 09:42 17920 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061583.dll

2008-11-19 12:18 9729536 c:\program files\Mozilla Firefox\xul.dll
2008-09-29 09:42 9728512 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061584.dll

c:\program files\Spyware Doctor\BH.dll
2008-02-01 12:55 242568 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061775.dll

c:\program files\Spyware Doctor\cdialogs.dll
2008-02-08 15:34 655240 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061774.dll

c:\program files\Spyware Doctor\commhlpr.dll
2007-12-19 12:12 96648 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061773.dll

c:\program files\Spyware Doctor\commlib.dll
2008-02-01 12:56 825224 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061785.dll

c:\program files\Spyware Doctor\commom.dll
2008-02-01 12:56 919432 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061784.dll

c:\program files\Spyware Doctor\drvctl.exe
2007-12-10 14:53 28040 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061782.exe

c:\program files\Spyware Doctor\filehlpr.dll
2008-02-01 12:55 140680 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061772.dll

c:\program files\Spyware Doctor\ikdll.dll
2008-02-01 12:55 119688 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061771.dll

c:\program files\Spyware Doctor\inethlpr.dll
2008-02-01 12:55 178568 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061770.dll

c:\program files\Spyware Doctor\InnoHelpers.dll
2008-02-15 17:10 229376 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061787.dll

c:\program files\Spyware Doctor\msvcp71.dll
2008-01-08 11:23 499712 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061755.dll

c:\program files\Spyware Doctor\msvcr71.dll
2008-01-08 11:23 348160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061754.dll

c:\program files\Spyware Doctor\msvcr80.dll
2008-02-15 17:10 626688 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061786.dll

c:\program files\Spyware Doctor\NetworkLayer\Driver.exe
2007-12-18 16:15 161672 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061753.exe

c:\program files\Spyware Doctor\NetworkLayer\InterfaceDLL.dll
2008-02-01 12:55 497544 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061746.dll

c:\program files\Spyware Doctor\NetworkLayer\msvcp71.dll
2008-01-08 11:23 499712 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061748.dll

c:\program files\Spyware Doctor\NetworkLayer\msvcr71.dll
2008-01-08 11:23 348160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061747.dll

c:\program files\Spyware Doctor\NetworkLayer\PCTCFFix.exe
2007-12-10 14:53 71560 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061750.exe

c:\program files\Spyware Doctor\NetworkLayer\PCTCFHook.dll
2007-12-10 14:53 104328 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061752.dll

c:\program files\Spyware Doctor\NetworkLayer\pctfw2.sys
2007-12-10 14:53 218504 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061749.sys

c:\program files\Spyware Doctor\NetworkLayer\PCTLsp.dll
2007-12-10 14:53 190344 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061751.dll

c:\program files\Spyware Doctor\pctsAuxs.exe
2008-02-01 12:55 747912 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061776.exe

c:\program files\Spyware Doctor\pctsGui.exe
2008-02-08 15:34 2727816 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061778.exe

c:\program files\Spyware Doctor\pctsSvc.exe
2008-02-01 12:55 948616 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061777.exe

c:\program files\Spyware Doctor\pctsTray.exe
2008-02-01 12:55 1103240 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061779.exe

c:\program files\Spyware Doctor\PCTWSC.dll
2007-12-10 14:53 173960 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061769.dll

c:\program files\Spyware Doctor\PWindow.dll
2008-02-01 12:56 185224 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061768.dll

c:\program files\Spyware Doctor\RegHelper.dll
2008-02-01 12:56 115080 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061767.dll

c:\program files\Spyware Doctor\sdcore.dll
2007-12-10 14:54 119176 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061766.dll

c:\program files\Spyware Doctor\sdinvoker.exe
2007-12-10 14:54 289160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061781.exe

c:\program files\Spyware Doctor\sdloader.exe
2008-02-01 12:56 190344 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061780.exe

c:\program files\Spyware Doctor\sdwvhlp.dll
2007-12-10 14:54 59272 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061765.dll

c:\program files\Spyware Doctor\SH.dll
2008-02-01 12:56 217480 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061764.dll

c:\program files\Spyware Doctor\smumhook.dll
2008-02-01 12:56 142728 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061763.dll

c:\program files\Spyware Doctor\sporder.dll
2007-12-21 11:43 8704 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061762.dll

c:\program files\Spyware Doctor\SysAccess.dll
2008-02-01 12:56 135048 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061761.dll

c:\program files\Spyware Doctor\unins000.exe
2008-04-22 18:05 707976 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061792.exe

c:\program files\Spyware Doctor\Update.exe
2008-02-01 12:56 1795976 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061783.exe

c:\program files\Spyware Doctor\Upgrade.exe
2008-02-01 12:56 1538440 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061760.exe

2008-11-29 14:41 396288 c:\program files\Trend Micro\HijackThis\HijackThis.exe
2008-04-21 10:58 396288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067649.exe

c:\resycled\boot.com
2008-11-26 22:38 29696 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067587.com

C:\samlib.dll
2004-08-04 17:30 64000 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064400.dll

2008-10-25 20:37 1214 c:\sdfix\apps\assosfix.reg
2008-10-25 20:37 1214 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067843.reg

2008-08-07 15:27 145920 c:\sdfix\apps\Cghtme.exe
2008-08-07 15:27 145920 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067809.exe

2008-08-07 15:26 10240 c:\sdfix\apps\cliptext.exe
2008-08-07 15:26 10240 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067810.exe

c:\sdfix\apps\CSweg.exe
2008-08-07 15:27 278016 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067922.exe

2008-08-07 15:27 61440 c:\sdfix\apps\download.exe
2008-08-07 15:27 61440 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067811.exe

2008-08-07 15:27 1024 c:\sdfix\apps\dummy.sys
2008-08-07 15:27 1024 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067837.sys

2008-08-07 15:27 344 c:\sdfix\apps\Enable_Command_Prompt.reg
2008-08-07 15:27 344 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067844.reg

2008-08-07 15:27 157696 c:\sdfix\apps\ERUNT.EXE
2008-08-07 15:27 157696 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067812.EXE

2008-08-07 15:27 4538 c:\sdfix\apps\fix.reg
2008-08-07 15:27 4538 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067845.reg

2008-08-12 23:15 748 c:\sdfix\apps\FixBeep.reg
2008-08-12 23:15 748 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067846.reg

2008-11-06 00:57 306649 c:\sdfix\apps\FixBH.reg
2008-11-06 00:57 306649 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067847.reg

2008-08-07 15:27 2010 c:\sdfix\apps\FixComponents.reg
2008-08-07 15:27 2010 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067848.reg

2008-11-04 02:17 45016 c:\sdfix\apps\FIXCU.reg
2008-11-04 02:17 45016 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067849.reg

2008-11-05 13:14 88390 c:\sdfix\apps\FIXLM.reg
2008-11-05 13:14 88390 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067850.reg

2008-08-07 15:27 27136 c:\sdfix\apps\FixPath.exe
2008-08-07 15:27 27136 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067813.exe

2008-08-07 15:27 619 c:\sdfix\apps\FixRedir.reg
2008-08-07 15:27 619 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067851.reg

2008-08-07 15:27 826 c:\sdfix\apps\FixSchedule.reg
2008-08-07 15:27 826 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067852.reg

2008-08-07 15:27 932 c:\sdfix\apps\FixWebCheck.reg
2008-08-07 15:27 932 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067853.reg

2008-08-07 15:27 1610 c:\sdfix\apps\fixXP.reg
2008-08-07 15:27 1610 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067854.reg

2008-08-07 15:27 404 c:\sdfix\apps\FixXPsp2.reg
2008-08-07 15:27 404 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067855.reg

2008-08-07 15:27 80412 c:\sdfix\apps\grep.exe
2008-08-07 15:27 80412 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067814.exe

2008-08-07 15:27 1069 c:\sdfix\apps\HaxdFix.reg
2008-08-07 15:27 1069 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067856.reg

2008-09-30 20:22 828 c:\sdfix\apps\HPFix.reg
2008-09-30 20:22 828 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067857.reg

2008-09-30 20:18 164 c:\sdfix\apps\HPFix2.reg
2008-09-30 20:18 164 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067858.reg

2008-09-30 20:19 1744 c:\sdfix\apps\HPFix3.reg
2008-09-30 20:19 1744 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067859.reg

2008-08-07 15:27 1400 c:\sdfix\apps\HPFix4.reg
2008-08-07 15:27 1400 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067860.reg

2008-08-07 15:27 690 c:\sdfix\apps\HPFix5.reg
2008-08-07 15:27 690 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067861.reg

2008-09-30 20:19 1116 c:\sdfix\apps\HPFix6.reg
2008-09-30 20:19 1116 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067862.reg

2008-09-30 20:20 2232 c:\sdfix\apps\HPFix7.reg
2008-09-30 20:20 2232 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067863.reg

2008-08-07 15:27 1360 c:\sdfix\apps\HPFix8.reg
2008-08-07 15:27 1360 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067864.reg

2008-10-26 16:10 4134 c:\sdfix\apps\HPFix9.reg
2008-10-26 16:10 4134 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067865.reg

2008-08-07 15:27 33280 c:\sdfix\apps\isadmin.exe
2008-08-07 15:27 33280 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067815.exe

2003-12-09 00:31 11254 c:\sdfix\apps\locate.com
2003-12-09 00:31 11254 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067807.com

2008-08-07 15:27 49152 c:\sdfix\apps\LS.exe
2008-08-07 15:27 49152 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067816.exe

2008-08-07 15:27 6656 c:\sdfix\apps\MD5File.exe
2008-08-07 15:27 6656 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067817.exe

2008-08-07 15:27 38400 c:\sdfix\apps\moveex.exe
2008-08-07 15:27 38400 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067818.exe

2008-08-07 15:27 402 c:\sdfix\apps\MyGcpvFix.reg
2008-08-07 15:27 402 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067866.reg

2008-08-07 15:27 2286 c:\sdfix\apps\MyGkFix2.reg
2008-08-07 15:27 2286 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067867.reg

2008-08-07 15:27 53248 c:\sdfix\apps\Process.exe
2008-08-07 15:27 53248 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067819.exe

2008-08-07 15:27 16414 c:\sdfix\apps\procs.exe
2008-08-07 15:27 16414 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067820.exe

2008-08-07 15:27 61440 c:\sdfix\apps\psservice.exe
2008-08-07 15:27 61440 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067821.exe

2008-08-07 15:27 146432 c:\sdfix\apps\Replace\regedit.exe
2008-08-07 15:27 146432 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067822.exe

2008-08-07 15:27 4080 c:\sdfix\apps\Replace\w2k\beep.sys
2008-08-07 15:27 4080 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067835.sys

2003-06-19 11:05 50620 c:\sdfix\apps\Replace\w2k\command.com
2003-06-19 11:05 50620 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067805.com

2008-08-21 09:45 2855 c:\sdfix\apps\Replace\w2k\command.PIF
2008-08-21 09:45 2855 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067841.PIF

2008-08-07 15:27 2800 c:\sdfix\apps\Replace\w2k\null.sys
2008-08-07 15:27 2800 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067839.sys

2008-08-07 15:27 4224 c:\sdfix\apps\Replace\xp\beep.sys
2008-08-07 15:27 4224 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067836.sys

2001-08-18 12:00 50620 c:\sdfix\apps\Replace\xp\command.com
2001-08-18 12:00 50620 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067806.com

2008-08-21 09:45 2855 c:\sdfix\apps\Replace\xp\command.PIF
2008-08-21 09:45 2855 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067842.PIF

2008-08-07 15:27 2944 c:\sdfix\apps\Replace\xp\null.sys
2008-08-07 15:27 2944 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067840.sys

2008-08-07 15:27 134 c:\sdfix\apps\Reset_AppInit_DLLs.reg
2008-08-07 15:27 134 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067868.reg

2008-08-07 15:27 8192 c:\sdfix\apps\RestartIt!.exe
2008-08-07 15:27 8192 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067823.exe

2007-12-08 10:50 24098 c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
2007-12-08 10:50 24098 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067869.reg

2008-09-14 00:11 25528 c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
2008-09-14 00:11 25528 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067870.reg

2007-02-18 23:21 27054 c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
2007-02-18 23:21 27054 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067871.reg

2008-07-29 23:06 27144 c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
2008-07-29 23:06 27144 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067872.reg

2008-08-07 15:27 3654 c:\sdfix\apps\Restore_SecurityCenter.reg
2008-08-07 15:27 3654 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067873.reg

2008-08-07 15:27 5768 c:\sdfix\apps\Restore_SharedAccess.reg
2008-08-07 15:27 5768 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067874.reg

2008-08-07 15:27 31232 c:\sdfix\apps\sc.exe
2008-08-07 15:27 31232 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067824.exe

2008-08-07 15:27 98816 c:\sdfix\apps\sed.exe
2008-08-07 15:27 98816 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067825.exe

2008-08-07 15:27 49152 c:\sdfix\apps\SF.exe
2008-08-07 15:27 49152 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067826.exe

2008-08-07 15:27 19456 c:\sdfix\apps\shutdown.exe
2008-08-07 15:27 19456 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067827.exe

2008-09-16 19:17 204800 c:\sdfix\apps\UnRAR.exe
2008-09-16 19:17 204800 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067830.exe

2008-08-07 15:27 167936 c:\sdfix\apps\unzip.exe
2008-08-07 15:27 167936 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067831.exe

2008-08-07 15:27 41472 c:\sdfix\apps\WINMSG.EXE
2008-08-07 15:27 41472 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067833.EXE

2008-08-07 15:27 304 c:\sdfix\apps\winsec.reg
2008-08-07 15:27 304 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067875.reg

2008-08-07 15:27 126976 c:\sdfix\apps\zip.exe
2008-08-07 15:27 126976 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067834.exe

c:\sdfix\attrib.exe
2008-04-14 05:42 12288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067920.exe

c:\sdfix\backupreg\AppInit_DLLs.reg
2008-11-30 18:37 74 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067888.reg

c:\sdfix\backupreg\bat_shell_open.reg
2008-11-30 18:37 204 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067889.reg

c:\sdfix\backupreg\BHO.reg
2008-11-30 18:37 1436 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067890.reg

c:\sdfix\backupreg\com_shell_open.reg
2008-11-30 18:37 204 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067891.reg

c:\sdfix\backupreg\ControlPanel_Load.reg
2008-11-30 18:37 50930 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067892.reg

c:\sdfix\backupreg\Drivers32.reg
2008-11-30 18:37 4098 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067893.reg

c:\sdfix\backupreg\exe_shell_open.reg
2008-11-30 18:37 204 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067894.reg

c:\sdfix\backupreg\HKCU_SOFTWARE_Policy.reg
2008-11-30 18:37 4018 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067897.reg

c:\sdfix\backupreg\HKCU_WINDOWS_Policy.reg
2008-11-30 18:37 1704 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067898.reg

c:\sdfix\backupreg\HKCURun.reg
2008-11-30 18:37 968 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067895.reg

c:\sdfix\backupreg\HKCURunServices.reg
2008-11-30 18:37 228 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067896.reg

c:\sdfix\backupreg\HKLM_SOFTWARE_Policy.reg
2008-11-30 18:37 118448 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067901.reg

c:\sdfix\backupreg\HKLM_WINDOWS_Policy.reg
2008-11-30 18:37 1392 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067902.reg

c:\sdfix\backupreg\HKLMRun.reg
2008-11-30 18:37 2090 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067899.reg

c:\sdfix\backupreg\HKLMRunServices.reg
2008-11-30 18:37 74 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067900.reg

c:\sdfix\backupreg\IEDesktop.reg
2008-11-30 18:37 3784 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067903.reg

c:\sdfix\backupreg\IEMain.reg
2008-11-30 18:37 4692 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067904.reg

c:\sdfix\backupreg\Installed_Components.reg
2008-11-30 18:37 32432 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067905.reg

c:\sdfix\backupreg\pif_shell_open.reg
2008-11-30 18:37 204 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067906.reg

c:\sdfix\backupreg\reg_shell_open.reg
2008-11-30 18:37 222 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067907.reg

c:\sdfix\backupreg\SecurityProviders.reg
2008-11-30 18:37 8002 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067908.reg

c:\sdfix\backupreg\SharedTaskScheduler.reg
2008-11-30 18:37 546 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067909.reg

c:\sdfix\backupreg\ShellServiceObjectDelayLoad.reg
2008-11-30 18:37 696 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067910.reg

c:\sdfix\backupreg\SubSystems.reg
2008-11-30 18:37 5282 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067911.reg

c:\sdfix\backupreg\txt_shell_open.reg
2008-11-30 18:37 668 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067912.reg

c:\sdfix\backupreg\Winlogon.reg
2008-11-30 18:37 29116 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067913.reg

c:\sdfix\backupreg\WinlogonNotify.reg
2008-11-30 18:37 9196 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067914.reg

2008-08-07 15:27 145920 c:\sdfix\catchme.exe
2008-08-07 15:27 145920 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067808.exe

2008-10-08 23:41 11932 c:\sdfix\DBFix.bat
2008-10-08 23:41 11932 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067798.bat

c:\sdfix\dnif.exe
2004-08-04 17:30 9216 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067918.exe

c:\sdfix\dummy.exe
2008-08-07 15:27 6656 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067917.exe

2008-08-07 15:27 1024 c:\sdfix\dummy.sys
2008-08-07 15:27 1024 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067838.sys

c:\sdfix\editreg.exe
2008-04-14 05:42 146432 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067921.exe

c:\sdfix\rtsdnif.exe
2008-04-14 05:42 27136 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067919.exe

2008-11-06 00:58 964661 c:\sdfix\RunThis.bat
2008-11-06 00:58 964661 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067799.bat

c:\sdfix\userinfix.reg
2008-11-30 18:39 169 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067923.reg

C:\shlwapi.dll
2008-06-23 21:08 474112 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064466.dll

C:\srv.sys
2006-08-14 16:04 332928 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0064586.sys

c:\windows\Installer\{62DBBC58-6C51-4793-BA66-45012F8BA32C}\IconTmpl1.0DED9891_8CB9_41F7_A2A0_A7E11270DB0A.exe
2008-11-01 18:56 6144 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061172.exe

c:\windows\Installer\{62DBBC58-6C51-4793-BA66-45012F8BA32C}\IconTmpl3.0DED9891_8CB9_41F7_A2A0_A7E11270DB0A.exe
2008-11-01 18:56 4608 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061173.exe

c:\windows\LastGood.Tmp\system32\drivers\drmk.sys
2008-04-14 00:15 60160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059619.sys

c:\windows\LastGood.Tmp\system32\drivers\ks.sys
2008-04-14 00:46 141056 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059620.sys

c:\windows\LastGood.Tmp\system32\drivers\portcls.sys
2008-04-14 00:49 146048 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059621.sys

c:\windows\LastGood.Tmp\system32\drivers\rdwm1046.sys
2004-04-02 01:07 163390 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059622.sys

c:\windows\LastGood.Tmp\system32\drivers\stream.sys
2008-04-14 00:15 49408 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059623.sys

c:\windows\LastGood.Tmp\system32\ksuser.dll
2008-04-14 05:41 4096 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059625.dll

c:\windows\LastGood.Tmp\system32\rdas1046.dll
2004-04-02 01:07 69632 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059626.dll

c:\windows\LastGood.Tmp\system32\RdCi1046.dll
2004-04-02 01:07 38401 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059627.dll

c:\windows\LastGood.Tmp\system32\rddv1046.dll
2004-04-02 01:07 52636 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059628.dll

c:\windows\LastGood.Tmp\system32\wdmaud.drv
2008-04-14 05:42 23552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0059629.drv

2007-02-13 00:51 741376 c:\windows\system32\audxlib.dll
2007-02-13 00:51 741376 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067473.dll

2007-02-27 02:52 110592 c:\windows\system32\avi.dll
2007-02-27 02:52 110592 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067531.dll

2007-02-27 02:51 99840 c:\windows\system32\avs.dll
2007-02-27 02:51 99840 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067534.dll

2007-02-27 02:52 106496 c:\windows\system32\avss.dll
2007-02-27 02:52 106496 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067535.dll

2004-12-01 23:11 95800 c:\windows\system32\bass.dll
2004-12-01 23:11 95800 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067542.dll

2001-10-28 22:16 250368 c:\windows\system32\C2MP\4bitrate.exe
2001-10-28 22:16 250368 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067551.exe

2004-03-05 01:30 6144 c:\windows\system32\C2MP\AviC.exe
2004-03-05 01:30 6144 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067464.exe

2005-05-05 06:42 69632 c:\windows\system32\C2MP\DivXConfig.exe
2005-05-05 06:42 69632 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067443.exe

2001-10-26 01:38 24576 c:\windows\system32\C2MP\DSEnu.exe
2001-10-26 01:38 24576 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067553.exe

2005-08-09 17:28 275456 c:\windows\system32\C2MP\DSFMgr.exe
2005-08-09 17:28 275456 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067561.exe

2003-09-09 14:30 235008 c:\windows\system32\C2MP\graphedt.exe
2003-09-09 14:30 235008 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067554.exe

2006-11-20 03:50 909312 c:\windows\system32\C2MP\GSpot.exe
2006-11-20 03:50 909312 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067548.exe

2007-01-30 10:33 548864 c:\windows\system32\C2MP\Microsoft.VC80.CRT\msvcp80.dll
2007-01-30 10:33 548864 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067455.dll

2007-01-30 10:33 626688 c:\windows\system32\C2MP\Microsoft.VC80.CRT\msvcr80.dll
2007-01-30 10:33 626688 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067456.dll

2002-06-12 22:22 23040 c:\windows\system32\C2MP\MiniCalc.exe
2002-06-12 22:22 23040 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067465.exe

2002-12-12 05:44 13312 c:\windows\system32\C2MP\msdmo.dll
2002-12-12 05:44 13312 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067549.dll

2007-01-30 10:26 700416 c:\windows\system32\C2MP\npdivx32.dll
2007-01-30 10:26 700416 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067458.dll

2003-12-27 00:56 9216 c:\windows\system32\C2MP\OGMCalc.exe
2003-12-27 00:56 9216 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067466.exe

1999-06-24 06:17 19968 c:\windows\system32\C2MP\SetStereo.exe
1999-06-24 06:17 19968 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067521.exe

2003-11-24 13:58 13824 c:\windows\system32\C2MP\StatsReader.exe
2003-11-24 13:58 13824 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067463.exe

2007-03-05 03:15 26415 c:\windows\system32\C2MP\Un_Parts.exe
2007-03-05 03:15 26415 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067433.exe

2007-03-05 03:15 35220 c:\windows\system32\C2MP\Uninst.exe
2007-03-05 03:15 35220 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067434.exe

2007-03-04 23:09 972306 c:\windows\system32\C2MP\x264.exe
2007-03-04 23:09 972306 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067499.exe

2007-02-01 10:26 639066 c:\windows\system32\DivX.dll
2007-02-01 10:26 639066 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067445.dll

2007-02-01 02:57 524288 c:\windows\system32\DivXsm.exe
2007-02-01 02:57 524288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067441.exe

2008-04-14 00:15 60160 c:\windows\system32\dllcache\drmk.sys
2008-04-14 00:15 60160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058635.sys

2008-04-14 00:46 141056 c:\windows\system32\dllcache\ks.sys
2008-04-14 00:46 141056 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058636.sys

2008-04-14 05:41 4096 c:\windows\system32\dllcache\ksuser.dll
2008-04-14 05:41 4096 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058638.dll

2008-04-14 00:49 146048 c:\windows\system32\dllcache\portcls.sys
2008-04-14 00:49 146048 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058639.sys

2008-04-14 00:15 49408 c:\windows\system32\dllcache\stream.sys
2008-04-14 00:15 49408 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058640.sys

2007-01-30 10:26 73728 c:\windows\system32\dpl100.dll
2007-01-30 10:26 73728 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067452.dll

2007-01-30 10:26 294912 c:\windows\system32\dpu11.dll
2007-01-30 10:26 294912 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067448.dll

2007-01-30 10:26 593920 c:\windows\system32\dpuGUI11.dll
2007-01-30 10:26 593920 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067449.dll

2007-01-30 10:26 344064 c:\windows\system32\dpus11.dll
2007-01-30 10:26 344064 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067450.dll

2007-01-30 10:26 57344 c:\windows\system32\dpv11.dll
2007-01-30 10:26 57344 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067451.dll

2008-04-14 00:15 60160 c:\windows\system32\drivers\drmk.sys
2008-04-14 00:15 60160 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058620.sys

c:\windows\system32\drivers\ikfilesec.sys
2008-02-01 12:55 42376 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061757.sys

c:\windows\system32\drivers\iksysflt.sys
2007-12-10 14:53 66952 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061759.sys

c:\windows\system32\drivers\iksyssec.sys
2007-12-10 14:53 81288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061758.sys

c:\windows\system32\drivers\kcom.sys
2007-12-10 14:53 29576 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0061756.sys

2008-04-14 00:46 141056 c:\windows\system32\drivers\ks.sys
2008-04-14 00:46 141056 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058621.sys

2008-04-14 00:49 146048 c:\windows\system32\drivers\portcls.sys
2008-04-14 00:49 146048 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058624.sys

2004-04-02 01:07 163390 c:\windows\system32\drivers\rdwm1046.sys
2004-04-02 01:07 163390 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058632.sys

2008-04-14 00:15 49408 c:\windows\system32\drivers\stream.sys
2008-04-14 00:15 49408 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058625.sys

2007-02-27 02:53 104960 c:\windows\system32\dsmux.exe
2007-02-27 02:53 104960 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067525.exe

2007-01-30 10:26 196608 c:\windows\system32\dtu100.dll
2007-01-30 10:26 196608 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067453.dll

2007-02-27 02:54 220672 c:\windows\system32\dxr.dll
2007-02-27 02:54 220672 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067532.dll

2007-02-13 00:51 225280 c:\windows\system32\ff_kernelDeint.dll
2007-02-13 00:51 225280 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067474.dll

2007-02-13 00:51 40960 c:\windows\system32\ff_liba52.dll
2007-02-13 00:51 40960 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067475.dll

2007-02-13 00:51 155648 c:\windows\system32\ff_libdts.dll
2007-02-13 00:51 155648 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067476.dll

2007-02-13 00:51 245760 c:\windows\system32\ff_libfaad2.dll
2007-02-13 00:51 245760 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067477.dll

2007-02-13 00:51 118784 c:\windows\system32\ff_libmad.dll
2007-02-13 00:51 118784 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067478.dll

2007-02-13 00:51 97280 c:\windows\system32\ff_realaac.dll
2007-02-13 00:51 97280 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067479.dll

2007-02-13 00:51 122880 c:\windows\system32\ff_samplerate.dll
2007-02-13 00:51 122880 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067480.dll

2007-02-13 00:51 143360 c:\windows\system32\ff_theora.dll
2007-02-13 00:51 143360 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067481.dll

2007-02-13 00:51 79872 c:\windows\system32\ff_tremor.dll
2007-02-13 00:51 79872 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067482.dll

2007-02-13 00:51 38400 c:\windows\system32\ff_unrar.dll
2007-02-13 00:51 38400 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067483.dll

2007-02-13 00:51 10752 c:\windows\system32\ff_vfw.dll
2007-02-13 00:51 10752 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067490.dll

2007-02-13 00:51 26624 c:\windows\system32\ff_wmv9.dll
2007-02-13 00:51 26624 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067484.dll

2007-02-13 00:51 462848 c:\windows\system32\ff_x264.dll
2007-02-13 00:51 462848 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067485.dll

2006-07-07 21:21 8192 c:\windows\system32\FLT_ffdshow.dll
2006-07-07 21:21 8192 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067472.dll

2007-02-27 02:54 239616 c:\windows\system32\gdsmux.exe
2007-02-27 02:54 239616 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067526.exe

2003-12-20 07:08 45568 c:\windows\system32\huffyuv.dll
2003-12-20 07:08 45568 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067508.dll

2008-04-14 05:41 4096 c:\windows\system32\ksuser.dll
2008-04-14 05:41 4096 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058623.dll

2007-02-13 00:51 3426304 c:\windows\system32\libavcodec.dll
2007-02-13 00:51 3426304 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067486.dll

2007-01-30 10:33 1044480 c:\windows\system32\libdivx.dll
2007-01-30 10:33 1044480 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067446.dll

2007-02-13 00:51 114688 c:\windows\system32\libmpeg2_ff.dll
2007-02-13 00:51 114688 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067487.dll

2007-02-13 00:51 399872 c:\windows\system32\libmplayer.dll
2007-02-13 00:51 399872 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067488.dll

2007-02-27 02:52 135168 c:\windows\system32\mkv2vfr.exe
2007-02-27 02:52 135168 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067536.exe

2007-02-27 02:52 150528 c:\windows\system32\mkx.dll
2007-02-27 02:52 150528 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067529.dll

2007-02-27 02:51 79360 c:\windows\system32\mkzlib.dll
2007-02-27 02:51 79360 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067527.dll

2007-02-27 02:52 141312 c:\windows\system32\mp4.dll
2007-02-27 02:52 141312 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067530.dll

2007-02-27 02:52 123392 c:\windows\system32\ogm.dll
2007-02-27 02:52 123392 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067528.dll

2004-04-21 03:30 172032 c:\windows\system32\OptimFROG.dll
2004-04-21 03:30 172032 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067518.dll

2003-09-09 14:28 295936 c:\windows\system32\proppage.dll
2003-09-09 14:28 295936 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067555.dll

2007-01-30 10:33 3596288 c:\windows\system32\qt-dx331.dll
2007-01-30 10:33 3596288 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067440.dll

2004-04-02 01:07 69632 c:\windows\system32\rdas1046.dll
2004-04-02 01:07 69632 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058633.dll

2004-04-02 01:07 38401 c:\windows\system32\RdCi1046.dll
2004-04-02 01:07 38401 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058634.dll

2004-04-02 01:07 52636 c:\windows\system32\rddv1046.dll
2004-04-02 01:07 52636 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058631.dll

2007-01-30 10:33 200704 c:\windows\system32\ssldivx.dll
2007-01-30 10:33 200704 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067447.dll

2007-02-13 00:51 200704 c:\windows\system32\TomsMoComp_ff.dll
2007-02-13 00:51 200704 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067489.dll

2007-02-27 02:52 151552 c:\windows\system32\ts.dll
2007-02-27 02:52 151552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067533.dll

2004-12-10 14:33 438272 c:\windows\system32\vp6vfw.dll
2004-12-10 14:33 438272 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067503.dll

2007-01-09 13:58 974848 c:\windows\system32\VSFilter.dll
2007-01-09 13:58 974848 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067545.dll

2008-04-14 05:42 23552 c:\windows\system32\wdmaud.drv
2008-04-14 05:42 23552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058626.drv
2008-04-14 05:42 23552 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0058630.drv

2006-11-01 20:22 765952 c:\windows\system32\xvidcore.dll
2004-12-20 11:03 679936 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067460.dll

2006-11-01 20:24 180224 c:\windows\system32\xvidvfw.dll
2004-12-20 11:08 155648 {A956970F-DECB-4CDE-B673-597F8AEF843C}\RP143\A0067461.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Everyday Auto Backup"="c:\program files\Everyday Auto Backup\AutoBackup.exe" [2007-11-28 69120]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2008-09-27 634672]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-19 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-01-02 40960]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"wave3"= rddv1046.dll
"midi3"= rddv1046.dll
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^Calc98.LNK]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\Calc98.LNK
backup=c:\windows\pss\Calc98.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-05-04 10:59 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-11-28 00:55 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-11-28 00:55 98304 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-11-06 16:34 177456 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"ose"=3 (0x3)
"niSvcLoc"=2 (0x2)
"NILM License Manager"=3 (0x3)
"NIDomainService"=2 (0x2)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
"LkCitadelServer"=2 (0x2)
"gusvc"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"helpsvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"c:\windows\system32\kdkya.exe"=c:\windows\system32\kdkya.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\R & V\\Program Files\\BitTorrent\\BitTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-07-10 15448]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-19 20560]
R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-08-02 4096]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-03-08 12696]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2005-09-21 55296]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R3 nidimk;nidimk;\??\c:\windows\system32\drivers\nidimkl.sys [2007-07-12 11360]
S2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-28 27904]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-07-18 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-07-18 11896]
S3 NIUSBTMC;NI-VISA USB TMC Driver;c:\windows\system32\DRIVERS\NIUSBTMC.sys [2007-07-19 45160]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-07-19 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-07-19 11360]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\Drivers\rdwm1046.sys [2007-03-22 163390]

*Newly Created Service* - NIPALK
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 10:24:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe??????????????@? ????M????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\rddv1046.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nipalsm.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-01 10:27:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 04:57:19
ComboFix2.txt 2008-11-30 13:28:39

Pre-Run: 2,105,061,376 bytes free
Post-Run: 2,028,597,248 bytes free

898 --- E O F --- 2008-11-14 05:28:11


The following is a fresh HJThis log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:17 AM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Everyday Auto Backup\AutoBackup.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://sibernet.southindianbank.com/corp/B...pType=corporate
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Everyday Auto Backup] C:\Program Files\Everyday Auto Backup\AutoBackup.exe /1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78950DAB-46FB-45FA-991F-D00DAB70CC9A}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

--
End of file - 5870 bytes

#11 fenzodahl512

Posted 01 December 2008 - 01:14 AM

Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
Then, please download and install the latest Java from HERE


------------------------------


Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded, locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




Post me the Kaspersky Online log and tell me, how is your computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 rt60man
  • Topic Starter

Posted 02 December 2008 - 12:05 AM

Amazing!
It shows no infections


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 01, 2008 06:12:47
Records in database: 1428849
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 84409
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:44:11

No malware has been detected. The scan area is clean.

The selected area was scanned.

Edited by rt60man, 02 December 2008 - 12:19 AM.


#13 rt60man
  • Topic Starter

Posted 02 December 2008 - 03:41 AM

My computer's performance has improved a lot.

In fact it's sparkling as of now.

#14 fenzodahl512

Posted 02 December 2008 - 04:18 AM

It shows you are good to go :thumbsup:


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed



Lastly, to keep your operating system up to date please visit the link below monthly.

Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#15 rt60man
  • Topic Starter

Posted 02 December 2008 - 07:22 AM

Thank you so much for weeding out my problem.

The computer feels fresh now and is certainly faster.

The Windows logon problem has disappeared, and so have the agents kdkya and boot.com.

Thank you once again.

Regards,
rt60man



