
virtumonde, virtumonde.generic and smitfraud c


  • This topic is locked
5 replies to this topic

#1 arstudio

  • Members
  • 3 posts
  • OFFLINE
  • Local time: 07:04 AM

Posted 30 November 2008 - 04:41 PM

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-30 22:40:03
Microsoft Windows XP Professional Service Pack 3
System drive C: has 25 GB (70%) free of 35 GB
Total RAM: 3327 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:06 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {0A46AA04-5E93-4695-9E24-40B11F4EC6C6} - (no file)
O2 - BHO: (no name) - {1729116E-F895-454D-8E46-F55EAF2B79B0} - (no file)
O2 - BHO: (no name) - {18449B9B-5D71-49F8-BE48-034F3FD2FBF3} - (no file)
O2 - BHO: (no name) - {433D3CAA-AAB1-410D-9360-00B5604D9308} - (no file)
O2 - BHO: (no name) - {4B9B565A-7DC5-43EC-A1D6-EC02451AFD5C} - C:\WINDOWS\system32\vtuVMEvW.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {2a0853bb-a556-abc9-cbd4-f8e93d83ba35} - {53ab38d3-9e8f-4dbc-9cba-655abb3580a2} - C:\WINDOWS\system32\bhdcun.dll
O2 - BHO: (no name) - {5557547C-2D6F-411C-8EAD-01964C4FC213} - (no file)
O2 - BHO: (no name) - {5EF0D143-06A3-44AC-A23C-7ACE97A0F7C4} - (no file)
O2 - BHO: (no name) - {62B02D9C-0E1C-4D83-B80D-5AFF8CB3E585} - (no file)
O2 - BHO: (no name) - {BC2EC90F-3787-4194-BC2E-2768E1BA2886} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: bhdcun.dll
O20 - Winlogon Notify: urqNHBuS - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 5656 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
C:\WINDOWS\tasks\kxqicfnu.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A46AA04-5E93-4695-9E24-40B11F4EC6C6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1729116E-F895-454D-8E46-F55EAF2B79B0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18449B9B-5D71-49F8-BE48-034F3FD2FBF3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{433D3CAA-AAB1-410D-9360-00B5604D9308}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B9B565A-7DC5-43EC-A1D6-EC02451AFD5C}]
C:\WINDOWS\system32\vtuVMEvW.dll [2008-11-29 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53ab38d3-9e8f-4dbc-9cba-655abb3580a2}]
C:\WINDOWS\system32\bhdcun.dll [2008-11-29 107008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5557547C-2D6F-411C-8EAD-01964C4FC213}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5EF0D143-06A3-44AC-A23C-7ACE97A0F7C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62B02D9C-0E1C-4D83-B80D-5AFF8CB3E585}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC2EC90F-3787-4194-BC2E-2768E1BA2886}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-16 16862720]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Six Engine"=C:\Program Files\ASUS\Six Engine\SixEngine.exe [2008-05-15 5958656]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-08-18 1447168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-05-21 25088]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logo Calibration Loader.lnk - C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
ProfileReminder.lnk - C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="bhdcun.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-08-21 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqNHBuS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-12-06 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-05-21 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\vtuVMEvW

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSMHelp"=1
"ForceClassicControlPanel"=1
"NoSMConfigurePrograms"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Enabled:abc"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\AutoRun/AutoRun.exe


======List of files/folders created in the last 1 months======

2008-11-30 22:35:29 ----D---- C:\rsit
2008-11-30 22:01:50 ----D---- C:\WINDOWS\pss
2008-11-30 21:36:51 ----D---- C:\Program Files\Microsoft Works
2008-11-30 21:36:45 ----D---- C:\Program Files\MSBuild
2008-11-30 21:36:40 ----D---- C:\Program Files\Microsoft Visual Studio
2008-11-30 21:36:39 ----D---- C:\Program Files\Common Files\DESIGNER
2008-11-30 21:36:22 ----D---- C:\Program Files\Microsoft.NET
2008-11-30 21:35:19 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-30 21:34:53 ----D---- C:\WINDOWS\SHELLNEW
2008-11-30 21:34:36 ----D---- C:\Program Files\Microsoft Office
2008-11-30 21:34:36 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-30 21:34:23 ----RHD---- C:\MSOCache
2008-11-30 21:33:19 ----D---- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-11-30 21:32:36 ----D---- C:\Program Files\WinRAR
2008-11-30 21:12:22 ----ASH---- C:\WINDOWS\system32\WvEMVutv.ini2
2008-11-30 20:44:11 ----D---- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-11-30 20:18:52 ----D---- C:\Program Files\Trend Micro
2008-11-30 19:42:02 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-30 13:47:40 ----D---- C:\Documents and Settings\Administrator\Application Data\Spotify
2008-11-30 13:47:37 ----D---- C:\Program Files\Spotify
2008-11-30 12:57:40 ----D---- C:\Documents and Settings\Administrator\Application Data\GretagMacbeth
2008-11-30 12:52:18 ----A---- C:\WINDOWS\system32\qt-mt335.dll
2008-11-30 12:52:18 ----A---- C:\WINDOWS\system32\FTD2XX.dll
2008-11-30 12:49:24 ----D---- C:\Program Files\GretagMacbeth
2008-11-30 12:49:06 ----A---- C:\WINDOWS\AutoRun.ini
2008-11-30 12:42:27 ----D---- C:\Documents and Settings\Administrator\Application Data\WTablet
2008-11-30 12:41:57 ----D---- C:\WINDOWS\system32\WTablet
2008-11-30 12:41:56 ----A---- C:\WINDOWS\system32\Wintab32.dll
2008-11-30 12:41:56 ----A---- C:\WINDOWS\system32\Wacom_Tablet.exe
2008-11-30 12:41:56 ----A---- C:\WINDOWS\system32\Wacom_Tablet.dll
2008-11-30 12:41:54 ----D---- C:\Program Files\Tablet
2008-11-30 12:40:05 ----A---- C:\WINDOWS\system32\hidserv.dll
2008-11-30 11:08:19 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-11-30 11:05:13 ----D---- C:\Program Files\Adobe Media Player
2008-11-30 11:03:47 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-11-30 11:02:51 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-30 11:02:37 ----D---- C:\Program Files\Adobe
2008-11-30 11:01:10 ----D---- C:\Program Files\Common Files\Macrovision Shared
2008-11-30 10:59:26 ----D---- C:\Program Files\Common Files\Adobe
2008-11-30 05:06:15 ----R---- C:\WINDOWS\RTHDCPL.exe
2008-11-30 05:06:15 ----R---- C:\WINDOWS\MicCal.exe
2008-11-30 05:06:13 ----R---- C:\WINDOWS\Alcmtr.exe
2008-11-30 05:06:12 ----R---- C:\WINDOWS\alcwzrd.exe
2008-11-30 05:06:12 ----D---- C:\Program Files\Realtek
2008-11-30 05:06:11 ----R---- C:\WINDOWS\RtlExUpd.dll
2008-11-30 05:06:11 ----A---- C:\WINDOWS\HideWin.exe
2008-11-30 05:05:42 ----D---- C:\WINDOWS\system32\Atheros_L1e
2008-11-30 05:05:39 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-30 04:59:50 ----D---- C:\WINDOWS\ASUSInstAll
2008-11-30 04:55:08 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-30 04:55:07 ----RA---- C:\WINDOWS\system32\CSVer.dll
2008-11-30 04:55:07 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-30 04:55:06 ----D---- C:\Program Files\Intel
2008-11-30 04:54:59 ----D---- C:\Intel
2008-11-30 04:54:36 ----A---- C:\WINDOWS\Ascd_log.ini
2008-11-30 04:51:50 ----RA---- C:\WINDOWS\system32\atiiiexx.dll
2008-11-30 04:51:48 ----RA---- C:\WINDOWS\system32\ATIDEMGX.dll
2008-11-30 04:50:04 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-30 04:47:34 ----A---- C:\WINDOWS\Ascd_tmp.ini
2008-11-30 04:43:56 ----HD---- C:\Program Files\Uninstall Information
2008-11-30 04:43:48 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-11-30 04:43:43 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-11-30 04:43:43 ----ASH---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2008-11-30 04:43:39 ----SD---- C:\WINDOWS\system32\Microsoft
2008-11-30 04:43:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-30 04:42:28 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-11-30 04:42:26 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-30 04:42:10 ----A---- C:\WINDOWS\control.ini
2008-11-30 04:42:10 ----A---- C:\AUTOEXEC.BAT
2008-11-30 04:41:58 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-30 04:41:55 ----D---- C:\WINDOWS\system32\dllcache
2008-11-30 04:41:55 ----A---- C:\WINDOWS\system32\mapi32.dll
2008-11-30 04:41:28 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2008-11-30 04:41:26 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-11-30 04:41:22 ----HD---- C:\Program Files\WindowsUpdate
2008-11-30 04:41:19 ----D---- C:\Program Files\Online Services
2008-11-30 04:41:05 ----A---- C:\WINDOWS\system32\desktop.ini
2008-11-30 04:41:05 ----A---- C:\WINDOWS\desktop.ini
2008-11-30 04:41:02 ----A---- C:\WINDOWS\system32\acctres.dll
2008-11-30 04:41:01 ----D---- C:\Program Files\Common Files\Services
2008-11-30 04:41:00 ----SD---- C:\WINDOWS\Tasks
2008-11-30 04:41:00 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2008-11-30 04:40:59 ----D---- C:\Program Files\Common Files\MSSoap
2008-11-30 04:40:55 ----D---- C:\WINDOWS\srchasst
2008-11-30 04:40:54 ----D---- C:\WINDOWS\system32\Macromed
2008-11-30 04:40:52 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-11-30 04:40:52 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-11-30 04:40:52 ----A---- C:\WINDOWS\system32\wuauserv.dll
2008-11-30 04:40:52 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\wups.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2008-11-30 04:40:51 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2008-11-30 04:40:50 ----A---- C:\WINDOWS\system32\qmgr.dll
2008-11-30 04:40:47 ----D---- C:\Program Files\Movie Maker
2008-11-30 04:40:33 ----A---- C:\WINDOWS\system32\fltMc.exe
2008-11-30 04:40:33 ----A---- C:\WINDOWS\system32\fltlib.dll
2008-11-30 04:40:32 ----D---- C:\WINDOWS\system32\Restore
2008-11-30 04:40:32 ----A---- C:\WINDOWS\system32\srsvc.dll
2008-11-30 04:40:32 ----A---- C:\WINDOWS\system32\srrstr.dll
2008-11-30 04:40:32 ----A---- C:\WINDOWS\system32\srclient.dll
2008-11-30 04:40:32 ----A---- C:\WINDOWS\system32\msoert2.dll
2008-11-30 04:40:32 ----A---- C:\WINDOWS\system32\msoeacct.dll
2008-11-30 04:40:30 ----A---- C:\WINDOWS\system32\inetres.dll
2008-11-30 04:40:30 ----A---- C:\WINDOWS\system32\inetcomm.dll
2008-11-30 04:40:28 ----D---- C:\Program Files\Outlook Express
2008-11-30 04:40:28 ----A---- C:\WINDOWS\system32\schedsvc.dll
2008-11-30 04:40:28 ----A---- C:\WINDOWS\system32\mstinit.exe
2008-11-30 04:40:28 ----A---- C:\WINDOWS\system32\mstask.dll
2008-11-30 04:40:27 ----A---- C:\WINDOWS\system32\isign32.dll
2008-11-30 04:40:27 ----A---- C:\WINDOWS\system32\inetcfg.dll
2008-11-30 04:40:27 ----A---- C:\WINDOWS\system32\icwphbk.dll
2008-11-30 04:40:27 ----A---- C:\WINDOWS\system32\icwdial.dll
2008-11-30 04:40:22 ----D---- C:\Program Files\Common Files\System
2008-11-30 04:39:56 ----D---- C:\Program Files\ComPlus Applications
2008-11-30 04:39:55 ----A---- C:\WINDOWS\vbaddin.ini
2008-11-30 04:39:55 ----A---- C:\WINDOWS\vb.ini
2008-11-30 04:39:52 ----D---- C:\WINDOWS\Registration
2008-11-30 04:39:16 ----A---- C:\WINDOWS\system32\wiaaut.dll
2008-11-30 04:39:16 ----A---- C:\WINDOWS\system32\WhyReboot.exe
2008-11-30 04:39:16 ----A---- C:\WINDOWS\system32\WC.com
2008-11-30 04:39:16 ----A---- C:\WINDOWS\system32\WallChan.exe
2008-11-30 04:39:13 ----A---- C:\WINDOWS\system32\Replacer.cmd
2008-11-30 04:39:12 ----A---- C:\WINDOWS\system32\Reg2InfHandler.cmd
2008-11-30 04:39:12 ----A---- C:\WINDOWS\system32\PCalc.exe
2008-11-30 04:39:11 ----A---- C:\WINDOWS\system32\modifyPE.exe
2008-11-30 04:39:09 ----A---- C:\WINDOWS\system32\RegFileMerger.exe
2008-11-30 04:39:09 ----A---- C:\WINDOWS\system32\makeiso.cmd
2008-11-30 04:39:09 ----A---- C:\WINDOWS\system32\LCISOCreator.exe
2008-11-30 04:39:07 ----A---- C:\WINDOWS\system32\HFExtract.exe
2008-11-30 04:39:06 ----A---- C:\WINDOWS\system32\EXPander.exe
2008-11-30 04:39:05 ----A---- C:\WINDOWS\system32\cdimage.exe
2008-11-30 04:39:05 ----A---- C:\WINDOWS\system32\Cabarc.exe
2008-11-30 04:39:04 ----D---- C:\Program Files\Notepad++
2008-11-30 04:39:03 ----A---- C:\WINDOWS\system32\cygwin1.dll
2008-11-30 04:39:02 ----A---- C:\WINDOWS\system32\autoitx3.dll
2008-11-30 04:39:02 ----A---- C:\WINDOWS\system32\atl71.dll
2008-11-30 04:39:01 ----A---- C:\WINDOWS\system32\wrap_oal.dll
2008-11-30 04:39:01 ----A---- C:\WINDOWS\system32\vb40032.dll
2008-11-30 04:39:01 ----A---- C:\WINDOWS\system32\atl70.dll
2008-11-30 04:39:00 ----A---- C:\WINDOWS\system32\ssleay32.dll
2008-11-30 04:38:59 ----N---- C:\WINDOWS\system32\msvcr71.dll
2008-11-30 04:38:59 ----N---- C:\WINDOWS\system32\msvcp71.dll
2008-11-30 04:38:59 ----A---- C:\WINDOWS\system32\openal32.dll
2008-11-30 04:38:59 ----A---- C:\WINDOWS\system32\msvcr70.dll
2008-11-30 04:38:59 ----A---- C:\WINDOWS\system32\msvcp70.dll
2008-11-30 04:38:59 ----A---- C:\WINDOWS\system32\msvci70.dll
2008-11-30 04:38:59 ----A---- C:\WINDOWS\system32\msstkprp.dll
2008-11-30 04:38:58 ----A---- C:\WINDOWS\system32\msstdfmt.dll
2008-11-30 04:38:57 ----N---- C:\WINDOWS\system32\mfc71.dll
2008-11-30 04:38:57 ----A---- C:\WINDOWS\system32\mfc71u.dll
2008-11-30 04:38:57 ----A---- C:\WINDOWS\system32\mfc70u.dll
2008-11-30 04:38:56 ----A---- C:\WINDOWS\system32\mfc70.dll
2008-11-30 04:38:56 ----A---- C:\WINDOWS\system32\libmmd.dll
2008-11-30 04:38:55 ----A---- C:\WINDOWS\system32\libssl32.dll
2008-11-30 04:38:55 ----A---- C:\WINDOWS\system32\libintl3.dll
2008-11-30 04:38:55 ----A---- C:\WINDOWS\system32\libiconv2.dll
2008-11-30 04:38:54 ----A---- C:\WINDOWS\system32\libeay32.dll
2008-11-30 04:38:54 ----A---- C:\WINDOWS\system32\cygwinb19.dll
2008-11-30 04:38:33 ----D---- C:\Program Files\Utilities
2008-11-30 04:38:31 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-30 04:38:31 ----D---- C:\WINDOWS\Offline Web Pages
2008-11-30 04:38:31 ----A---- C:\WINDOWS\system32\winfxdocobj.exe
2008-11-30 04:38:31 ----A---- C:\WINDOWS\system32\advpack.dll.mui
2008-11-30 04:38:30 ----D---- C:\WINDOWS\wbem
2008-11-30 04:38:30 ----A---- C:\WINDOWS\system32\msfeedssync.exe
2008-11-30 04:38:29 ----RA---- C:\WINDOWS\system32\msfeedsbs.dll
2008-11-30 04:38:28 ----RA---- C:\WINDOWS\system32\ieframe.dll.mui
2008-11-30 04:38:27 ----D---- C:\Program Files\Internet Explorer
2008-11-30 04:38:22 ----D---- C:\Program Files\Windows Media Connect 2
2008-11-30 04:38:21 ----D---- C:\Program Files\Windows Media Player
2008-11-30 04:38:21 ----A---- C:\WINDOWS\system32\write.exe
2008-11-30 04:38:15 ----A---- C:\WINDOWS\system32\sndvol32.exe
2008-11-30 04:38:15 ----A---- C:\WINDOWS\system32\hticons.dll
2008-11-30 04:38:15 ----A---- C:\WINDOWS\system32\avwav.dll
2008-11-30 04:38:15 ----A---- C:\WINDOWS\system32\avtapi.dll
2008-11-30 04:38:15 ----A---- C:\WINDOWS\system32\avmeter.dll
2008-11-30 04:38:14 ----A---- C:\WINDOWS\system32\winchat.exe
2008-11-30 04:38:11 ----A---- C:\WINDOWS\system32\getuname.dll
2008-11-30 04:38:11 ----A---- C:\WINDOWS\system32\charmap.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\winmine.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\tskill.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\sol.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\reset.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\mshearts.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\freecell.exe
2008-11-30 04:38:10 ----A---- C:\WINDOWS\system32\calc.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\tslabels.ini
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\tscon.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\shadow.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\rwinsta.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\regini.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\qwinsta.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\qappsrv.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\msg.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\logoff.exe
2008-11-30 04:38:09 ----A---- C:\WINDOWS\system32\cdmodem.dll
2008-11-30 04:38:05 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2008-11-30 04:38:04 ----A---- C:\WINDOWS\system32\accwiz.exe
2008-11-30 04:38:03 ----D---- C:\Program Files\Windows NT
2008-11-30 04:38:03 ----A---- C:\WINDOWS\system32\mspaint.exe
2008-11-30 04:38:03 ----A---- C:\WINDOWS\system32\mplay32.exe
2008-11-30 04:38:03 ----A---- C:\WINDOWS\system32\hypertrm.dll
2008-11-30 04:38:03 ----A---- C:\WINDOWS\system32\clipbrd.exe
2008-11-30 04:38:02 ----A---- C:\WINDOWS\system32\spider.exe
2008-11-30 04:38:01 ----D---- C:\WINDOWS\system32\en-US
2008-11-30 04:38:01 ----A---- C:\WINDOWS\system32\tsgqec.dll
2008-11-30 04:38:01 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2008-11-30 04:38:01 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2008-11-30 04:38:01 ----A---- C:\WINDOWS\system32\aaclient.dll
2008-11-30 04:38:00 ----A---- C:\WINDOWS\system32\mstscax.dll
2008-11-30 04:38:00 ----A---- C:\WINDOWS\system32\mstsc.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\sessmgr.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\remotepg.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdshost.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdpclip.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\rdchost.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\qprocess.exe
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\icaapi.dll
2008-11-30 04:37:59 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2008-11-30 04:37:58 ----D---- C:\WINDOWS\system32\MsDtc
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\xolehlp.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\mtxoci.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\msdtctm.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\msdtclog.dll
2008-11-30 04:37:58 ----A---- C:\WINDOWS\system32\msdtc.exe
2008-11-30 04:37:57 ----D---- C:\WINDOWS\system32\Com
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\stclient.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\mtxex.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\mtxdm.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\comrepl.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\comaddin.dll
2008-11-30 04:37:57 ----A---- C:\WINDOWS\system32\colbact.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\comuid.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\comsvcs.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\clbcatex.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\catsrvut.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\catsrvps.dll
2008-11-30 04:37:56 ----A---- C:\WINDOWS\system32\catsrv.dll
2008-11-30 04:37:55 ----A---- C:\WINDOWS\system32\comsnap.dll
2008-11-30 04:37:55 ----A---- C:\WINDOWS\system32\clbcatq.dll
2008-11-30 04:37:50 ----A---- C:\WINDOWS\system32\servdeps.dll
2008-11-30 04:37:50 ----A---- C:\WINDOWS\system32\mmfutil.dll
2008-11-30 04:37:50 ----A---- C:\WINDOWS\system32\licwmi.dll
2008-11-30 04:37:49 ----A---- C:\WINDOWS\system32\cmprops.dll
2008-11-29 22:27:16 ----A---- C:\WINDOWS\wininit.ini
2008-11-29 22:18:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-29 22:18:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 22:11:03 ----D---- C:\Documents and Settings\Administrator\Application Data\ESET
2008-11-29 22:10:03 ----D---- C:\Program Files\ESET
2008-11-29 22:10:03 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2008-11-29 21:39:48 ----D---- C:\Program Files\XML Notepad 2007
2008-11-29 21:38:23 ----RSD---- C:\WINDOWS\assembly
2008-11-29 21:37:49 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-29 21:33:48 ----A---- C:\WINDOWS\system32\bhdcun.dll
2008-11-29 21:33:47 ----A---- C:\WINDOWS\system32\rlebcioq.dll
2008-11-29 21:33:21 ----A---- C:\WINDOWS\system32\d7c987c4-.txt
2008-11-29 21:33:08 ----ASH---- C:\WINDOWS\system32\WvEMVutv.ini
2008-11-29 21:33:07 ----A---- C:\WINDOWS\system32\vtuVMEvW.dll
2008-11-29 21:32:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-29 21:32:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-29 21:32:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-29 21:32:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-11-29 21:32:08 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-29 21:31:59 ----D---- C:\WINDOWS\ie7updates
2008-11-29 21:31:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-11-29 21:31:52 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-29 21:31:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-29 21:31:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-29 21:31:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-29 21:31:40 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-29 21:31:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-29 21:31:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-11-29 21:31:33 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-29 21:31:30 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-11-29 21:31:24 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2008-11-29 21:31:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-29 21:31:15 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-29 21:31:14 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-29 21:31:11 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-29 21:31:08 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-29 21:31:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-11-29 21:31:01 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-11-29 21:28:02 ----D---- C:\WINDOWS\system32\PreInstall
2008-11-29 21:28:02 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2008-11-29 21:28:01 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-11-29 21:27:38 ----A---- C:\WINDOWS\system32\ddcYoPFW.dll
2008-11-29 21:27:37 ----A---- C:\WINDOWS\system32\urqNHBuS.dll.vir
2008-11-29 21:18:25 ----D---- C:\Documents and Settings\All Users\Application Data\ebay
2008-11-29 21:15:26 ----D---- C:\Documents and Settings\Administrator\Application Data\.ABC
2008-11-29 21:15:11 ----D---- C:\Program Files\ABC
2008-11-29 21:13:07 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-11-29 21:13:07 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-11-29 21:09:09 ----D---- C:\Program Files\MagicISO
2008-11-29 21:01:54 ----D---- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-11-29 21:01:37 ----SHD---- C:\RECYCLER
2008-11-29 21:00:29 ----D---- C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE
2008-11-29 21:00:23 ----D---- C:\Program Files\GlobalSCAPE
2008-11-29 20:37:08 ----A---- C:\WINDOWS\system32\h323log.txt
2008-11-29 20:35:01 ----A---- C:\WINDOWS\system32\usbui.dll
2008-11-29 20:34:08 ----A---- C:\WINDOWS\imsins.BAK
2008-11-29 20:34:06 ----SHD---- C:\WINDOWS\Installer
2008-11-29 20:34:06 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-29 20:34:05 ----D---- C:\Program Files\Common Files\ODBC
2008-11-29 20:34:05 ----A---- C:\WINDOWS\ODBCINST.INI
2008-11-29 20:34:02 ----RD---- C:\Program Files
2008-11-29 20:34:02 ----D---- C:\Program Files\Common Files\SpeechEngines
2008-11-29 20:34:02 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-29 20:34:02 ----D---- C:\Program Files\Common Files
2008-11-29 20:34:00 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2008-11-29 20:34:00 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2008-11-29 20:34:00 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdur.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdru.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2008-11-29 20:33:58 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2008-11-29 20:33:57 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2008-11-29 20:33:56 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2008-11-29 20:33:56 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2008-11-29 20:33:56 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2008-11-29 20:33:56 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2008-11-29 20:33:56 ----RA---- C:\WINDOWS\system32\kbdest.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdro.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2008-11-29 20:33:54 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2008-11-29 20:33:51 ----A---- C:\WINDOWS\system32\spxcoins.dll
2008-11-29 20:33:51 ----A---- C:\WINDOWS\system32\irclass.dll
2008-11-29 20:33:51 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2008-11-29 20:33:51 ----A---- C:\WINDOWS\system32\dgsetup.dll
2008-11-29 20:33:51 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2008-11-29 20:33:49 ----A---- C:\WINDOWS\TASKMAN.EXE
2008-11-29 20:33:49 -------- C:\WINDOWS\system32\CONFIG.TMP
2008-11-29 20:33:48 ----A---- C:\WINDOWS\system32\batt.dll
2008-11-29 20:33:48 ----A---- C:\WINDOWS\NOTEPAD.EXE
2008-11-29 20:33:46 ----A---- C:\WINDOWS\system32\storprop.dll
2008-11-29 20:33:41 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2008-11-29 20:32:00 ----RA---- C:\WINDOWS\SET8.tmp
2008-11-29 20:31:58 ----RA---- C:\WINDOWS\SET4.tmp
2008-11-29 20:31:56 ----RA---- C:\WINDOWS\SET3.tmp
2008-11-29 20:31:52 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-29 20:31:52 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-29 20:31:47 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-29 20:31:15 ----A---- C:\WINDOWS\setuplog.txt
2008-11-29 20:31:12 ----D---- C:\Documents and Settings
2008-11-29 20:30:29 ----SH---- C:\boot.ini
2008-11-29 20:30:15 ----SHD---- C:\System Volume Information
2008-11-29 20:23:15 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-29 20:23:14 ----RSD---- C:\WINDOWS\Fonts
2008-11-29 20:23:14 ----RD---- C:\WINDOWS\Web
2008-11-29 20:23:14 ----HD---- C:\WINDOWS\inf
2008-11-29 20:23:14 ----D---- C:\WINDOWS\WinSxS
2008-11-29 20:23:14 ----D---- C:\WINDOWS\twain_32
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Temp
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\wins
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\wbem
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\usmt
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\spool
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\ShellExt
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\Setup
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\scripting
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\ras
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\oobe
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\npp
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\mui
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\inetsrv
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\IME
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\icsxml
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\ias
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\export
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\en
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\drivers
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\dhcp
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\config
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\3com_dmi
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\3076
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\2052
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1054
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1042
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1041
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1037
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1033
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1031
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1028
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32\1025
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system32
2008-11-29 20:23:14 ----D---- C:\WINDOWS\system
2008-11-29 20:23:14 ----D---- C:\WINDOWS\security
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Resources
2008-11-29 20:23:14 ----D---- C:\WINDOWS\repair
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Provisioning
2008-11-29 20:23:14 ----D---- C:\WINDOWS\PeerNet
2008-11-29 20:23:14 ----D---- C:\WINDOWS\PCHealth
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Network Diagnostic
2008-11-29 20:23:14 ----D---- C:\WINDOWS\mui
2008-11-29 20:23:14 ----D---- C:\WINDOWS\msapps
2008-11-29 20:23:14 ----D---- C:\WINDOWS\msagent
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Media
2008-11-29 20:23:14 ----D---- C:\WINDOWS\L2Schemas
2008-11-29 20:23:14 ----D---- C:\WINDOWS\java
2008-11-29 20:23:14 ----D---- C:\WINDOWS\ime
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Help
2008-11-29 20:23:14 ----D---- C:\WINDOWS\ehome
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Driver Cache
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Debug
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Cursors
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Connection Wizard
2008-11-29 20:23:14 ----D---- C:\WINDOWS\Config
2008-11-29 20:23:14 ----D---- C:\WINDOWS\AppPatch
2008-11-29 20:23:14 ----D---- C:\WINDOWS\addins
2008-11-29 20:23:14 ----D---- C:\WINDOWS
2008-11-29 20:20:49 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-11-29 20:20:49 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-11-29 20:20:44 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-11-29 20:07:50 ----RA---- C:\WINDOWS\system32\AsIO.dll
2008-11-29 20:07:49 ----D---- C:\WINDOWS\system32\Lang
2008-11-29 20:07:42 ----D---- C:\Program Files\ASUS
2008-11-29 20:06:44 ----R---- C:\WINDOWS\system32\ChCfg.exe
2008-11-29 20:06:25 ----D---- C:\WINDOWS\system32\RTCOM
2008-11-29 20:06:24 ----A---- C:\WINDOWS\system32\ksuser.dll
2008-11-29 20:06:22 ----R---- C:\WINDOWS\SoundMan.exe
2008-11-29 20:06:21 ----R---- C:\WINDOWS\SkyTel.exe
2008-11-29 20:06:21 ----R---- C:\WINDOWS\RtlUpd.exe
2008-11-29 20:06:19 ----R---- C:\WINDOWS\RTLCPL.exe

======List of files/folders modified in the last 1 months======

2008-11-30 22:19:42 ----A---- C:\WINDOWS\win.ini
2008-11-30 22:19:42 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2007-12-17 12400]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-08-18 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-08-18 54280]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-08-18 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-08-18 71688]
R2 PDIHWCTL;PDIHWCTL; \??\C:\WINDOWS\system32\drivers\pdihwctl.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-08-21 3299840]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-08-18 30728]
R3 eyeonedp;eye-one display; C:\WINDOWS\system32\DRIVERS\eyeonedp.sys [2003-11-27 44344]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-20 4800000]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-03-11 36864]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2008-05-21 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 wacmoumonitor;Wacom Mode Helper; C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2008-07-11 13352]
R3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-05-21 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-05-21 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-08-21 573440]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2008-08-18 468224]
R2 TabletServiceWacom;TabletServiceWacom; C:\WINDOWS\system32\Wacom_Tablet.exe [2008-10-10 2749224]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-08-18 19200]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-11-30 655624]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 01 December 2008 - 01:59 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.


NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall



Post these logs in your next reply..

1. SDFix
2. ComboFix
3. A fresh HijackThis log..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 arstudio

arstudio
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 01 December 2008 - 08:35 AM

SDFix: Version 1.240
Run by Administrator on Mon 12/01/2008 at 02:17 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Missing Security Center Service

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP33.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP5A.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP8.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMPF.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 14:20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

Finished!


ComboFix 08-11-30.02 - Administrator 2008-12-01 14:30:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2832 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bhdcun.dll
c:\windows\system32\ddcYoPFW.dll
c:\windows\system32\rlebcioq.dll
c:\windows\system32\urqNHBuS.dll.vir
c:\windows\system32\vtuVMEvW.dll
c:\windows\system32\WvEMVutv.ini
c:\windows\system32\WvEMVutv.ini2
c:\windows\Tasks\kxqicfnu.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 14:24 . 2008-12-01 14:24 <DIR> d-------- c:\windows\system32\xircom
2008-12-01 14:24 . 2008-12-01 14:24 <DIR> d-------- c:\program files\microsoft frontpage
2008-12-01 14:16 . 2008-12-01 14:16 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-01 14:15 . 2008-12-01 14:15 <DIR> d-------- c:\windows\ERUNT
2008-12-01 14:10 . 2008-12-01 14:21 <DIR> d-------- C:\SDFix
2008-12-01 09:35 . 2008-12-01 09:35 <DIR> d-------- c:\program files\Phase One
2008-12-01 09:35 . 2008-12-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Phase One
2008-12-01 09:35 . 2008-10-13 14:50 23,808 --a------ c:\windows\system32\drivers\p1c1394.sys
2008-12-01 09:30 . 2008-12-01 09:30 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-01 09:29 . 2008-12-01 09:29 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-01 09:29 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-11-30 22:35 . 2008-11-30 22:35 <DIR> d-------- C:\rsit
2008-11-30 21:45 . 2008-11-30 21:45 <DIR> d-------- c:\documents and settings\LocalService\Application Data\WTablet
2008-11-30 21:36 . 2008-12-01 09:31 <DIR> d-------- c:\program files\MSBuild
2008-11-30 21:36 . 2008-11-30 21:36 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-30 21:36 . 2008-11-30 21:36 <DIR> d-------- c:\program files\Microsoft Works
2008-11-30 21:35 . 2008-11-30 21:35 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-30 21:34 . 2008-11-30 21:34 <DIR> d-------- c:\windows\SHELLNEW
2008-11-30 21:34 . 2008-11-30 21:34 <DIR> dr-h----- C:\MSOCache
2008-11-30 21:34 . 2008-11-30 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-30 20:44 . 2008-11-30 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Notepad++
2008-11-30 20:18 . 2008-11-30 20:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 13:47 . 2008-11-30 13:47 <DIR> d-------- c:\program files\Spotify
2008-11-30 13:47 . 2008-11-30 19:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spotify
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GretagMacbeth
2008-11-30 12:52 . 2005-09-08 09:35 4,743,168 --a------ c:\windows\system32\qt-mt335.dll
2008-11-30 12:52 . 2005-03-04 14:57 73,728 --a------ c:\windows\system32\FTD2XX.dll
2008-11-30 12:49 . 2008-11-30 12:49 <DIR> d-------- c:\program files\GretagMacbeth
2008-11-30 12:49 . 2004-07-16 18:12 126,976 --a------ c:\windows\system32\drivers\direci2c.dll
2008-11-30 12:49 . 2003-11-27 07:49 44,344 --a------ c:\windows\system32\drivers\EyeOneDp.sys
2008-11-30 12:49 . 2005-07-19 16:04 29,292 --a------ c:\windows\system32\drivers\FTD2XX.sys
2008-11-30 12:49 . 2006-01-30 05:10 26,045 --a------ c:\windows\system32\drivers\i1.sys
2008-11-30 12:49 . 2004-07-16 18:12 14,416 --a------ c:\windows\system32\drivers\pdihwctl.sys
2008-11-30 12:49 . 2008-11-30 12:52 30 --a------ c:\windows\AutoRun.ini
2008-11-30 12:42 . 2008-12-01 14:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\WTablet
2008-11-30 12:42 . 2008-10-10 11:59 6,525,736 --a------ c:\windows\system32\WacomTablet.cpl
2008-11-30 12:42 . 2008-09-30 13:38 1,651,788 --a------ c:\windows\system32\WacomTablet.znc
2008-11-30 12:42 . 2008-07-11 11:16 13,352 --a------ c:\windows\system32\drivers\wacomvhid.sys
2008-11-30 12:42 . 2007-02-15 16:11 11,440 --a------ c:\windows\system32\drivers\WacomVKHid.sys
2008-11-30 12:42 . 2007-02-16 11:12 11,312 --a------ c:\windows\system32\drivers\wacommousefilter.sys
2008-11-30 12:41 . 2008-11-30 12:41 <DIR> d-------- c:\windows\system32\WTablet
2008-11-30 12:41 . 2008-11-30 12:42 <DIR> d-------- c:\program files\Tablet
2008-11-30 12:41 . 2008-10-10 12:13 2,749,224 --a------ c:\windows\system32\Wacom_Tablet.exe
2008-11-30 12:41 . 2008-10-10 12:00 182,056 --a------ c:\windows\system32\Wacom_Tablet.dll
2008-11-30 12:41 . 2008-10-10 11:50 172,840 --a------ c:\windows\system32\Wintab32.dll
2008-11-30 12:41 . 2008-10-06 11:53 15,656 --a------ c:\windows\system32\drivers\wacmoumonitor.sys
2008-11-30 12:40 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-30 12:40 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-30 11:08 . 2008-11-30 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 11:05 . 2008-11-30 11:05 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-30 11:03 . 2008-11-30 11:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 11:01 . 2008-11-30 11:01 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-30 10:59 . 2008-11-30 11:05 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 05:06 . 2008-11-30 05:06 <DIR> d-------- c:\program files\Realtek
2008-11-30 05:06 . 2008-05-16 07:39 16,862,720 -r------- c:\windows\RTHDCPL.exe
2008-11-30 05:06 . 2006-05-04 09:26 2,808,832 -r------- c:\windows\alcwzrd.exe
2008-11-30 05:06 . 2007-06-28 09:44 2,165,760 -r------- c:\windows\MicCal.exe
2008-11-30 05:06 . 2008-03-05 11:07 520,192 -r------- c:\windows\RtlExUpd.dll
2008-11-30 05:06 . 2008-11-30 05:06 315,392 --a------ c:\windows\HideWin.exe
2008-11-30 05:06 . 2005-09-21 03:25 299,008 -ra------ c:\windows\system32\ALSndMgr.cpl
2008-11-30 05:06 . 2005-05-03 11:43 69,632 -r------- c:\windows\Alcmtr.exe
2008-11-30 05:05 . 2008-11-30 05:05 <DIR> d-------- c:\windows\system32\Atheros_L1e
2008-11-30 05:05 . 2008-11-29 21:00 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-30 05:05 . 2008-03-11 12:37 36,864 -ra------ c:\windows\system32\drivers\l1e51x86.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 19:44 --------- d-----w c:\program files\Notepad++
2008-11-30 19:10 --------- d-----w c:\documents and settings\Administrator\Application Data\.ABC
2008-11-30 04:06 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 03:55 --------- d-----w c:\program files\Intel
2008-11-30 03:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-29 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 21:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 21:16 --------- d-----w c:\program files\Utilities
2008-11-29 21:11 --------- d-----w c:\documents and settings\Administrator\Application Data\ESET
2008-11-29 21:10 --------- d-----w c:\program files\ESET
2008-11-29 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-29 20:39 --------- d-----w c:\program files\XML Notepad 2007
2008-11-29 20:18 --------- d-----w c:\documents and settings\All Users\Application Data\ebay
2008-11-29 20:15 --------- d-----w c:\program files\ABC
2008-11-29 20:09 --------- d-----w c:\program files\MagicISO
2008-11-29 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\GlobalSCAPE
2008-11-29 20:00 --------- d-----w c:\program files\GlobalSCAPE
2008-11-29 20:00 --------- d-----w c:\documents and settings\Administrator\Application Data\GlobalSCAPE
2008-11-29 19:07 --------- d-----w c:\program files\ASUS
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

2008-05-21 16:19 361344 68f06fe0021b01e670af37b8c5964fdf c:\windows\system32\drivers\tcpip.sys

2008-05-21 16:35 547328 a55b8899d2ea2e800061bcfd456e34dc c:\windows\system32\winlogon.exe

2008-05-21 16:33 1551872 c26978d5f821a7330439dd7f0aaaf678 c:\windows\explorer.exe

2008-05-21 16:33 25088 b5e8782d4af1b3756f38e11e7c157bbe c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-21 25088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-15 5958656]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-11-30 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-11-30 954368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bhdcun.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 PDIHWCTL;PDIHWCTL;\??\c:\windows\system32\drivers\pdihwctl.sys [2008-11-30 14416]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-30 2749224]
R3 eyeonedp;eye-one display;c:\windows\system32\DRIVERS\eyeonedp.sys [2008-11-30 44344]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-11-30 36864]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-11-30 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2008-11-30 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2008-11-30 13352]
R3 WacomVKHid;Virtual Keyboard Driver;c:\windows\system32\DRIVERS\WacomVKHid.sys [2008-11-30 11440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AutoRun/AutoRun.exe

*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-30 11:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0A46AA04-5E93-4695-9E24-40B11F4EC6C6} - (no file)
BHO-{1729116E-F895-454D-8E46-F55EAF2B79B0} - (no file)
BHO-{18449B9B-5D71-49F8-BE48-034F3FD2FBF3} - (no file)
BHO-{433D3CAA-AAB1-410D-9360-00B5604D9308} - (no file)
BHO-{53ab38d3-9e8f-4dbc-9cba-655abb3580a2} - c:\windows\system32\bhdcun.dll
BHO-{5557547C-2D6F-411C-8EAD-01964C4FC213} - (no file)
BHO-{5EF0D143-06A3-44AC-A23C-7ACE97A0F7C4} - (no file)
BHO-{62B02D9C-0E1C-4D83-B80D-5AFF8CB3E585} - (no file)
BHO-{BC2EC90F-3787-4194-BC2E-2768E1BA2886} - (no file)
BHO-{F109F96B-09F9-4AF8-9B67-7EBD3686390A} - c:\windows\system32\vtuVMEvW.dll
Notify-urqNHBuS - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 14:32:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\sfc_os.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
.
**************************************************************************
.
Completion time: 2008-12-01 14:33:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 13:33:12

Pre-Run: 26,516,852,736 bytes free
Post-Run: 26,460,897,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

219 --- E O F --- 2008-11-29 20:32:20


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:20 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: bhdcun.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 4389 bytes

#4 arstudio (Topic Starter, Members, 3 posts)

Posted 01 December 2008 - 03:59 PM

OK, sorry, the first time I did this I forgot to disable Spybot's SD Helper. Don't know if it matters, but I did it again. After a Spybot scan Smitfraud was still there, but when I removed it, it stayed gone. So I'm all clean now, thanks.

SDFix: Version 1.240
Run by Administrator on Mon 12/01/2008 at 08:59 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 21:03:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Spotify\\spotify.exe"="C:\\Program Files\\Spotify\\spotify.exe:*:Enabled:Spotify"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

Finished!



ComboFix 08-11-30.02 - Administrator 2008-12-01 21:07:33.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3043 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 20:52 . 2008-12-01 21:04 <DIR> d-------- C:\SDFix
2008-12-01 14:24 . 2008-12-01 14:24 <DIR> d-------- c:\windows\system32\xircom
2008-12-01 14:24 . 2008-12-01 14:24 <DIR> d-------- c:\program files\microsoft frontpage
2008-12-01 14:16 . 2008-12-01 14:16 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-01 14:15 . 2008-12-01 14:15 <DIR> d-------- c:\windows\ERUNT
2008-12-01 09:35 . 2008-12-01 09:35 <DIR> d-------- c:\program files\Phase One
2008-12-01 09:35 . 2008-12-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Phase One
2008-12-01 09:35 . 2008-10-13 14:50 23,808 --a------ c:\windows\system32\drivers\p1c1394.sys
2008-12-01 09:30 . 2008-12-01 09:30 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-01 09:29 . 2008-12-01 09:29 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-01 09:29 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-11-30 21:45 . 2008-11-30 21:45 <DIR> d-------- c:\documents and settings\LocalService\Application Data\WTablet
2008-11-30 21:36 . 2008-12-01 09:31 <DIR> d-------- c:\program files\MSBuild
2008-11-30 21:36 . 2008-11-30 21:36 <DIR> d-------- c:\program files\Microsoft.NET
2008-11-30 21:36 . 2008-11-30 21:36 <DIR> d-------- c:\program files\Microsoft Works
2008-11-30 21:35 . 2008-11-30 21:35 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-30 21:34 . 2008-11-30 21:34 <DIR> d-------- c:\windows\SHELLNEW
2008-11-30 21:34 . 2008-11-30 21:34 <DIR> dr-h----- C:\MSOCache
2008-11-30 21:34 . 2008-11-30 21:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-30 20:44 . 2008-11-30 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Notepad++
2008-11-30 20:18 . 2008-11-30 20:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 13:47 . 2008-11-30 13:47 <DIR> d-------- c:\program files\Spotify
2008-11-30 13:47 . 2008-12-01 20:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spotify
2008-11-30 12:57 . 2008-11-30 12:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GretagMacbeth
2008-11-30 12:52 . 2005-09-08 09:35 4,743,168 --a------ c:\windows\system32\qt-mt335.dll
2008-11-30 12:52 . 2005-03-04 14:57 73,728 --a------ c:\windows\system32\FTD2XX.dll
2008-11-30 12:49 . 2008-11-30 12:49 <DIR> d-------- c:\program files\GretagMacbeth
2008-11-30 12:49 . 2004-07-16 18:12 126,976 --a------ c:\windows\system32\drivers\direci2c.dll
2008-11-30 12:49 . 2003-11-27 07:49 44,344 --a------ c:\windows\system32\drivers\EyeOneDp.sys
2008-11-30 12:49 . 2005-07-19 16:04 29,292 --a------ c:\windows\system32\drivers\FTD2XX.sys
2008-11-30 12:49 . 2006-01-30 05:10 26,045 --a------ c:\windows\system32\drivers\i1.sys
2008-11-30 12:49 . 2004-07-16 18:12 14,416 --a------ c:\windows\system32\drivers\pdihwctl.sys
2008-11-30 12:49 . 2008-11-30 12:52 30 --a------ c:\windows\AutoRun.ini
2008-11-30 12:42 . 2008-12-01 14:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\WTablet
2008-11-30 12:42 . 2008-10-10 11:59 6,525,736 --a------ c:\windows\system32\WacomTablet.cpl
2008-11-30 12:42 . 2008-09-30 13:38 1,651,788 --a------ c:\windows\system32\WacomTablet.znc
2008-11-30 12:42 . 2008-07-11 11:16 13,352 --a------ c:\windows\system32\drivers\wacomvhid.sys
2008-11-30 12:42 . 2007-02-15 16:11 11,440 --a------ c:\windows\system32\drivers\WacomVKHid.sys
2008-11-30 12:42 . 2007-02-16 11:12 11,312 --a------ c:\windows\system32\drivers\wacommousefilter.sys
2008-11-30 12:41 . 2008-11-30 12:41 <DIR> d-------- c:\windows\system32\WTablet
2008-11-30 12:41 . 2008-11-30 12:42 <DIR> d-------- c:\program files\Tablet
2008-11-30 12:41 . 2008-10-10 12:13 2,749,224 --a------ c:\windows\system32\Wacom_Tablet.exe
2008-11-30 12:41 . 2008-10-10 12:00 182,056 --a------ c:\windows\system32\Wacom_Tablet.dll
2008-11-30 12:41 . 2008-10-10 11:50 172,840 --a------ c:\windows\system32\Wintab32.dll
2008-11-30 12:41 . 2008-10-06 11:53 15,656 --a------ c:\windows\system32\drivers\wacmoumonitor.sys
2008-11-30 12:40 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-30 12:40 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-30 11:08 . 2008-12-01 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 11:05 . 2008-11-30 11:05 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-30 11:03 . 2008-11-30 11:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-30 11:01 . 2008-11-30 11:01 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-30 10:59 . 2008-11-30 11:05 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-30 05:06 . 2008-11-30 05:06 <DIR> d-------- c:\program files\Realtek
2008-11-30 05:06 . 2008-05-16 07:39 16,862,720 -r------- c:\windows\RTHDCPL.exe
2008-11-30 05:06 . 2006-05-04 09:26 2,808,832 -r------- c:\windows\alcwzrd.exe
2008-11-30 05:06 . 2007-06-28 09:44 2,165,760 -r------- c:\windows\MicCal.exe
2008-11-30 05:06 . 2008-03-05 11:07 520,192 -r------- c:\windows\RtlExUpd.dll
2008-11-30 05:06 . 2008-11-30 05:06 315,392 --a------ c:\windows\HideWin.exe
2008-11-30 05:06 . 2005-09-21 03:25 299,008 -ra------ c:\windows\system32\ALSndMgr.cpl
2008-11-30 05:06 . 2005-05-03 11:43 69,632 -r------- c:\windows\Alcmtr.exe
2008-11-30 05:05 . 2008-11-30 05:05 <DIR> d-------- c:\windows\system32\Atheros_L1e
2008-11-30 05:05 . 2008-11-29 21:00 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-30 05:05 . 2008-03-11 12:37 36,864 -ra------ c:\windows\system32\drivers\l1e51x86.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 19:44 --------- d-----w c:\program files\Notepad++
2008-11-30 19:10 --------- d-----w c:\documents and settings\Administrator\Application Data\.ABC
2008-11-30 04:06 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-30 03:55 --------- d-----w c:\program files\Intel
2008-11-30 03:38 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-29 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 21:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 21:16 --------- d-----w c:\program files\Utilities
2008-11-29 21:11 --------- d-----w c:\documents and settings\Administrator\Application Data\ESET
2008-11-29 21:10 --------- d-----w c:\program files\ESET
2008-11-29 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-29 20:39 --------- d-----w c:\program files\XML Notepad 2007
2008-11-29 20:18 --------- d-----w c:\documents and settings\All Users\Application Data\ebay
2008-11-29 20:15 --------- d-----w c:\program files\ABC
2008-11-29 20:09 --------- d-----w c:\program files\MagicISO
2008-11-29 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\GlobalSCAPE
2008-11-29 20:00 --------- d-----w c:\program files\GlobalSCAPE
2008-11-29 20:00 --------- d-----w c:\documents and settings\Administrator\Application Data\GlobalSCAPE
2008-11-29 19:07 --------- d-----w c:\program files\ASUS
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\dllcache\msxml3.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-01_14.33.01.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-01 13:15:40 4,767,744 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-12-01 19:58:34 4,767,744 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-12-01 13:15:40 40,960 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-12-01 19:58:34 40,960 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-07-31 03:19:10 271,224 ----a-w c:\windows\system32\mucltui.dll
+ 2008-07-18 21:07:34 270,880 ----a-w c:\windows\system32\mucltui.dll
- 2007-09-23 19:52:58 207,736 ----a-w c:\windows\system32\muweb.dll
+ 2008-07-18 21:07:32 210,976 ----a-w c:\windows\system32\muweb.dll
- 2008-12-01 13:29:10 67,220 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-01 13:57:29 67,220 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-01 13:29:10 430,496 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-01 13:57:29 430,496 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-21 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-15 5958656]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-11-30 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-11-30 954368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bhdcun.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-11-30 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2008-11-30 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2008-11-30 13352]
R3 WacomVKHid;Virtual Keyboard Driver;c:\windows\system32\DRIVERS\WacomVKHid.sys [2008-11-30 11440]
S2 PDIHWCTL;PDIHWCTL;\??\c:\windows\system32\drivers\pdihwctl.sys [2008-11-30 14416]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-30 2749224]
S3 eyeonedp;eye-one display;c:\windows\system32\DRIVERS\eyeonedp.sys [2008-11-30 44344]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-11-30 36864]
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-30 11:19]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 21:08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(248)
c:\windows\system32\sfc_os.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
Completion time: 2008-12-01 21:08:47
ComboFix-quarantined-files.txt 2008-12-01 20:08:32

Pre-Run: 26,373,447,680 bytes free
Post-Run: 26,363,318,272 bytes free

198 --- E O F --- 2008-11-29 20:32:20



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:54 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: bhdcun.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 3512 bytes

#5 fenzodahl512 (Members, 6,738 posts)

Posted 01 December 2008 - 06:44 PM

Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let "Unregister Dll's and Ocx's" remain ticked and "Zip Files After Moves" remain unticked.
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    D:\AutoRun
    
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply.

1. OTMoveIt3
2. Malwarebytes'
3. ESET Online Scanner
4. Tell me, how is your computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
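The OTMoveIt3 script above targets two persistence points that show up in the logs earlier in this thread: the non-empty AppInit_DLLs value (the O20 line) and the D: drive AutoRun command under MountPoints2. The following Python triage helper is an added example, not a tool from this thread or from any of the tools named in it; it parses HijackThis and ComboFix log lines for those two items and for BHO DLLs sitting directly in system32, using sample lines constructed from the logs posted above.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example, not part of this thread).

Flags three things the thread's logs and the OTMoveIt3 fix revolve around:
  * a non-empty AppInit_DLLs value (HijackThis 'O20 - AppInit_DLLs:' line),
  * a drive AutoRun command recorded under MountPoints2 (ComboFix '\\Shell\\AutoRun\\command' line),
  * BHO DLLs that live directly in system32 (HijackThis 'O2 - BHO:' lines and
    ComboFix 'BHO-{guid} - path' orphan lines), where bhdcun.dll and vtuVMEvW.dll were found.
"""
import re

# Sample lines constructed from the logs posted in this thread (not a full log).
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O20 - AppInit_DLLs: bhdcun.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET Smart Security\\ekrn.exe
BHO-{53ab38d3-9e8f-4dbc-9cba-655abb3580a2} - c:\\windows\\system32\\bhdcun.dll
BHO-{F109F96B-09F9-4AF8-9B67-7EBD3686390A} - c:\\windows\\system32\\vtuVMEvW.dll
BHO-{0A46AA04-5E93-4695-9E24-40B11F4EC6C6} - (no file)
\\Shell\\AutoRun\\command - D:\\AutoRun/AutoRun.exe
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")
# Lazy name match, anchored on the ' - {GUID} - ' that precedes the DLL path.
BHO_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
ORPHAN_BHO_RE = re.compile(r"^BHO-\{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# A DLL directly under <drive>:\windows\system32 (no subfolder), case-insensitive.
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)


def triage(log_text):
    """Scan log lines and return the findings grouped by persistence type."""
    findings = {"appinit_dlls": [], "autorun_commands": [], "system32_bhos": []}
    for raw in log_text.splitlines():
        line = raw.strip()

        m = APPINIT_RE.match(line)
        if m:
            value = m.group("value").strip()
            if value:  # an empty AppInit_DLLs value is the clean state
                findings["appinit_dlls"].append(value)
            continue

        m = AUTORUN_RE.match(line)
        if m:
            findings["autorun_commands"].append(m.group("cmd").strip())
            continue

        m = BHO_RE.match(line) or ORPHAN_BHO_RE.match(line)
        if m:
            path = m.group("path").strip()
            # '(no file)' entries are dead registrations; only flag DLLs present in system32.
            if path != "(no file)" and SYSTEM32_DLL_RE.match(path):
                findings["system32_bhos"].append(path)
    return findings


def is_clean(findings):
    """True when none of the three persistence checks produced a finding."""
    return not any(findings.values())


def report(findings):
    """Render findings as plain text, one line per item."""
    lines = []
    for kind, items in findings.items():
        for item in items:
            lines.append(f"{kind}: {item}")
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```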


#6 fenzodahl512 (Members, 6,738 posts)

Posted 06 December 2008 - 02:21 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





