Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    New Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew Implant

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Photo

FUvirus.exe

Started by rex1104 , Dec 10 2008 02:45 AM

  • This topic is locked This topic is locked
1 reply to this topic

#1 rex1104

rex1104

  • Members
  • 8 posts
  • OFFLINE
    •  
  • Local time:12:21 PM

Posted 10 December 2008 - 02:45 AM

got this virus from my friend's flashdrive. have read your instructions from other thread. will you help me since after doing your instructions i could not see my folders which were infected.
this is the log after i click and drag the CFscript.txt file over the combofix.


ComboFix 08-12-07.04 - Roznet 2008-12-10 11:53:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 8:00]
Running from: c:\documents and settings\Roznet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roznet\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\Downloads.exe
c:\downloads\Downloads.exe
C:\hiberfil.sys.exe
C:\logs.exe
c:\logs\logs.exe
c:\mgtools\MGtools.exe
C:\Mp3 Output.exe
c:\mp3 output\Mp3 Output.exe
C:\New Folder.exe
c:\new folder\New Folder.exe
C:\OutputFolder.exe
c:\outputfolder\OutputFolder.exe
C:\pagefile.sys.exe
C:\PERepairData.exe
c:\perepairdata\PERepairData.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\WINDOWS.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\hiberfil.sys.exe
C:\pagefile.sys.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\temp.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\windows.exe
e:\recycler\RECYCLER.exe

----- File Replicators -----

C:\!KillBox.exe
c:\!killbox\!KillBox.exe
C:\32788R22FWJFW.exe
C:\Found files.exe
c:\found files\Found files.exe
C:\Kpcms.exe
c:\kpcms\Kpcms.exe
C:\MSOCache.exe
c:\msocache\MSOCache.exe
C:\spoolerlogs.exe
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17

Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free

532




this is the log when i ran the combofix for the first time.

ComboFix 08-12-07.04 - Roznet 2008-12-10 11:53:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 8:00]
Running from: c:\documents and settings\Roznet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roznet\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\Downloads.exe
c:\downloads\Downloads.exe
C:\hiberfil.sys.exe
C:\logs.exe
c:\logs\logs.exe
c:\mgtools\MGtools.exe
C:\Mp3 Output.exe
c:\mp3 output\Mp3 Output.exe
C:\New Folder.exe
c:\new folder\New Folder.exe
C:\OutputFolder.exe
c:\outputfolder\OutputFolder.exe
C:\pagefile.sys.exe
C:\PERepairData.exe
c:\perepairdata\PERepairData.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\WINDOWS.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\hiberfil.sys.exe
C:\pagefile.sys.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\temp.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\windows.exe
e:\recycler\RECYCLER.exe

----- File Replicators -----

C:\!KillBox.exe
c:\!killbox\!KillBox.exe
C:\32788R22FWJFW.exe
C:\Found files.exe
c:\found files\Found files.exe
C:\Kpcms.exe
c:\kpcms\Kpcms.exe
C:\MSOCache.exe
c:\msocache\MSOCache.exe
C:\spoolerlogs.exe
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17

Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free

532

BC AdBot (Login to Remove)

 

#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:21 AM

Posted 10 December 2008 - 09:16 AM

ComboFix logs should not to be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum, explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
Back to Anti-Virus, Anti-Malware, and Privacy Software


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Anti-Virus, Anti-Malware, and Privacy Software
  4. Privacy Policy
  5. Rules ·