I got this virus from my friend's flash drive. I have read your instructions from the other thread. Will you help me, since after doing your instructions I could not see my folders which were infected?
This is the log after I clicked and dragged the CFscript.txt file over ComboFix.
ComboFix 08-12-07.04 - Roznet 2008-12-10 11:53:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 8:00]
Running from: c:\documents and settings\Roznet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roznet\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\Downloads.exe
c:\downloads\Downloads.exe
C:\hiberfil.sys.exe
C:\logs.exe
c:\logs\logs.exe
c:\mgtools\MGtools.exe
C:\Mp3 Output.exe
c:\mp3 output\Mp3 Output.exe
C:\New Folder.exe
c:\new folder\New Folder.exe
C:\OutputFolder.exe
c:\outputfolder\OutputFolder.exe
C:\pagefile.sys.exe
C:\PERepairData.exe
c:\perepairdata\PERepairData.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\WINDOWS.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\hiberfil.sys.exe
C:\pagefile.sys.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\temp.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\windows.exe
e:\recycler\RECYCLER.exe
----- File Replicators -----
C:\!KillBox.exe
c:\!killbox\!KillBox.exe
C:\32788R22FWJFW.exe
C:\Found files.exe
c:\found files\Found files.exe
C:\Kpcms.exe
c:\kpcms\Kpcms.exe
C:\MSOCache.exe
c:\msocache\MSOCache.exe
C:\spoolerlogs.exe
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17
Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free
This is the log from when I ran ComboFix for the first time.
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17
Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free
532