FUvirus.exe


6 replies to this topic

#1 rex1104

Posted 10 December 2008 - 11:27 PM

Hi!

I got infected with FUvirus.exe, which I got from a friend's flash drive. I have 2 HDDs, and both got infected. I have read some of the previous topics here regarding the instructions on how to get rid of the virus by using COMBOFIX. I have properly and carefully followed the instructions and had the virus deleted. My problem now is that I could no longer see the folders that got infected. Good thing I have a shortcut created on the desktop to access my important files (located in a folder which I could no longer see). In my main drive the only folder that is visible is Program Files. All folders are hidden. Below are the logs created before and after I used ComboFix and the CFscript.txt.

This is the log from when I ran ComboFix for the first time.

ComboFix 08-12-07.04 - Roznet 2008-12-10 11:53:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 8:00]
Running from: c:\documents and settings\Roznet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roznet\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\Downloads.exe
c:\downloads\Downloads.exe
C:\hiberfil.sys.exe
C:\logs.exe
c:\logs\logs.exe
c:\mgtools\MGtools.exe
C:\Mp3 Output.exe
c:\mp3 output\Mp3 Output.exe
C:\New Folder.exe
c:\new folder\New Folder.exe
C:\OutputFolder.exe
c:\outputfolder\OutputFolder.exe
C:\pagefile.sys.exe
C:\PERepairData.exe
c:\perepairdata\PERepairData.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\WINDOWS.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\hiberfil.sys.exe
C:\pagefile.sys.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\temp.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\windows.exe
e:\recycler\RECYCLER.exe

----- File Replicators -----

C:\!KillBox.exe
c:\!killbox\!KillBox.exe
C:\32788R22FWJFW.exe
C:\Found files.exe
c:\found files\Found files.exe
C:\Kpcms.exe
c:\kpcms\Kpcms.exe
C:\MSOCache.exe
c:\msocache\MSOCache.exe
C:\spoolerlogs.exe
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17

Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free

532



_______________________________________________________________________________
After using ComboFix with CFscript.txt:


ComboFix 08-12-07.04 - Roznet 2008-12-10 11:53:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT 8:00]
Running from: c:\documents and settings\Roznet\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roznet\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\Downloads.exe
c:\downloads\Downloads.exe
C:\hiberfil.sys.exe
C:\logs.exe
c:\logs\logs.exe
c:\mgtools\MGtools.exe
C:\Mp3 Output.exe
c:\mp3 output\Mp3 Output.exe
C:\New Folder.exe
c:\new folder\New Folder.exe
C:\OutputFolder.exe
c:\outputfolder\OutputFolder.exe
C:\pagefile.sys.exe
C:\PERepairData.exe
c:\perepairdata\PERepairData.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\WINDOWS.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cmdcons.exe
c:\cmdcons\cmdcons.exe
C:\ComboFix.exe
c:\combofix\32788R22FWJFW.exe
c:\combofix\ComboFix.exe
C:\Config.Msi.exe
c:\config.msi\Config.Msi.exe
C:\Documents and Settings.exe
c:\documents and settings\All Users\Desktop\Documents.exe
c:\documents and settings\Documents and Settings.exe
C:\hiberfil.sys.exe
C:\pagefile.sys.exe
C:\Program Files.exe
c:\program files\Program Files.exe
C:\Qoobox.exe
c:\qoobox\Qoobox.exe
C:\RECYCLER.exe
c:\recycler\RECYCLER.exe
C:\System Volume Information.exe
C:\temp.exe
C:\WINDOWS.exe
c:\windows\system32\FUvirus.exe
c:\windows\windows.exe
e:\recycler\RECYCLER.exe

----- File Replicators -----

C:\!KillBox.exe
c:\!killbox\!KillBox.exe
C:\32788R22FWJFW.exe
C:\Found files.exe
c:\found files\Found files.exe
C:\Kpcms.exe
c:\kpcms\Kpcms.exe
C:\MSOCache.exe
c:\msocache\MSOCache.exe
C:\spoolerlogs.exe
c:\spoolerlogs\spoolerlogs.exe
c:\temp\Temp.exe
E:\Arman.exe
e:\arman\Arman.exe
E:\Ate Meng.exe
e:\ate meng\Ate Meng.exe
E:\dwhelper.exe
e:\dwhelper\dwhelper.exe
E:\Epson Tools.exe
e:\epson tools\Epson Tools.exe
E:\FilePrinting.exe
e:\fileprinting\FilePrinting.exe
E:\Games.exe
e:\games\Games.exe
E:\Joc and Kim.exe
e:\joc and kim\Joc and Kim.exe
E:\kuya jonjon pix.exe
e:\kuya jonjon pix\kuya jonjon pix.exe
E:\Movies.exe
e:\movies\Movies.exe
E:\My docs.exe
e:\my docs\My docs.exe
E:\NBA LIVE 07.exe
e:\nba live 07\NBA LIVE 07.exe
E:\New Folder.exe
e:\new folder\New Folder.exe
E:\Qoobox.exe
e:\qoobox\Qoobox.exe
E:\RECYCLER.exe
E:\Reports.exe
e:\reports\Reports.exe
E:\ROZNET.exe
e:\roznet\ROZNET.exe
E:\System Volume Information.exe
.
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 11:53 . 2008-12-10 11:53 31,786 --a------ C:\ComboFix_error.dat
2008-12-10 10:41 . 2008-12-10 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-10 01:19 . 2007-03-25 13:27 43,399 --a------ c:\program files\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz.zip
2008-12-09 22:37 . 2008-12-10 01:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-09 21:40 . 2008-12-09 21:58 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-09 13:45 . 2008-12-09 13:46 <DIR> d-------- c:\program files\Magic Video Converter
2008-12-09 13:45 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-12-09 13:45 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-12-09 13:45 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-12-03 22:45 . 2008-12-03 22:46 <DIR> d-------- c:\program files\PowerISO
2008-12-03 12:34 . 2008-12-03 12:36 <DIR> d-------- c:\documents and settings\Roznet\Application Data\kalypte-msg
2008-12-03 12:29 . 2008-12-03 12:29 <DIR> d-------- c:\program files\Uzzap
2008-12-03 02:09 . 2008-12-10 11:56 <DIR> d--hs---- C:\Found files
2008-11-30 22:24 . 2008-11-30 22:24 9,662 --a------ c:\windows\EPISME00.SWB
2008-11-28 14:11 . 2008-11-28 14:15 <DIR> d-------- c:\program files\Unlocker
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-27 12:51 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-23 20:12 . 2008-12-10 11:56 <DIR> d--hs---- C:\spoolerlogs
2008-11-23 16:29 . 2004-04-30 16:07 122,880 --a------ c:\windows\system32\SAgent4.exe
2008-11-23 16:29 . 2004-02-19 17:03 65,536 --a------ c:\windows\system32\E_S00RP1.EXE
2008-11-20 16:13 . 2008-11-23 14:14 <DIR> d-------- c:\program files\DU Meter
2008-11-20 16:13 . 2008-11-20 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hagel Technologies
2008-11-16 11:38 . 2008-11-18 21:34 <DIR> d-------- c:\documents and settings\Roznet\temp
2008-11-16 11:38 . 2008-11-16 12:20 <DIR> d-------- c:\documents and settings\Roznet\Application Data\TeamViewer
2008-11-14 22:57 . 2008-11-14 22:57 <DIR> d-------- c:\temp\Ogif
2008-11-14 08:40 . 2008-11-25 10:06 322,560 --a------ c:\windows\system32\xobgcvku.kns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 16:03 --------- d-----w c:\program files\Warcraft III
2008-12-09 09:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-09 01:17 --------- d-----w c:\program files\MYGAME Launcher
2008-12-09 01:17 --------- d-----w c:\program files\Garena
2008-12-08 06:10 --------- d-----w c:\program files\Folder Lock
2008-12-02 15:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 01:55 --------- d-----w c:\documents and settings\Roznet\Application Data\U3
2008-11-17 06:20 --------- d-----w c:\program files\YIntai
2008-11-12 00:38 --------- d-----w c:\program files\Common Files\Adobe
2008-11-03 00:44 --------- d-----w c:\program files\NBA
2008-11-02 04:09 --------- d-----w c:\program files\Magic Music Editor
2008-11-02 04:09 --------- d-----w c:\program files\LimeWire
2008-11-02 04:09 --------- d-----w c:\program files\DivX
2008-11-02 04:09 --------- d-----w c:\program files\Acoustica CD Label Maker
2008-10-25 04:04 --------- d-----w c:\documents and settings\Roznet\Application Data\DivX
2008-10-21 11:46 --------- d-----w c:\program files\Google
2008-10-20 00:26 --------- d-----w c:\program files\Macromedia
2008-10-03 01:30 50,688 ----a-w c:\windows\system32\wbhelp2.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-09 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"snpstd3"="c:\windows\vsnpstd3.exe" [2005-09-05 339968]
"EPSON Stylus Photo R230 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE" [2005-03-09 98304]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-09-29 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
--------- 2005-10-03 11:23 20480 c:\windows\CameraFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-07-04 14:20 161064 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:07 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Restore]
--a------ 2004-08-04 09:07 114688 c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R230 Series (Copy 1)"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R230"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6077:TCP"= 6077:TCP:*:Disabled:SolidNetworkManager
"6077:UDP"= 6077:UDP:*:Disabled:SolidNetworkManager
"22971:TCP"= 22971:TCP:*:Disabled:SolidNetworkManager
"22971:UDP"= 22971:UDP:*:Disabled:SolidNetworkManager
"3874:TCP"= 3874:TCP:*:Disabled:SolidNetworkManager
"3874:UDP"= 3874:UDP:*:Disabled:SolidNetworkManager

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-09 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07853cad-8df7-11dd-ac26-00192188e187}]
\Shell\AutoRun\command - F:\g2lbn.cmd
\Shell\explore\Command - F:\g2lbn.cmd
\Shell\open\Command - F:\g2lbn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08259ede-82d4-11dd-ac10-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de961-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de970-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de981-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de98e-6672-11dd-abdc-00192188e187}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{156de991-6672-11dd-abdc-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a10001a-7a20-11dd-ac04-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eeab6d3-798d-11dd-ac03-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{229aada4-91b3-11dd-ac2c-00192188e187}]
\Shell\AutoRun\command - w00g.exe
\Shell\explore\Command - w00g.exe
\Shell\open\Command - w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a0-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3170a5a7-7e0c-11dd-ac0a-00192188e187}]
\Shell\AutoRun\command - F:\unt3obe.bat
\Shell\explore\Command - F:\unt3obe.bat
\Shell\open\Command - F:\unt3obe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3459c0b5-a3cb-11dd-bba2-00192188e187}]
\shelL\AutoplAy\COMmand - joijfa.cmd
\shelL\AutoRun\command - joijfa.cmd
\shelL\exPlorE\commaND - joijfa.cmd
\shelL\oPen\ComMaNd - joijfa.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f4d5ed-8d0a-11dd-ac22-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40e054ea-73ff-11dd-abf9-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4868b2d2-ad58-11dd-bbc1-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a321faa-7305-11dd-abf6-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c75e6-8dc2-11dd-ac24-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9d0-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c35b9da-6749-11dd-abdd-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4160eb-bf64-11dd-bbf9-00192188e187}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c51a95-9bdd-11dd-bb90-00192188e187}]
\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b85099-9352-11dd-bb7b-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a3422a-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - F:\SilentSoftech.exe
\Shell\open\command - F:\SilentSoftech.exe
\Shell\var1\command - F:\SilentSoftech.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a34235-69a2-11dd-abe2-00192188e187}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883ba095-7242-11dd-abf5-00192188e187}]
\Shell\AutoRun\command - F:\Auto.exe %1
\Shell\Explore\command - F:\Auto.exe %1
\Shell\Open\command - F:\Auto.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c75d674-940e-11dd-bb80-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9160bc68-74aa-11dd-abfb-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94796bea-81f6-11dd-ac0f-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800c0-65f8-11dd-abdb-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{948800e4-65f8-11dd-abdb-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f2a0cb7-8f52-11dd-ac28-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61a9103-6e75-11dd-abed-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b789ab30-6b2c-11dd-abe4-00192188e187}]
\Shell\AutoRun\command - F:\SilentSoftech.exe
\Shell\explore\command - password_viewer.exe %1
\Shell\open\command - password_viewer.exe %1
\Shell\var1\command - F:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6ea49a5-68e1-11dd-abe0-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52d-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - F:\ghk.bat
\Shell\explore\Command - F:\ghk.bat
\Shell\open\Command - F:\ghk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbf6b52f-756c-11dd-abfc-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13510ff-788a-11dd-ac01-00192188e187}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1351101-788a-11dd-ac01-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7e6f124-89db-11dd-ac1b-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89d0bf7-77cc-11dd-ac00-00192188e187}]
\Shell\AutoRun\command - F:\password_viewer.exe %1
\Shell\Explore\command - F:\password_viewer.exe %1
\Shell\Open\command - F:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9135df9-76f8-11dd-abfe-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e16ccd3b-6f1f-11dd-abee-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae6316-959a-11dd-bb85-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d0299-6d95-11dd-abea-00192188e187}]
\Shell\Auto\command - exp1orer.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exp1orer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d02ad-6d95-11dd-abea-00192188e187}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb15e6df-8c34-11dd-ac20-00192188e187}]
\Shell\AutoPlay\Command - wscript.exe ntidr.vbs
\Shell\AutoRun\command - wscript.exe ntidr.vbs
\Shell\Explore\Command - wscript.exe ntidr.vbs
\Shell\Open\Command - wscript.exe ntidr.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e198a-8775-11dd-ac17-00192188e187}]
\Shell\AutoRun\command - G:\password_viewer.exe %1
\Shell\Explore\command - G:\password_viewer.exe %1
\Shell\Open\command - G:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe4e1995-8775-11dd-ac17-00192188e187}]
\Shell\Auto\command - F:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - F:\Recycled/dllcache32.exe
\Shell\open\Command - F:\Recycled/dllcache32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
mWindow Title =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,121.1.3.208
FireFox -: Profile - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\
FF -: plugin - c:\documents and settings\Roznet\Application Data\Mozilla\Firefox\Profiles\7wupe1lt.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 11:57:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\E_S00RP1.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 11:59:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 03:59:48
ComboFix2.txt 2008-12-10 03:49:17

Pre-Run: 25,217,392,640 bytes free
Post-Run: 25,196,425,216 bytes free

#2 rex1104
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:46 AM

Posted 14 December 2008 - 08:18 PM

No reply yet?

#3 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:46 PM

Posted 17 December 2008 - 06:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE


Please hold on; it may take us a day or so to get back to you.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 rex1104
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:46 AM

Posted 08 January 2009 - 11:01 PM

I have attached a screenshot of my netstat. I found several activities which seem like port scanning.
Please check. Thanks so much!


DDS (Ver_09-01-07.01) - NTFSx86
Run by Roznet at 9:54:13.53 on Fri 01/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.604 [GMT 8:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Edigitaledge\TimerServer\TimerServer.exe
svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Roznet\Desktop\dds.com
C:\Documents and Settings\Roznet\Desktop\Virus Removal Tool\unins000.exe
C:\DOCUME~1\Roznet\LOCALS~1\Temp\_iu14D2N.tmp
C:\Documents and Settings\Roznet\Desktop\Virus Removal Tool\is-1FM6U\minst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\runonce.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [EPSON Stylus Photo R230 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIP.EXE /P30 "EPSON Stylus Photo R230 Series" /M "Stylus Photo R230" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [EPSON Stylus Photo R230 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIP.EXE /P30 "EPSON Stylus Photo R230 Series" /O6 "USB001" /M "Stylus Photo R230"
mRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [HttpDetect]
StartupFolder: c:\docume~1\roznet\startm~1\programs\startup\is-1fm6u.lnk - c:\documents and settings\roznet\desktop\virus removal tool\is-1fm6u\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
uPolicies-explorer: NoFileAssociate = 0 (0x0)
uPolicies-explorer: RestrictCpl = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-explorer: RestrictCpl = 0 (0x0)
mPolicies-explorer: NoThemesTab = 0 (0x0)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
TCP: {394227C8-5BFA-4E5F-B9FF-359556D41585} = 202.126.40.5,202.95.226.66

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roznet\applic~1\mozilla\firefox\profiles\7wupe1lt.default\
FF - plugin: c:\documents and settings\roznet\application data\mozilla\firefox\profiles\7wupe1lt.default\extensions\solidstateion@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll

============= SERVICES / DRIVERS ===============

R4 is-1FM6Udrv;is-1FM6Udrv; [x]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-28 138112]

=============== Created Last 30 ================

2009-01-09 09:51 <DIR> --d-h--- c:\windows\PIF
2009-01-09 01:00 <DIR> --d----- c:\program files\COMODO
2009-01-08 22:10 9,314,336 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-08 22:10 47,384 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-07 13:04 <DIR> --d----- c:\program files\e-Games
2009-01-06 13:04 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-28 13:12 25,600 ac------ c:\windows\system32\dllcache\usbser.sys
2008-12-28 13:12 25,600 a------- c:\windows\system32\drivers\usbser.sys
2008-12-28 13:12 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2008-12-28 13:12 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-28 13:12 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-28 13:12 23,856 a------- c:\windows\system32\spupdsvc.exe
2008-12-28 13:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nokia
2008-12-28 13:09 8,064 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-12-28 13:09 8,064 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2008-12-28 13:09 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2008-12-28 13:09 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2008-12-28 13:09 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2008-12-28 13:09 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2008-12-28 13:08 8,320 a------- c:\windows\system32\drivers\nmwcdnsuc.sys
2008-12-28 13:08 138,112 a------- c:\windows\system32\drivers\nmwcdnsu.sys
2008-12-28 13:08 91,136 a------- c:\windows\system32\nmwcdcls.dll
2008-12-28 13:08 <DIR> --d----- c:\program files\common files\Nokia
2008-12-28 13:08 <DIR> --d----- c:\program files\Nokia
2008-12-28 13:07 <DIR> --d----- c:\program files\MSXML 6.0
2008-12-25 16:34 <DIR> --d----- c:\program files\EdgeStream
2008-12-22 07:54 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-22 07:54 1,409 a------- c:\windows\QTFont.for
2008-12-17 09:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IJJIGame
2008-12-17 09:07 <DIR> --d----- C:\ijji
2008-12-16 10:11 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-12-15 12:30 4 a------- c:\windows\system32\proc625010911.bin
2008-12-15 12:25 <DIR> --d----- c:\docume~1\roznet\applic~1\GanymedeNet
2008-12-11 08:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 08:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-10 20:43 <DIR> --d----- c:\program files\Sling Media
2008-12-10 16:07 10,044 a------- c:\windows\system32\mspriv32.dll
2008-12-10 16:07 <DIR> --d----- c:\program files\Advanced Spyware Remover Pro
2008-12-10 16:01 <DIR> --d----- c:\program files\Only PCTools All-in-One
2008-12-10 15:57 <DIR> --d----- c:\windows\setup.pss
2008-12-10 15:52 1,905 a------- c:\windows\diagwrn.xml
2008-12-10 15:52 1,905 a------- c:\windows\diagerr.xml
2008-12-10 11:39 <DIR> --dsh--- C:\cmdcons
2008-12-10 11:36 161,792 a------- c:\windows\SWREG.exe
2008-12-10 11:36 98,816 a------- c:\windows\sed.exe
2008-12-10 10:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com

==================== Find3M ====================

2008-12-09 10:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 10:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 10:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 10:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-11-07 00:37 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-07 00:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-07 00:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-07 00:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-07 00:33 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-11-07 00:33 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-11-07 00:33 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-11-07 00:33 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-11-07 00:33 684,032 a------- c:\windows\system32\DivX.dll
2008-11-07 00:33 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

============= FINISH: 9:55:22.39 ===============

#5 rex1104
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:46 AM

Posted 08 January 2009 - 11:05 PM

The site won't allow me to attach.

Anyway, it looks like this:

C:\Documents and Settings\Roznet>netstat

Active Connections

Proto Local Address Foreign Address State
TCP server:1707 localhost:1708 ESTABLISHED -----
TCP server:1708 localhost:1707 ESTABLISHED !
TCP server:1709 localhost:1710 ESTABLISHED !
TCP server:1710 localhost:1709 ESTABLISHED ! ----- what are these?
TCP server:1728 localhost:1729 ESTABLISHED !
TCP server:1729 localhost:1728 ESTABLISHED !
TCP server:1798 localhost:1797 TIME_WAIT --------
TCP server:1716 www.04.05.sf2p.facebook.com:http ESTABLISHED
TCP server:1718 www2.02.07.facebook.com:http ESTABLISHED
TCP server:1719 125.56.199.16:http TIME_WAIT
TCP server:1720 125.56.199.16:http ESTABLISHED
TCP server:1726 125.56.199.16:http ESTABLISHED
TCP server:1736 cs123.msg.sp1.yahoo.com:5050 ESTABLISHED
TCP server:1746 sip14.voice.re2.yahoo.com:5050 ESTABLISHED
TCP server:1765 69.63.178.23:https ESTABLISHED
TCP server:1766 125.56.199.40:http ESTABLISHED
TCP server:1768 125.56.199.43:http ESTABLISHED
TCP server:1769 125.56.199.43:http ESTABLISHED
TCP server:1770 125.56.199.43:http ESTABLISHED
TCP server:1771 125.56.199.43:http ESTABLISHED
TCP server:1772 125.56.199.43:http ESTABLISHED
TCP server:1773 125.56.199.43:http ESTABLISHED
TCP server:1774 125.56.199.9:http ESTABLISHED
TCP server:1775 125.56.199.9:http ESTABLISHED
TCP server:1776 125.56.199.9:http ESTABLISHED
TCP server:1777 125.56.199.9:http ESTABLISHED
TCP server:1778 125.56.199.9:http ESTABLISHED
TCP server:1779 125.56.199.9:http ESTABLISHED
TCP server:1782 www.04.05.sf2p.facebook.com:http ESTABLISHED
TCP server:1790 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1791 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1802 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1803 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1804 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1805 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1806 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1807 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1808 www.bleepingcomputer.com:http TIME_WAIT
TCP server:1815 channel36.01.05.sf2p.facebook.com:http ESTABLISHED
TCP server:1816 channel36.01.05.sf2p.facebook.com:http ESTABLISHED
TCP server:2005 192.168.1.3:1756 ESTABLISHED
TCP server:2005 192.168.1.4:1025 ESTABLISHED
TCP server:2005 192.168.1.5:1025 ESTABLISHED
TCP server:2005 192.168.1.6:1026 ESTABLISHED
TCP server:2005 192.168.1.7:3040 ESTABLISHED
TCP server:2005 192.168.1.8:1026 ESTABLISHED
TCP server:2005 192.168.1.14:1027 ESTABLISHED
TCP server:2005 192.168.1.18:1147 ESTABLISHED
TCP server:2005 192.168.1.19:1155 ESTABLISHED


It seems there is a replicator and port scanner. My antivirus can't detect it. I'm using NOD32 and Spybot.

#6 rex1104
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:46 AM

Posted 08 January 2009 - 11:08 PM

This should be the other Notepad file that needs to be attached with the DDS log file.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2008 4:25:53 PM
System Uptime: 1/9/2009 7:53:43 AM (2 hours ago)

Motherboard: | | 865G-M8
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2994/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2994/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 32.872 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 75 GiB total, 21.629 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP14: 12/10/2008 8:43:35 PM - Installed SlingPlayer
RP15: 12/15/2008 1:13:06 PM - Restore Operation
RP16: 12/15/2008 1:34:50 PM - Installed SlingPlayer
RP17: 12/17/2008 1:50:52 AM - System Checkpoint
RP18: 12/17/2008 9:07:39 AM - Installed Soldier Front
RP19: 12/20/2008 8:56:23 AM - System Checkpoint
RP20: 12/22/2008 8:25:22 AM - System Checkpoint
RP21: 12/28/2008 1:12:23 PM - Installed Windows XP Wdf01007.
RP22: 1/1/2009 5:26:18 PM - System Checkpoint
RP23: 1/4/2009 2:27:55 AM - System Checkpoint
RP24: 1/6/2009 1:04:07 PM - Installed Windows Media Player 11
RP25: 1/6/2009 1:05:01 PM - Installed Windows Media Player 11
RP26: 1/7/2009 12:25:17 PM - Installed Garena

==== Installed Programs ======================


305
AAC Decoder
ABBYY FineReader 5.0 Sprint
ABBYY FineReader 6.0
ABBYY FineReader OCR Engine for Microtek
ACE Mega CoDecS Pack
Acoustica CD Label Maker 1.10
Acoustica CD/DVD Label Maker
Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.3
AutoUpdate
BitLord 1.1
CABAL Online (PH) 1.0
Compatibility Pack for the 2007 Office system
ConvertHelper 2.1
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DU Meter
EdgeStreamClient 2.2.6.7
EPSON Easy Photo Print
EPSON Print CD
EPSON Printer Software
FLV Player
Folder Lock
Garena
Google Earth
Google Updater
H.264 Decoder
HijackThis 2.0.2
ijji FireFox Launcher 1.0
iTunes
J2SE Runtime Environment 5.0 Update 6
LightScribe 1.8.13.1
LimeWire 4.12.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia FlashPaper 2
Magic Music Editor v5.3.0
Magic Video Converter Trial Version (English) 8.0.2.18
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Mozilla Firefox (3.0.5)
MSXML 6.0 Parser
MYGAME Launcher(Remove Only)
Nero 7 Essentials
NOD32 antivirus system
NOD32 FiX
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia Software Updater
NVIDIA Drivers
PowerISO
QuickTime
Radmin Viewer 3.0
Realtek AC'97 Audio
ScanWizard 5
Security Update for Windows XP (KB926255)
Soldier Front
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SSC Service Utility v4.30
Unlocker 1.8.7
VC80CRTRedist - 8.0.50727.762
VeryPDF PDF2Word v2.0
VideoLAN VLC media player 0.8.6i
WebFldrs XP
Windows Media Format Runtime
Windows XP Hotfix - KB884020
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

1/4/2009 11:04:20 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
1/9/2009 7:38:44 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ROZNET09 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{394227C8-5BFA-4E5F-. The master browser is stopping or an election is being forced.

==== End Of File ===========================

#7 rex1104
  • Topic Starter
  • Members
  • 8 posts
  • Local time:07:46 AM

Posted 09 January 2009 - 02:27 AM

Can you explain why I find localhost in my netstat, and why I see multiple connections for one request? Thanks.

C:\Documents and Settings\Roznet>netstat

Active Connections

Proto Local Address Foreign Address State
TCP server:2112 localhost:2113 ESTABLISHED
TCP server:2113 localhost:2112 ESTABLISHED
TCP server:2115 localhost:2116 ESTABLISHED
TCP server:2116 localhost:2115 ESTABLISHED
TCP server:2597 localhost:2598 ESTABLISHED
TCP server:2598 localhost:2597 ESTABLISHED
TCP server:2005 192.168.1.3:1756 ESTABLISHED
TCP server:2005 192.168.1.4:1025 ESTABLISHED
TCP server:2005 192.168.1.5:1025 ESTABLISHED
TCP server:2005 192.168.1.6:1026 ESTABLISHED
TCP server:2005 192.168.1.7:1026 ESTABLISHED
TCP server:2005 192.168.1.8:1026 ESTABLISHED
TCP server:2005 192.168.1.9:1033 ESTABLISHED
TCP server:2005 192.168.1.10:1025 ESTABLISHED
TCP server:2005 192.168.1.11:1025 ESTABLISHED
TCP server:2005 192.168.1.14:1027 ESTABLISHED
TCP server:2005 192.168.1.18:1147 ESTABLISHED
TCP server:2005 192.168.1.19:1155 ESTABLISHED
TCP server:2606 74.197.6.70:37277 ESTABLISHED
TCP server:2607 ip68-9-231-52.ri.ri.cox.net:41422 ESTABLISHED
TCP server:2611 pool-71-251-29-179.nycmny.fios.verizon.net:51661 ESTABLISHED
TCP server:2646 cpe-98-27-235-122.neo.res.rr.com:9212 TIME_WAIT
TCP server:2652 ip70-188-111-127.lf.br.cox.net:38170 TIME_WAIT
TCP server:2655 173-19-176-91.client.mchsi.com:50444 FIN_WAIT_2
TCP server:2657 c-69-248-117-59.hsd1.pa.comcast.net:45876 TIME_WAIT
TCP server:2664 static65-87-249-163.regina.accesscomm.ca:24799 ESTABLISHED
TCP server:2667 c-98-235-20-99.hsd1.pa.comcast.net:10541 TIME_WAIT
TCP server:2668 channel36.01.05.sf2p.facebook.com:http ESTABLISHED
TCP server:2669 www.bleepingcomputer.com:http TIME_WAIT
TCP server:2670 www.bleepingcomputer.com:http TIME_WAIT
TCP server:2676 www2.02.07.facebook.com:http ESTABLISHED
TCP server:2678 www.bleepingcomputer.com:http TIME_WAIT
TCP server:2681 www.bleepingcomputer.com:http ESTABLISHED
TCP server:2682 www.bleepingcomputer.com:http ESTABLISHED