
Infected with Spyware/Malware/Virus


7 replies to this topic

#1 Dinamit04

Dinamit04

  • Members
  • 19 posts

Posted 12 December 2008 - 08:26 PM

Hello,

I hope someone can help me,

I am infected with spyware. I've been getting popups telling me my computer is infected with spyware, with a browser opening showing that it is scanning my computer. A popup tells me every time I start up "You have a security problem!" (if you click it, the things that I just said pop up), and my computer randomly turns off when I turn it on. I have a.exe and ACMON.exe running in my processes when I start up; I've never had them before and they are suspicious. Anyway, right now I'm in safe mode, because I can't use my computer in normal mode; it keeps shutting off.

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:16 PM, on 12/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\explorer.exe
C:\Users\ASUS\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {118C5306-19FA-479F-B1C6-8615BABBCF78} - C:\Windows\system32\khfFyXPi.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\system32\msxml71.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\rqRkICRJ.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\Windows\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\rqRkICRJ.dll,#1
O4 - HKLM\..\Run: [9c2cd61b] rundll32.exe "C:\Windows\system32\bryfibnr.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [jvsoft] C:\Windows\system32\j3ewro.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cognac] C:\Users\ASUS\AppData\Local\Temp\~tmpb.exe
O4 - HKCU\..\Run: [MSFox] C:\Users\ASUS\AppData\Local\Temp\a.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 10697 bytes




Can someone help me?
Thanks in advance
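A triage pass over the O2/O4 lines of the log above, written as an added example for this thread (not code from the forum, from HijackThis or from ComboFix): it applies the checks a helper applies by eye (autostarts from a Temp directory, rundll32 loading a system32 DLL by ordinal or one-letter export, hex-named Run values, unnamed BHOs, random-looking file names) and then compares the hits with the "Previous Run" deletions ComboFix reports later in the thread. The sample lines and the deletion list are copied from this thread; the heuristics themselves are this example's assumptions, not rules from either tool.

```python
"""Heuristic triage of HijackThis O2/O4 lines, checked against ComboFix deletions."""
import re
from collections import namedtuple

# Subset of the HijackThis log posted above (copied from the thread, not constructed).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {118C5306-19FA-479F-B1C6-8615BABBCF78} - C:\Windows\system32\khfFyXPi.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\system32\msxml71.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\rqRkICRJ.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\rqRkICRJ.dll,#1
O4 - HKLM\..\Run: [9c2cd61b] rundll32.exe "C:\Windows\system32\bryfibnr.dll",b
O4 - HKCU\..\Run: [jvsoft] C:\Windows\system32\j3ewro.exe
O4 - HKCU\..\Run: [Cognac] C:\Users\ASUS\AppData\Local\Temp\~tmpb.exe
O4 - HKCU\..\Run: [MSFox] C:\Users\ASUS\AppData\Local\Temp\a.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# "Previous Run" deletions from the ComboFix log later in this thread (lower-cased).
COMBOFIX_DELETED = {"acovcnt.exe", "bryfibnr.dll", "bsca4p52.exe", "j3ewro.exe",
                    "jwedsfdo0.dll", "khffyxpi.dll", "msxml71.dll", "rqrkicrj.dll", "wvunfwwp.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.I)
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|cpl))', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")

Finding = namedtuple("Finding", "line path reasons")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(stem: str) -> bool:
    """Crude proxy for a generated name: a short alphanumeric stem with a digit followed
    by letters (j3ewro) or several interior capitals (khfFyXPi); msxml71 does not count."""
    if not (6 <= len(stem) <= 8) or not stem.isalnum():
        return False
    digit_inside = re.search(r"\d[A-Za-z]", stem) is not None
    return digit_inside or sum(c.isupper() for c in stem[1:]) >= 2

def _path_reasons(path: str) -> list:
    reasons, low = [], path.lower()
    if "\\temp\\" in low:
        reasons.append("autostart from a Temp directory")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # keep case for looks_random
    if "\\system32\\" in low and looks_random(stem):
        reasons.append("random-looking file name in system32")
    return reasons

def triage_line(line: str):
    """Return a Finding for a suspicious O2/O4 line, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        if path == "(no file)":
            return None
        reasons = _path_reasons(path)
        if m.group("name") == "(no name)":
            reasons.append("BHO without a name but with a file on disk")
        return Finding(line, path, tuple(reasons)) if reasons else None
    m = O4_RE.match(line)
    if not m:
        return None
    cmd, reasons = m.group("cmd"), []
    if HEX_NAME_RE.match(m.group("value")):
        reasons.append("Run value name is a bare hex string")
    r = RUNDLL_RE.match(cmd)
    if r:  # rundll32 entries: judge the DLL it loads and the export it calls
        path, entry = r.group("dll"), r.group("entry")
        if entry.startswith("#") or len(entry) == 1:
            reasons.append("rundll32 with ordinal or one-letter export")
    else:
        e = EXE_RE.match(cmd)
        if not e:
            return None
        path = e.group("path")
    reasons.extend(_path_reasons(path))
    return Finding(line, path, tuple(reasons)) if reasons else None

def triage(log: str) -> list:
    return [f for f in (triage_line(l.strip()) for l in log.splitlines()) if f]

def cross_check(log: str, deleted=COMBOFIX_DELETED) -> dict:
    """Hits ComboFix confirmed by deleting, hits it did not list, and deleted files
    named in the log that the heuristics never flagged (msxml71.dll here)."""
    flagged = {basename(f.path) for f in triage(log)}
    present = {name for name in deleted if name in log.lower()}
    return {"confirmed": sorted(flagged & deleted),
            "unconfirmed": sorted(flagged - deleted),
            "missed": sorted(present - flagged)}
```

Note the miss: msxml71.dll carries a plausible name and passes every heuristic, yet ComboFix removed it, which is why a helper reads the whole log instead of trusting name patterns.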



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 13 December 2008 - 05:50 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post these logs in your next reply..

1. ComboFix
2. A fresh HijackThis log
3. Attach GMER report


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Dinamit04

Dinamit04
  • Topic Starter

  • Members
  • 19 posts

Posted 13 December 2008 - 05:25 PM

Hey, I just wanted to say first, thanks for helping me out =).

Anyway, I did what you said, but I think the log file for ComboFix is not what you are going to expect. I ran it once and everything went fine; in the blue console where it says stage 1, 2... and stuff, it said it deleted a few files, then it restarted, but when it booted up, while it was creating the log file, my computer randomly shut off (it wasn't in safe mode). So I ran it again, entered safe mode on restart, and here is the log file. Sorry for that.

The HijackThis log is under it and I have attached a GMER log.






ComboFix 08-12-12.05 - ASUS 2008-12-13 12:48:03.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1919.1549 [GMT -8:00]
Running from: d:\spyware\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\acovcnt.exe
c:\windows\system32\bryfibnr.dll
c:\windows\system32\bScA4p52.exe
c:\windows\system32\bScA4p52.exe.a_a
c:\windows\System32\fhkTEMoq.ini
c:\windows\System32\fhkTEMoq.ini2
c:\windows\System32\iPXyFfhk.ini
c:\windows\System32\iPXyFfhk.ini2
c:\windows\system32\j3ewro.exe
c:\windows\system32\jwedsfdo0.dll
c:\windows\system32\khfFyXPi.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\rjxmkrcf.ini
c:\windows\system32\rnbifyrb.ini
c:\windows\system32\rqRkICRJ.dll
c:\windows\system32\vwaaeryd.ini
c:\windows\system32\wvUNFwWp.dll
c:\windows\Tasks\At10.job
c:\windows\Tasks\gjthfnkk.job

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 20:36 --------- d-----w c:\users\ASUS\AppData\Roaming\skypePM
2008-12-13 20:36 --------- d-----w c:\users\ASUS\AppData\Roaming\Skype
2008-12-13 20:36 --------- d-----w c:\program files\Steam
2008-12-12 20:15 --------- d-----w c:\programdata\WinZip
2008-12-12 20:09 --------- d-----w c:\programdata\Google Updater
2008-12-12 15:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-11 11:18 --------- d-----w c:\program files\Windows Mail
2008-12-11 11:12 --------- d-----w c:\programdata\Microsoft Help
2008-12-07 21:36 --------- d-----w c:\users\ASUS\AppData\Roaming\Apple Computer
2008-12-06 22:11 --------- d-----w c:\program files\Robobombs
2008-12-03 20:31 --------- d-----w c:\program files\MSBuild
2008-12-03 20:24 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-12-01 04:24 --------- d-----w c:\users\ASUS\AppData\Roaming\AutoTransfer
2008-11-14 11:12 --------- d-----w c:\program files\McAfee
2008-11-14 11:11 --------- d-----w c:\program files\Google
2008-11-11 17:03 30 ----a-w c:\users\ASUS\jagex_runescape_preferences.dat
2008-11-10 19:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 19:19 --------- d-----w c:\program files\Common Files\Futuremark Shared
2008-11-09 21:17 --------- d-----w c:\program files\Counter-Strike Source
2008-11-09 19:47 --------- d-----w c:\users\ASUS\AppData\Roaming\SystemRequirementsLab
2008-11-09 19:47 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-03 00:19 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-03 00:19 --------- d-----w c:\program files\Java
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-30 16:36 --------- d-----w c:\program files\Common Files\Steam
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 01:57 --------- d-----w c:\programdata\ASUS
2008-10-22 05:42 --------- d-----w c:\program files\7-Zip
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 ----a-w c:\windows\System32\tzres.dll
2008-10-21 21:35 --------- d-----w c:\users\ASUS\AppData\Roaming\uTorrent
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 22:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 21:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-09-08 02:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-08 02:38 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-08 02:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-09-04 01:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008090320080904\index.dat
2008-09-06 19:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-13_12.38.54.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-13 20:35:56 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-13 20:43:15 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-13 20:35:58 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-13 20:43:15 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-12-13 06:06:45 101,610 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-13 20:50:30 101,610 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-13 06:06:45 597,602 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-13 20:50:30 597,602 ----a-w c:\windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{118C5306-19FA-479F-B1C6-8615BABBCF78}]
c:\windows\system32\khfFyXPi.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-01 4670968]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Steam"="c:\program files\Steam\Steam.exe" [2007-09-12 1258744]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-09-02 630784]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"ASUSTPE"="c:\windows\system32\ASUSTPE.exe" [2006-12-12 106496]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-06-16 37232]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-06-16 33136]
"PowerForPhone"="c:\program files\PowerForPhone\PowerForPhone.exe" [2007-06-26 778240]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-18 2752512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 14:31 21633320 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-29 02:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 10:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 17:11 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2640442689-1008175229-3361151706-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D2A164AC-C098-4B7C-9D19-0D6B55615FBF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6579DE3C-F68B-4E47-B0DB-2CF08A5BA7EC}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C46B1D23-C70E-47C7-9913-C5E20D634EC3}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3F7B8AD8-7745-49F3-A2FD-915F74B7F637}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{04985E41-B6FA-4709-B03D-515294C9BA09}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C3903054-B263-4848-946D-C0B2CE0D246C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{67097761-B5C2-4F94-915C-BE00FD0904AD}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"TCP Query User{261DC405-BD6C-4FEE-87D9-01698BDA354C}d:\\program files\\counter-strike\\hl.exe"= UDP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{52E862DE-8D67-4F78-BDB8-78D1EF087D83}d:\\program files\\counter-strike\\hl.exe"= TCP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"{69292C29-3DDC-4C99-8F48-0B885EF5814C}"= UDP:c:\program files\Paltalk Messenger\paltalk.exe:PaltalkScene
"{99391AD8-B42A-4A95-BB3B-A1C7504E0242}"= TCP:c:\program files\Paltalk Messenger\paltalk.exe:PaltalkScene
"{FFC960A8-27E2-41BD-B4B2-F3026593257D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{6FF9E253-8313-4724-88A6-ADC2F12ED39A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C72A51F9-20DF-49BA-9FE7-47C0F0A1F5ED}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6AAD9489-9920-4BF8-A4A0-9E06909F3C3E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0EF8832F-D833-48AD-BF9D-139B0BDD37A1}"= UDP:d:\program files\Microsoft Games\Age of Mythology\aomx.exe:Age of Mythology - The Titans Expansion
"{3BE71184-F513-4F20-819F-5F8E92ADA72F}"= TCP:d:\program files\Microsoft Games\Age of Mythology\aomx.exe:Age of Mythology - The Titans Expansion
"TCP Query User{1BC03BA7-A4A5-415B-B70A-6B7A8D4C99A5}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= UDP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"UDP Query User{E269E84C-7048-4D37-9F30-35A67B480F78}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= TCP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"{80BAFA68-B672-4468-A234-8E11A0E1E238}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{6A5274C5-A07B-4971-B671-295BD28FEAEF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8DDB2A96-FEBD-45F3-9986-17A012BA9DBE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{89008ACA-2C79-4E18-A208-603929F763A6}c:\\program files\\smartlaunch\\server\\server.exe"= UDP:c:\program files\smartlaunch\server\server.exe:Smartlaunch Server
"UDP Query User{D80D10F4-BE57-420D-9330-1965E0B76311}c:\\program files\\smartlaunch\\server\\server.exe"= TCP:c:\program files\smartlaunch\server\server.exe:Smartlaunch Server
"TCP Query User{4795E279-F4E1-45D2-B995-3C4B60CCAC0A}d:\\program files\\microsoft games\\rise of nations\\nations.exe"= UDP:d:\program files\microsoft games\rise of nations\nations.exe:Rise of Nations
"UDP Query User{54C33CAA-3A27-4235-8C6D-DBDD8A3F1441}d:\\program files\\microsoft games\\rise of nations\\nations.exe"= TCP:d:\program files\microsoft games\rise of nations\nations.exe:Rise of Nations
"TCP Query User{CAC31DC9-BDA2-4BB2-B5F0-6D61DBED5920}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= UDP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"UDP Query User{5405D6D3-2F01-4C44-B612-257BCA05E3D1}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= TCP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"TCP Query User{1D592E6C-B6D3-4E61-8B62-D387BE9D0D5F}d:\\program files\\counter-strike\\hl.exe"= UDP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{35885B5B-E828-44E2-B68A-7F32439A5856}d:\\program files\\counter-strike\\hl.exe"= TCP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"TCP Query User{B6E420B5-5A54-48C6-8044-45D055DE09FD}d:\\program files\\day of defeat source\\hl2.exe"= UDP:d:\program files\day of defeat source\hl2.exe:hl2
"UDP Query User{A14B4027-31B5-47A3-BF11-E7E8132A0374}d:\\program files\\day of defeat source\\hl2.exe"= TCP:d:\program files\day of defeat source\hl2.exe:hl2
"TCP Query User{C05E63EA-0D59-41F0-B738-864C608BE652}d:\\program files\\valve\\half-life\\hl.exe"= UDP:d:\program files\valve\half-life\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{0FE97AF2-29A0-4023-A64C-BB1E58BD3FDD}d:\\program files\\valve\\half-life\\hl.exe"= TCP:d:\program files\valve\half-life\hl.exe:Half-Life SpittStyle Edition
"TCP Query User{C30CD09E-4A37-4222-80C2-B3468CC27FF0}d:\\program files\\counter-strike\\hlds.exe"= UDP:d:\program files\counter-strike\hlds.exe:HLDS Launcher
"UDP Query User{A1AF3CD8-78EE-4061-9EF1-C59D40B3085C}d:\\program files\\counter-strike\\hlds.exe"= TCP:d:\program files\counter-strike\hlds.exe:HLDS Launcher
"TCP Query User{17F5F64D-A862-485E-9889-4342B13BF0E0}c:\\users\\asus\\downloads\\baupnp.exe"= UDP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"UDP Query User{C5777744-D96C-4880-8605-5EE74647D7D1}c:\\users\\asus\\downloads\\baupnp.exe"= TCP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"TCP Query User{1C56EB5D-F569-4240-986D-FA7C8F93B953}c:\\users\\asus\\downloads\\baupnp.exe"= UDP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"UDP Query User{1C9401F5-D5EC-4DFA-ADBF-F99F92845AF7}c:\\users\\asus\\downloads\\baupnp.exe"= TCP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"TCP Query User{35FD4693-1EBE-4604-A852-7CAA1B7BA6A0}d:\\program files\\worms world party\\wp.exe"= UDP:d:\program files\worms world party\wp.exe:Worms World Party
"UDP Query User{7D0E2BD2-674D-4124-9513-C602AE5D81CD}d:\\program files\\worms world party\\wp.exe"= TCP:d:\program files\worms world party\wp.exe:Worms World Party
"TCP Query User{90389268-0C30-4AE1-8237-966C98D0D869}d:\\program files\\worms world party\\wp.exe"= UDP:d:\program files\worms world party\wp.exe:Worms World Party
"UDP Query User{21F4DF93-006F-4F3C-B09E-C3309422E1C9}d:\\program files\\worms world party\\wp.exe"= TCP:d:\program files\worms world party\wp.exe:Worms World Party
"TCP Query User{6E5CC74A-46F5-43AD-AF0E-C52FD75AF441}c:\\program files\\counter-strike source\\hl2.exe"= UDP:c:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{440379CB-8E3A-4DC5-87FA-DAA23BCA5FF9}c:\\program files\\counter-strike source\\hl2.exe"= TCP:c:\program files\counter-strike source\hl2.exe:hl2
"TCP Query User{DBD0BD7F-3A84-4210-9E48-E57C63C66B04}c:\\program files\\counter-strike source\\hl2.exe"= UDP:c:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{B441C768-A879-4BFF-9F96-BE6AA6A88C94}c:\\program files\\counter-strike source\\hl2.exe"= TCP:c:\program files\counter-strike source\hl2.exe:hl2
"{1FDE45E6-F9E2-4E27-BCB7-39EE1D121B7B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{83A026EB-E1FD-4DD9-9FDD-BF1A2B6FEAA6}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{DF0BFD2C-6BAF-4FFE-8221-EF10904B8F62}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09B862E6-F7AC-4BB5-BF0D-85F4C408B71A}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{8CADB85D-572F-4161-8644-F2093B0459E2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{DF911E90-0A72-4972-84E6-590DF6C33AE2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{85F3983C-1F8B-4832-AAF1-0B88D65992FD}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{B6EDA133-2CFF-4AEC-B63A-EE502563BBB2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"{0A72CCF9-A756-4E4D-A62E-F4E02AE36385}"= UDP:9941:BitComet 9941 TCP
"{5008D118-E571-4164-927C-BD1716E983F6}"= TCP:9941:BitComet 9941 UDP
"TCP Query User{C95B403D-20A8-4EA2-B441-B8D8791C4ECA}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{DABB44A3-8670-4580-9CB6-1DF3BA6852AF}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [2007-08-16 28672]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-29 203280]
S2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkCSrv.exe [2007-04-18 24576]
S3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\Drivers\StkCMini.sys [2007-06-05 1260672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de052e-c549-11dd-a583-001fc67a559d}]
\shell\Auto\command - H:\autorun.bat
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\autorun.bat
\shell\explore\Command - H:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de0531-c549-11dd-a583-001fc67a559d}]
\shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fa1b09b-7f20-11dd-9177-001fc67a559d}]
\shell\AutoRun\command - F:\AutoTransfer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5291241-8bfa-11dd-a52b-001fc67a559d}]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-12-12 c:\windows\Tasks\At11.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At12.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At13.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At14.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At15.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At16.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At17.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At18.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At19.job
- c:\windows\system32\bScA4p52.exe []

2008-12-08 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-12-13 c:\windows\Tasks\At20.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At21.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At22.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At23.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At24.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At25.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At26.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At27.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At28.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At29.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At3.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At30.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At31.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At32.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At33.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At34.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At35.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At36.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At37.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At38.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At39.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At4.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At40.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At41.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At42.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\At43.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At5.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At6.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At7.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At8.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At9.job
- c:\windows\system32\bScA4p52.exe []

2008-12-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 12:51:05
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\ASUS\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-13 12:55:32
ComboFix-quarantined-files.txt 2008-12-13 20:55:30

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 66,935,713,792 bytes free

372 --- E O F --- 2008-12-11 11:12:13


--------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:39 PM, on 12/13/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {118C5306-19FA-479F-B1C6-8615BABBCF78} - C:\Windows\system32\khfFyXPi.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUSTPE] C:\Windows\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 9217 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 13 December 2008 - 11:20 PM

Hello.. Where's the GMER report? Just start your computer in Normal mode please :thumbsup:


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    c:\windows\system32\khfFyXPi.dll
    c:\windows\system32\bScA4p52.exe
    c:\windows\Tasks\At*.job
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{118C5306-19FA-479F-B1C6-8615BABBCF78}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de052e-c549-11dd-a583-001fc67a559d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de0531-c549-11dd-a583-001fc67a559d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fa1b09b-7f20-11dd-9177-001fc67a559d}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5291241-8bfa-11dd-a52b-001fc67a559d}]
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Run GMER again as per previous instruction.. Post these logs in your next reply..

1. OTMoveIt3
2. Malwarebytes'
3. Attach GMER report

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
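The OTMoveIt3 script above is built from two findings in the ComboFix log: dozens of numbered At*.job tasks all pointing at one file in system32 with no version/date metadata, and cached mountpoints2 autorun handlers for removable drives. The following is an added example (not code from the thread or from any of the tools it mentions) that parses those two sections of a ComboFix-style log and flags the same indicators; the sample excerpt is assembled from the log posted above, and the thresholds are assumptions.

```python
"""Triage helper for ComboFix-style log excerpts (added example).

Reads the 'Scheduled Tasks' listing and the mountpoints2 blocks and flags:
  * At<N>.job tasks whose target has empty metadata ("[]") or is shared by
    several numbered jobs (the bScA4p52.exe pattern in the log above);
  * removable-drive autorun handlers, with a stronger reason when they run a
    batch file or go through rundll32 ShellExec_RunDLL.
"""
import re
from collections import defaultdict

# Sample excerpt assembled (and trimmed) from the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de052e-c549-11dd-a583-001fc67a559d}]
\shell\Auto\command - H:\autorun.bat
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\autorun.bat
\shell\explore\Command - H:\autorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de0531-c549-11dd-a583-001fc67a559d}]
\shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 13:50]

2008-12-12 c:\windows\Tasks\At11.job
- c:\windows\system32\bScA4p52.exe []

2008-12-12 c:\windows\Tasks\At12.job
- c:\windows\system32\bScA4p52.exe []

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
"""

# "<date> <path>\Tasks\<name>.job" followed by "- <target> [<metadata>]"
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\\Tasks\\([^\\]+\.job))$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
# "[HKEY_...\mountpoints2\{guid}]" followed by "\shell\<verb>\command - <cmd>"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\mountpoints2\\(\{[0-9a-f-]+\}))\]$", re.I)
CMD_RE = re.compile(r"^(\\shell\\[^ ]+\\command) - (.+)$", re.I)


def parse_tasks(text):
    """Return (job_name, target, metadata) tuples from the Scheduled Tasks block."""
    tasks = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            if t:
                tasks.append((m.group(3), t.group(1), t.group(2)))
    return tasks


def flag_tasks(tasks, min_jobs=2):
    """Group numbered At<N>.job tasks by target (case-folded). A target with no
    metadata, or one shared by min_jobs or more jobs, is reported. min_jobs is
    an assumed threshold; the log above had over forty jobs on one target."""
    by_target = defaultdict(list)
    for name, target, meta in tasks:
        if re.fullmatch(r"At\d+\.job", name, re.I):
            by_target[target.lower()].append((name, meta))
    findings = []
    for target, jobs in by_target.items():
        no_meta = all(meta == "" for _, meta in jobs)
        if no_meta or len(jobs) >= min_jobs:
            reason = "no file metadata" if no_meta else "shared by several At jobs"
            findings.append({"target": target, "jobs": sorted(n for n, _ in jobs), "reason": reason})
    return findings


def parse_mountpoints(text):
    """Return (guid, verb_key, command) tuples; a blank line ends a key block."""
    entries, guid = [], None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            guid = k.group(2)
            continue
        if not line:
            guid = None
            continue
        c = CMD_RE.match(line)
        if c and guid:
            entries.append((guid, c.group(1), c.group(2)))
    return entries


def flag_mountpoints(entries):
    """Every cached removable-drive autorun handler is worth review; batch files
    and rundll32 ShellExec_RunDLL launches get a stronger reason."""
    findings = []
    for guid, verb, cmd in entries:
        low = cmd.lower()
        script = low.endswith(".bat") or "shellexec_rundll" in low
        reason = "script launched from drive root" if script else "removable-drive autorun handler"
        findings.append({"guid": guid, "verb": verb, "command": cmd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_tasks(parse_tasks(SAMPLE_LOG)) + flag_mountpoints(parse_mountpoints(SAMPLE_LOG)):
        print(f)
```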


#5 Dinamit04

Dinamit04
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:11:12 AM

Posted 14 December 2008 - 03:47 PM

Attached New and OLD GMER Logs, Pasted OTMOVEIT LOG, and Pasted MalwareBytes Log.



Attached File: OLD_GMER_Log.txt (91.86KB, 3 downloads)

Attached File: NEW_GMER_LOG.txt (9.76KB, 1 downloads)


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\windows\system32\khfFyXPi.dll not found.
File/Folder c:\windows\system32\bScA4p52.exe not found.
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{118C5306-19FA-479F-B1C6-8615BABBCF78}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de052e-c549-11dd-a583-001fc67a559d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47de0531-c549-11dd-a583-001fc67a559d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fa1b09b-7f20-11dd-9177-001fc67a559d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5291241-8bfa-11dd-a52b-001fc67a559d}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Users\ASUS\AppData\Local\Temp\etilqs_SpXL2QCr1nrm5dbbMvrc scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\mcmsc_0XNDmrZpwPsFeap scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_Ev1G25Iz8RAWan1 scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_qyF7PSIwYfEedjI scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_qyF7PSIwYfEedjI-journal scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_4ubQp3CryeWsEVM scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_aqxxIWCCzvlplqQ scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\sqlite_aYs7CgNfCGQ5ERy scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.


Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12132008_224115

Files moved on Reboot...
File C:\Users\ASUS\AppData\Local\Temp\etilqs_SpXL2QCr1nrm5dbbMvrc not found!
File C:\Windows\temp\mcmsc_0XNDmrZpwPsFeap not found!
File C:\Windows\temp\mcmsc_Ev1G25Iz8RAWan1 not found!
File C:\Windows\temp\mcmsc_qyF7PSIwYfEedjI not found!
File C:\Windows\temp\mcmsc_qyF7PSIwYfEedjI-journal not found!
C:\Windows\temp\sqlite_4ubQp3CryeWsEVM moved successfully.
C:\Windows\temp\sqlite_aqxxIWCCzvlplqQ moved successfully.
C:\Windows\temp\sqlite_aYs7CgNfCGQ5ERy moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_001_ moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_002_ moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_003_ moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\urlclassifier3.sqlite moved successfully.
C:\Users\ASUS\AppData\Local\Mozilla\Firefox\Profiles\70ep9bop.default\XUL.mfl moved successfully.


---------------------------------------------------------------------



Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 6.0.6001 Service Pack 1

12/14/2008 11:07:19 AM
mbam-log-2008-12-14 (11-07-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 255446
Time elapsed: 2 hour(s), 4 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:12 AM

Posted 15 December 2008 - 03:06 AM

Looks very good.. Run ComboFix again and post the log here.. Tell me, how is the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Dinamit04

Dinamit04
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:11:12 AM

Posted 15 December 2008 - 03:20 PM

THANK YOU!! NO ANNOYING POPUPS, PC SPEED GOOD, NO SLOW DOWNS, NO RANDOM SHUT DOWNS! THANKS ALOT

Here is my log report you asked for by the way:

ComboFix 08-12-12.05 - ASUS 2008-12-15 13:03:34.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1919.949 [GMT -8:00]
Running from: c:\users\ASUS\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\acovcnt.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 13:02 . 2008-12-15 13:02 <DIR> d-------- C:\32788R22FWJFW
2008-12-13 23:01 . 2008-12-13 23:01 <DIR> d-------- c:\users\ASUS\AppData\Roaming\Malwarebytes
2008-12-13 23:01 . 2008-12-13 23:01 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-13 23:01 . 2008-12-13 23:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 23:01 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-13 23:01 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-13 22:41 . 2008-12-13 22:41 <DIR> d-------- C:\_OTMoveIt
2008-12-13 15:33 . 2008-12-14 14:24 250 --a------ c:\windows\gmer.ini
2008-12-13 15:29 . 2008-12-13 15:29 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 03:05 . 2008-10-21 17:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 22:59 . 2008-10-31 17:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 22:59 . 2008-10-20 21:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 22:59 . 2008-10-31 19:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-10 15:21 . 2008-12-10 15:23 <DIR> d-------- C:\Downloads
2008-12-06 14:11 . 2008-12-06 14:11 <DIR> d-------- c:\program files\Robobombs
2008-12-03 12:34 . 2006-10-26 19:56 32,592 --a------ c:\windows\System32\msonpmon.dll
2008-12-03 12:24 . 2008-12-03 12:24 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-01 03:07 . 2008-12-01 03:07 268 --ah----- C:\sqmdata03.sqm
2008-12-01 03:07 . 2008-12-01 03:07 244 --ah----- C:\sqmnoopt03.sqm
2008-11-30 20:24 . 2008-11-30 20:24 <DIR> d-------- c:\users\ASUS\AppData\Roaming\AutoTransfer
2008-11-30 15:08 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-30 15:08 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-30 15:08 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-30 15:08 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-30 15:08 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-30 14:58 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-30 14:58 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-30 14:58 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-30 14:58 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-30 14:57 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-30 14:57 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-30 14:57 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-30 14:56 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-30 14:56 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-22 15:46 . 2008-12-12 17:52 450,918,900 --a------ c:\windows\MEMORY.DMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 21:01 --------- d-----w c:\users\ASUS\AppData\Roaming\Skype
2008-12-15 21:00 --------- d-----w c:\program files\Steam
2008-12-15 17:08 --------- d-----w c:\users\ASUS\AppData\Roaming\skypePM
2008-12-15 01:07 --------- d-----w c:\programdata\Google Updater
2008-12-12 20:15 --------- d-----w c:\programdata\WinZip
2008-12-12 15:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-11 11:18 --------- d-----w c:\program files\Windows Mail
2008-12-11 11:12 --------- d-----w c:\programdata\Microsoft Help
2008-12-07 21:36 --------- d-----w c:\users\ASUS\AppData\Roaming\Apple Computer
2008-12-03 20:31 --------- d-----w c:\program files\MSBuild
2008-11-14 11:12 --------- d-----w c:\program files\McAfee
2008-11-14 11:11 --------- d-----w c:\program files\Google
2008-11-11 17:03 30 ----a-w c:\users\ASUS\jagex_runescape_preferences.dat
2008-11-10 19:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 19:19 --------- d-----w c:\program files\Common Files\Futuremark Shared
2008-11-09 21:17 --------- d-----w c:\program files\Counter-Strike Source
2008-11-09 19:47 --------- d-----w c:\users\ASUS\AppData\Roaming\SystemRequirementsLab
2008-11-09 19:47 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-03 00:19 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-03 00:19 --------- d-----w c:\program files\Java
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-30 16:36 --------- d-----w c:\program files\Common Files\Steam
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 01:57 --------- d-----w c:\programdata\ASUS
2008-10-22 05:42 --------- d-----w c:\program files\7-Zip
2008-10-21 21:35 --------- d-----w c:\users\ASUS\AppData\Roaming\uTorrent
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-09-08 02:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-08 02:38 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-08 02:38 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-09-04 01:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008090320080904\index.dat
2008-09-06 19:42 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-13_12.38.54.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-13 23:33:22 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-15 20:59:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-15 20:59:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-13 20:35:56 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-15 21:02:30 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-13 20:35:58 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-15 21:01:52 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-10-15 04:39:47 130,616 ----a-w c:\windows\System32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
+ 2008-12-15 03:35:31 130,616 ----a-w c:\windows\System32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
- 2008-12-13 01:44:34 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-15 20:46:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-13 01:44:34 65,536 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-15 20:46:04 65,536 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-13 01:44:34 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-15 20:46:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-15 20:33:03 5,822 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
+ 2008-12-15 20:48:16 10,778 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\732E825ED19A44BC9AF3D946329D8A4812B525F6\732E825ED19A44BC9AF3D946329D8A4812B525F6\Data.dat
+ 2008-12-15 20:20:47 6,254 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\9BEC04A6ED930E74027DDF093A52D0E0B2A5F98A\9BEC04A6ED930E74027DDF093A52D0E0B2A5F98A\Data.dat
- 2008-12-13 01:23:35 6,338 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\AFA0228517D559C72225EDC64521ED7E04459E89\AFA0228517D559C72225EDC64521ED7E04459E89\Data.dat
+ 2008-12-15 20:19:43 6,338 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\AFA0228517D559C72225EDC64521ED7E04459E89\AFA0228517D559C72225EDC64521ED7E04459E89\Data.dat
+ 2008-12-15 20:50:18 6,584 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\EB5AF50E0B263C13B3D628ADA3AC42B02C51003D\EB5AF50E0B263C13B3D628ADA3AC42B02C51003D\Data.dat
+ 2008-12-15 20:20:46 5,668 ----a-w c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\FA012B14218639947C42F513122741CA07F5982D\FA012B14218639947C42F513122741CA07F5982D\Data.dat
+ 2008-12-13 23:33:22 85,969 ----a-w c:\windows\System32\drivers\gmer.sys
- 2008-10-16 10:12:32 439,696 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2008-12-14 06:49:16 439,696 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2008-12-13 06:06:45 101,610 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-15 21:05:22 102,194 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-13 06:06:45 597,602 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-15 21:05:22 598,588 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-13 02:37:03 5,522 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2640442689-1008175229-3361151706-1000_UserData.bin
+ 2008-12-15 21:02:46 5,618 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2640442689-1008175229-3361151706-1000_UserData.bin
- 2008-12-13 02:37:03 80,860 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-15 21:02:46 81,744 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-05 19:57:06 50,422 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-14 22:44:48 50,462 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-17 2289664]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-01 4670968]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Steam"="c:\program files\Steam\Steam.exe" [2007-09-12 1258744]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-09-02 630784]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"ASUSTPE"="c:\windows\system32\ASUSTPE.exe" [2006-12-12 106496]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-06-16 37232]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-06-16 33136]
"PowerForPhone"="c:\program files\PowerForPhone\PowerForPhone.exe" [2007-06-26 778240]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-09-09 196608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-18 2752512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-11-07 14:31 21633320 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-29 02:26 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 10:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 17:11 4670968 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2640442689-1008175229-3361151706-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D2A164AC-C098-4B7C-9D19-0D6B55615FBF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6579DE3C-F68B-4E47-B0DB-2CF08A5BA7EC}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C46B1D23-C70E-47C7-9913-C5E20D634EC3}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3F7B8AD8-7745-49F3-A2FD-915F74B7F637}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{04985E41-B6FA-4709-B03D-515294C9BA09}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C3903054-B263-4848-946D-C0B2CE0D246C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{67097761-B5C2-4F94-915C-BE00FD0904AD}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"TCP Query User{261DC405-BD6C-4FEE-87D9-01698BDA354C}d:\\program files\\counter-strike\\hl.exe"= UDP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{52E862DE-8D67-4F78-BDB8-78D1EF087D83}d:\\program files\\counter-strike\\hl.exe"= TCP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"{69292C29-3DDC-4C99-8F48-0B885EF5814C}"= UDP:c:\program files\Paltalk Messenger\paltalk.exe:PaltalkScene
"{99391AD8-B42A-4A95-BB3B-A1C7504E0242}"= TCP:c:\program files\Paltalk Messenger\paltalk.exe:PaltalkScene
"{FFC960A8-27E2-41BD-B4B2-F3026593257D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{6FF9E253-8313-4724-88A6-ADC2F12ED39A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C72A51F9-20DF-49BA-9FE7-47C0F0A1F5ED}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6AAD9489-9920-4BF8-A4A0-9E06909F3C3E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0EF8832F-D833-48AD-BF9D-139B0BDD37A1}"= UDP:d:\program files\Microsoft Games\Age of Mythology\aomx.exe:Age of Mythology - The Titans Expansion
"{3BE71184-F513-4F20-819F-5F8E92ADA72F}"= TCP:d:\program files\Microsoft Games\Age of Mythology\aomx.exe:Age of Mythology - The Titans Expansion
"TCP Query User{1BC03BA7-A4A5-415B-B70A-6B7A8D4C99A5}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= UDP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"UDP Query User{E269E84C-7048-4D37-9F30-35A67B480F78}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= TCP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"{80BAFA68-B672-4468-A234-8E11A0E1E238}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{6A5274C5-A07B-4971-B671-295BD28FEAEF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8DDB2A96-FEBD-45F3-9986-17A012BA9DBE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{89008ACA-2C79-4E18-A208-603929F763A6}c:\\program files\\smartlaunch\\server\\server.exe"= UDP:c:\program files\smartlaunch\server\server.exe:Smartlaunch Server
"UDP Query User{D80D10F4-BE57-420D-9330-1965E0B76311}c:\\program files\\smartlaunch\\server\\server.exe"= TCP:c:\program files\smartlaunch\server\server.exe:Smartlaunch Server
"TCP Query User{4795E279-F4E1-45D2-B995-3C4B60CCAC0A}d:\\program files\\microsoft games\\rise of nations\\nations.exe"= UDP:d:\program files\microsoft games\rise of nations\nations.exe:Rise of Nations
"UDP Query User{54C33CAA-3A27-4235-8C6D-DBDD8A3F1441}d:\\program files\\microsoft games\\rise of nations\\nations.exe"= TCP:d:\program files\microsoft games\rise of nations\nations.exe:Rise of Nations
"TCP Query User{CAC31DC9-BDA2-4BB2-B5F0-6D61DBED5920}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= UDP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"UDP Query User{5405D6D3-2F01-4C44-B612-257BCA05E3D1}d:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= TCP:d:\program files\ea games\command & conquer generals zero hour\game.dat:game.dat
"TCP Query User{1D592E6C-B6D3-4E61-8B62-D387BE9D0D5F}d:\\program files\\counter-strike\\hl.exe"= UDP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{35885B5B-E828-44E2-B68A-7F32439A5856}d:\\program files\\counter-strike\\hl.exe"= TCP:d:\program files\counter-strike\hl.exe:Half-Life SpittStyle Edition
"TCP Query User{B6E420B5-5A54-48C6-8044-45D055DE09FD}d:\\program files\\day of defeat source\\hl2.exe"= UDP:d:\program files\day of defeat source\hl2.exe:hl2
"UDP Query User{A14B4027-31B5-47A3-BF11-E7E8132A0374}d:\\program files\\day of defeat source\\hl2.exe"= TCP:d:\program files\day of defeat source\hl2.exe:hl2
"TCP Query User{C05E63EA-0D59-41F0-B738-864C608BE652}d:\\program files\\valve\\half-life\\hl.exe"= UDP:d:\program files\valve\half-life\hl.exe:Half-Life SpittStyle Edition
"UDP Query User{0FE97AF2-29A0-4023-A64C-BB1E58BD3FDD}d:\\program files\\valve\\half-life\\hl.exe"= TCP:d:\program files\valve\half-life\hl.exe:Half-Life SpittStyle Edition
"TCP Query User{C30CD09E-4A37-4222-80C2-B3468CC27FF0}d:\\program files\\counter-strike\\hlds.exe"= UDP:d:\program files\counter-strike\hlds.exe:HLDS Launcher
"UDP Query User{A1AF3CD8-78EE-4061-9EF1-C59D40B3085C}d:\\program files\\counter-strike\\hlds.exe"= TCP:d:\program files\counter-strike\hlds.exe:HLDS Launcher
"TCP Query User{17F5F64D-A862-485E-9889-4342B13BF0E0}c:\\users\\asus\\downloads\\baupnp.exe"= UDP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"UDP Query User{C5777744-D96C-4880-8605-5EE74647D7D1}c:\\users\\asus\\downloads\\baupnp.exe"= TCP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"TCP Query User{1C56EB5D-F569-4240-986D-FA7C8F93B953}c:\\users\\asus\\downloads\\baupnp.exe"= UDP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"UDP Query User{1C9401F5-D5EC-4DFA-ADBF-F99F92845AF7}c:\\users\\asus\\downloads\\baupnp.exe"= TCP:c:\users\asus\downloads\baupnp.exe:baupnp.exe
"TCP Query User{35FD4693-1EBE-4604-A852-7CAA1B7BA6A0}d:\\program files\\worms world party\\wp.exe"= UDP:d:\program files\worms world party\wp.exe:Worms World Party
"UDP Query User{7D0E2BD2-674D-4124-9513-C602AE5D81CD}d:\\program files\\worms world party\\wp.exe"= TCP:d:\program files\worms world party\wp.exe:Worms World Party
"TCP Query User{90389268-0C30-4AE1-8237-966C98D0D869}d:\\program files\\worms world party\\wp.exe"= UDP:d:\program files\worms world party\wp.exe:Worms World Party
"UDP Query User{21F4DF93-006F-4F3C-B09E-C3309422E1C9}d:\\program files\\worms world party\\wp.exe"= TCP:d:\program files\worms world party\wp.exe:Worms World Party
"TCP Query User{6E5CC74A-46F5-43AD-AF0E-C52FD75AF441}c:\\program files\\counter-strike source\\hl2.exe"= UDP:c:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{440379CB-8E3A-4DC5-87FA-DAA23BCA5FF9}c:\\program files\\counter-strike source\\hl2.exe"= TCP:c:\program files\counter-strike source\hl2.exe:hl2
"TCP Query User{DBD0BD7F-3A84-4210-9E48-E57C63C66B04}c:\\program files\\counter-strike source\\hl2.exe"= UDP:c:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{B441C768-A879-4BFF-9F96-BE6AA6A88C94}c:\\program files\\counter-strike source\\hl2.exe"= TCP:c:\program files\counter-strike source\hl2.exe:hl2
"{1FDE45E6-F9E2-4E27-BCB7-39EE1D121B7B}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{83A026EB-E1FD-4DD9-9FDD-BF1A2B6FEAA6}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{DF0BFD2C-6BAF-4FFE-8221-EF10904B8F62}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09B862E6-F7AC-4BB5-BF0D-85F4C408B71A}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{8CADB85D-572F-4161-8644-F2093B0459E2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{DF911E90-0A72-4972-84E6-590DF6C33AE2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{85F3983C-1F8B-4832-AAF1-0B88D65992FD}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{B6EDA133-2CFF-4AEC-B63A-EE502563BBB2}c:\\program files\\robobombs\\robombs\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\robobombs\robombs\jre1.6.0_07\bin\javaw.exe:Java™ Platform SE binary
"{0A72CCF9-A756-4E4D-A62E-F4E02AE36385}"= UDP:9941:BitComet 9941 TCP
"{5008D118-E571-4164-927C-BD1716E983F6}"= TCP:9941:BitComet 9941 UDP
"TCP Query User{C95B403D-20A8-4EA2-B441-B8D8791C4ECA}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{DABB44A3-8670-4580-9CB6-1DF3BA6852AF}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-29 203280]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkCSrv.exe [2007-04-18 24576]
R3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [2007-08-16 28672]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\Drivers\StkCMini.sys [2007-06-05 1260672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fa1b09b-7f20-11dd-9177-001fc67a559d}]
\shell\AutoRun\command - H:\AutoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 13:23:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-15 14:16:23
ComboFix-quarantined-files.txt 2008-12-15 22:16:07
ComboFix2.txt 2008-12-13 20:55:33

Pre-Run: 54,198,304,768 bytes free
Post-Run: 53,964,771,328 bytes free

300 --- E O F --- 2008-12-11 11:12:13



Does everything look good?
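
The Reg Loading Points section of a ComboFix log like the one above can be triaged mechanically. As an added example (not part of this thread and not a ComboFix feature), this Python script parses a constructed excerpt in the same REGEDIT4-style layout and flags the settings a reviewer would normally double-check: UAC off (EnableLUA=0), Security Center monitoring disabled, a firewall profile off, an AutoRun command registered for a volume under mountpoints2, and a Run entry launching from a temp folder. The function names, the heuristics and the "Updater" sample entry are my assumptions, not anything from the log or the helper's instructions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input in the REGEDIT4-style layout of ComboFix's "Reg Loading
# Points" section. The policy, Security Center, firewall and mountpoints2 lines
# mirror entries in the thread above; the "Updater" Run entry is invented.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fa1b09b-7f20-11dd-9177-001fc67a559d}]
\shell\AutoRun\command - H:\AutoTransfer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"Updater"="c:\users\asus\appdata\local\temp\update.exe" [2008-12-01 12288]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the dump into {registry key: [(value name, raw value), ...]}.
    Lines that are not "name"=value pairs (the AutoRun command line under
    mountpoints2) are kept with an empty value name."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                sections[current].append((m.group(1), m.group(2).strip()))
            else:
                sections[current].append(("", line))
    return sections


def dword_value(raw: str) -> Optional[int]:
    """Read both DWORD spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else None


def run_entry_path(raw: str) -> str:
    """Pull the program path out of '"c:\\dir\\x.exe" [date size]'."""
    m = re.match(r'"([^"]+)"', raw)
    return m.group(1) if m else raw.split(" [")[0]


def triage_log(text: str) -> List[str]:
    """Return one finding per setting that weakens the host's defences."""
    findings: List[str] = []
    for key, values in parse_reg_points(text).items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        for name, raw in values:
            n = name.lower()
            if k.endswith(r"policies\system") and n == "enablelua" and dword_value(raw) == 0:
                findings.append("UAC disabled: EnableLUA=0")
            elif r"security center\monitoring" in k and n == "disablemonitoring" and dword_value(raw) == 1:
                findings.append("Security Center monitoring disabled: " + leaf)
            elif "firewallpolicy" in k and n == "enablefirewall" and dword_value(raw) == 0:
                findings.append("Windows Firewall off: " + leaf)
            elif "mountpoints2" in k and "autorun" in raw.lower():
                findings.append("AutoRun handler on a mounted volume: " + raw)
            elif k.endswith(r"currentversion\run") and re.search(r"\\temp\\", run_entry_path(raw), re.I):
                findings.append("Run entry launches from a temp folder: " + name + " -> " + run_entry_path(raw))
    return findings
```

Running `triage_log(SAMPLE_LOG)` yields five findings for the constructed excerpt; the benign Sidebar entry is not reported.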

#8 fenzodahl512


  • Members
  • 6,738 posts
  • Local time:12:12 AM

Posted 15 December 2008 - 10:13 PM

yup.. looks awesome!


Let's do this...

Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512





