Infected with vundo and possibly rootkit


10 replies to this topic

#1 paul918

  • Members
  • 6 posts

Posted 14 January 2009 - 10:14 PM

For the last five weeks I've been dealing with redirections and new window spawns from google and other search engines, and now my browser is being sent directly to some third party search engine. I'm leery of typing any information on the computer that is sensitive. I've run malwarebytes, norton, ad-aware and some other AV programs to no avail.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Paul at 18:44:15.78 on Wed 01/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3049 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Paul\My Documents\new folder\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {382c9ea0-a83e-45b9-82ec-c28c9605624d} - c:\windows\system32\pmnoOIBq.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
AppInit_DLLs: frwsfc.dll bhdohh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\mfcir6dv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fugue.com/pics/goodnews.html
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {CBAAEA95-EE07-4D76-91E5-1DEC3074AE42} - c:\windows\system32\config\systemprofile\local settings\application data\{cbaaea95-ee07-4d76-91e5-1dec3074ae42}\

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090113.003\IDSxpx86.sys [2009-1-14 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-7-20 12032]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090114.017\naveng.sys [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090114.017\navex15.sys [2009-1-14 876112]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-14 24652]
S3 gtermddo;gtermddo;\??\c:\docume~1\einhan~1\locals~1\temp\gtermddo.sys --> c:\docume~1\einhan~1\locals~1\temp\gtermddo.sys [?]
S3 ikfilesec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-21 40840]
S3 iksysflt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-21 66952]
S3 iksyssec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-21 81288]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-21 356920]
S3 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-21 1079176]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

2009-01-13 01:21 1 a------- c:\windows\system32\uniq.tll
2009-01-13 01:21 31,232 a------- c:\windows\system32\pcload.exe
2009-01-09 21:59 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-09 20:48 <DIR> --d--r-- c:\program files\Norton Support
2009-01-09 20:24 52,224 a------- c:\windows\system32\awtuvVnK.dll
2009-01-09 20:22 133,120 a------- c:\windows\system32\wjecythf.dll
2009-01-06 08:05 <DIR> --d----- c:\docume~1\paul\applic~1\IsolatedStorage
2009-01-06 08:05 <DIR> --d----- c:\program files\ljArchive
2008-12-19 13:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MiKTeX
2008-12-19 13:30 <DIR> --d----- c:\program files\MiKTeX 2.7
2008-12-19 13:28 82,432 a------- c:\windows\system32\msxml4r.dll
2008-12-19 13:28 44,544 a------- c:\windows\system32\msxml4a.dll
2008-12-19 13:28 1,233,920 a------- c:\windows\system32\msxml4.dll
2008-12-19 13:28 <DIR> --d----- c:\program files\TeXnicCenter

==================== Find3M ====================

2009-01-14 18:44 112,210 a------- c:\windows\system32\drivers\de8a1d5.sys
2008-12-31 12:45 3,532 a------- C:\drmHeader.bin
2008-12-05 02:02 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-11-16 16:19 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-16 16:19 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-16 16:19 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-16 16:19 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-01 20:38 678,746 a------- c:\windows\unins000.exe
2008-09-11 14:30 55,976 a------- c:\docume~1\paul\applic~1\GDIPFONTCACHEV1.DAT
2008-05-25 12:40 22,328 a------- c:\docume~1\paul\applic~1\PnkBstrK.sys

============= FINISH: 18:44:34.81 ===============

Attached Files

#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 15 January 2009 - 05:01 AM

Hello Paul918 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#3 paul918

  • Topic Starter

  • Members
  • 6 posts

Posted 15 January 2009 - 02:15 PM

GooredFix v1.83 by jpshortstuff
Log created at 10:37 on 15/01/2009 running Option #2 (Paul)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====


ComboFix 09-01-13.04 - Paul 2009-01-15 10:58:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3218 [GMT -8:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\setup.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaxutnbkqb.sys
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekastuyvuro.dll
c:\windows\system32\senekaudacdegn.dll
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 22:19 . 2009-01-14 22:21 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-14 22:19 . 2009-01-14 22:19 <DIR> d-------- c:\program files\Apex Fitness
2009-01-14 18:45 . 2009-01-14 18:45 250 --a------ c:\windows\gmer.ini
2009-01-13 01:21 . 2009-01-13 01:21 31,232 --a------ c:\windows\system32\pcload.exe
2009-01-10 16:15 . 2009-01-10 16:15 <DIR> d-------- c:\documents and settings\You!
2009-01-09 21:59 . 2009-01-09 21:59 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-09 20:48 . 2009-01-09 20:48 <DIR> dr------- c:\program files\Norton Support
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Karin\Application Data\IsolatedStorage
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\program files\ljArchive
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\documents and settings\Paul\Application Data\IsolatedStorage
2008-12-25 01:55 . 2008-12-25 01:59 <DIR> d-------- c:\documents and settings\Paul\Application Data\U3
2008-12-19 13:35 . 2008-12-19 13:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-12-19 13:30 . 2008-12-19 13:33 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-12-19 13:28 . 2008-12-19 13:28 <DIR> d-------- c:\program files\TeXnicCenter
2008-12-19 13:28 . 2008-08-02 11:58 1,233,920 --a------ c:\windows\system32\msxml4.dll
2008-12-19 13:28 . 2008-08-02 11:58 82,432 --a------ c:\windows\system32\msxml4r.dll
2008-12-19 13:28 . 2008-08-02 11:58 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-12-16 16:19 . 2008-12-16 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 19:04 112,210 ----a-w c:\windows\system32\drivers\de8a1d5.sys
2009-01-15 06:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 02:34 --------- d-----w c:\documents and settings\Paul\Application Data\uTorrent
2008-12-31 20:45 3,532 ----a-w C:\drmHeader.bin
2008-12-21 00:34 --------- d-----w c:\documents and settings\Paul\Application Data\GetRight
2008-12-05 10:02 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-11-23 17:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 21:11 --------- d-----w c:\program files\iTunes
2008-11-22 21:11 --------- d-----w c:\program files\iPod
2008-11-22 21:11 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 21:07 --------- d-----w c:\program files\QuickTime
2008-11-22 18:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-22 18:41 --------- d-----w c:\documents and settings\Paul\Application Data\Malwarebytes
2008-11-22 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 18:34 --------- d-----w c:\program files\ERUNT
2008-11-22 16:25 --------- d-----w c:\program files\AIM6
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-22 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-21 08:44 --------- d-----w c:\program files\Spyware Doctor
2008-11-21 08:23 --------- d-----w c:\documents and settings\Paul\Application Data\PC Tools
2008-11-19 07:54 --------- d-----w c:\program files\NCH Swift Sound
2008-11-19 07:53 --------- d-----w c:\documents and settings\Paul\Application Data\NCH Swift Sound
2008-11-19 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 00:38 --------- d-----w c:\program files\Lavasoft
2008-11-19 00:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 03:53 --------- d-----w c:\program files\Alwil Software
2008-11-17 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-17 17:51 --------- d-----w c:\program files\NCH Software
2008-11-17 17:51 --------- d-----w c:\documents and settings\Paul\Application Data\Recordpad
2008-11-17 17:48 --------- d-----w c:\documents and settings\Paul\Application Data\Ahead
2008-11-17 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-17 00:25 --------- d-----w c:\program files\Steam
2008-11-17 00:19 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-17 00:19 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-11-17 00:19 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-17 00:19 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-17 00:19 --------- d-----w c:\program files\Windows Sidebar
2008-11-17 00:19 --------- d-----w c:\program files\Symantec
2008-11-17 00:19 --------- d-----w c:\program files\Norton Internet Security
2008-11-17 00:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-17 00:19 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-11-17 00:18 --------- d-----w c:\program files\NortonInstaller
2008-11-17 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-03 23:34 94,912 ----a-w c:\windows\bmfirmwareapex4.dll
2008-11-03 23:34 78,528 ----a-w c:\windows\bmcommapex4.dll
2008-11-03 23:34 47,432 ----a-w c:\windows\system32\ftserui2.dll
2008-11-03 23:34 202,048 ----a-w c:\windows\system32\ftd2xx.dll
2008-11-03 23:34 2,671,296 ----a-w c:\windows\bmusbapex4.dll
2008-11-03 23:34 160,448 ----a-w c:\windows\bmupgradeapex24.dll
2008-11-03 23:34 156,352 ----a-w c:\windows\bmupgradeapex25.dll
2008-11-03 23:34 123,584 ----a-w c:\windows\bmserialapex25.dll
2008-11-03 23:34 119,488 ----a-w c:\windows\bmserialapex24.dll
2008-11-03 23:34 111,936 ----a-w c:\windows\system32\ftbusui.dll
2008-11-03 23:34 107,840 ----a-w c:\windows\system32\FTLang.dll
2008-11-03 23:32 147,456 ----a-w c:\windows\bmapex.dll
2008-11-03 23:32 135,168 ----a-w c:\windows\bmupgradeapex.dll
2008-11-03 23:08 62,144 ----a-w c:\windows\bmversionapex.dll
2008-11-02 04:38 678,746 ----a-w c:\windows\unins000.exe
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-11 22:30 55,976 ----a-w c:\documents and settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
2008-05-25 20:40 22,328 ----a-w c:\documents and settings\Paul\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2008-01-03 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=frwsfc.dll bhdohh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m|\ [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2006-02-28 04:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 11:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 13:52 331830 c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-02 14:46 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 20:23 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\utorrent]
--a------ 2008-10-07 22:33 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 16:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-01-03 14:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-19 02:14 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! web scanner"=3 (0x3)
"avast! mail scanner"=3 (0x3)
"avast! antivirus"=2 (0x2)
"aswupdsv"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\exurar\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090113.003\IDSxpx86.sys [2009-01-14 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-07-20 12032]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-14 24652]
S3 gtermddo;gtermddo;\??\c:\docume~1\EINHAN~1\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\EINHAN~1\LOCALS~1\Temp\gtermddo.sys [?]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-21 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\autorun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{382c9ea0-a83e-45b9-82ec-c28c9605624d} - c:\windows\system32\pmnoOIBq.dll
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\mfcir6dv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fugue.com/pics/goodnews.html
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 11:04:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\de8a1d5]
"ImagePath"="\SystemRoot\System32\drivers\de8a1d5.sys"
.
Completion time: 2009-01-15 11:07:53
ComboFix-quarantined-files.txt 2009-01-15 19:06:46

Pre-Run: 359,775,834,112 bytes free
Post-Run: 360,523,530,240 bytes free

258 --- E O F --- 2008-11-12 11:01:35
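As an added example for reading the DDS and ComboFix logs posted above (this is not code from the thread or from either tool), the following Python script runs a few defender-side triage rules over log lines in that format: a populated AppInit_DLLs value, a DisableTaskMgr policy, the firewall and Security Center notifications switched off, a driver service whose image lives under a Temp directory, and a file dropped directly into system32 or system32\drivers with a machine-generated name such as de8a1d5 or pmnoOIBq. The sample lines are modelled on the two logs above (the suspicious names are the ones reported in this thread, the ctfmon, WPDShServiceObj and Norton lines are benign controls); the rule names and the name heuristic are my own, and the heuristic is deliberately conservative, so names like ffkuz.dll are left for the analyst.

```python
import re

# Sample lines in DDS / ComboFix style, modelled on the logs posted in this thread.
# pmnoOIBq.dll, frwsfc.dll, bhdohh.dll, gtermddo.sys and de8a1d5.sys are the names
# reported above; the ctfmon / WPDShServiceObj / Norton lines are benign controls.
SAMPLE_LOG = r"""
BHO: {382c9ea0-a83e-45b9-82ec-c28c9605624d} - c:\windows\system32\pmnoOIBq.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: frwsfc.dll bhdohh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
S3 gtermddo;gtermddo;\??\c:\docume~1\einhan~1\locals~1\temp\gtermddo.sys --> c:\docume~1\einhan~1\locals~1\temp\gtermddo.sys [?]
"EnableFirewall"= 0 (0x0)
"AntiVirusDisableNotify"=dword:00000001
"ImagePath"="\SystemRoot\System32\drivers\de8a1d5.sys"
"""

# A Windows path ending in a PE/driver extension; spaces inside the path are allowed.
PATH_RE = re.compile(r'(?:[a-z]:|\\systemroot)\\[^"\[\]]*?\.(?:dll|sys|exe)\b', re.I)
# Only these parent directories get the "random name" heuristic; vendor subfolders do not.
SYSTEM_DIRS = ('\\windows\\system32', '\\system32\\drivers')
APPINIT_RE = re.compile(r'^"?AppInit_DLLs"?\s*[:=]\s*(.*)$', re.I)       # DDS or ComboFix form
POLICY_RE = re.compile(r'"?(DisableTaskMgr|DisableRegistryTools)"?\s*=\s*1\b')
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
SECCENTER_RE = re.compile(r'"((?:AntiVirus|Firewall|Updates)DisableNotify)"\s*=\s*dword:0*1$')
SERVICE_RE = re.compile(r'^[RS]\d\s')                                     # R0..R4 / S0..S4 lines


def looks_random(filename):
    """Conservative heuristic for machine-generated names (de8a1d5.sys, pmnoOIBq.dll)."""
    stem = filename.rsplit('.', 1)[0]
    if len(stem) < 6:
        return False
    # hex-only stems that mix digits and letters, e.g. de8a1d5
    if re.fullmatch(r'[0-9a-f]+', stem) and re.search(r'\d', stem) and re.search(r'[a-f]', stem):
        return True
    # a capital that follows a lowercase letter and is itself followed by a capital or
    # the end of the stem (pmnoOIBq, awtuvVnK); CamelCase vendor names do not match
    return re.search(r'[a-z][A-Z](?:[A-Z]|$)', stem) is not None


def in_system_dir(path):
    parent = path.rsplit('\\', 1)[0].lower()
    return parent.endswith(SYSTEM_DIRS)


def triage(log_text):
    """Return (rule, evidence) findings for DDS / ComboFix-style log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m:
            names = m.group(1).replace('"', '').split()   # "" (cleared) yields no finding
            if names:
                findings.append(('appinit_dlls_set', ' '.join(names)))
        m = POLICY_RE.search(line)
        if m:
            findings.append(('admin_tool_disabled', m.group(1)))
        if FIREWALL_RE.search(line):
            findings.append(('firewall_disabled', line))
        m = SECCENTER_RE.search(line)
        if m:
            findings.append(('security_center_alert_off', m.group(1)))
        paths = list(dict.fromkeys(PATH_RE.findall(line)))   # de-duplicate, keep order
        if SERVICE_RE.match(line) and any('\\temp\\' in p.lower() for p in paths):
            findings.append(('driver_loaded_from_temp', paths[0]))
        for p in paths:
            if in_system_dir(p) and looks_random(p.rsplit('\\', 1)[1]):
                findings.append(('random_name_in_system_dir', p))
    return findings


if __name__ == '__main__':
    for rule, evidence in triage(SAMPLE_LOG):
        print(f'{rule:28} {evidence}')
```

Run against the sample it reports seven findings: the BHO and the de8a1d5 driver image as random names in a system directory, the AppInit_DLLs pair, the Task Manager policy, the Temp-directory driver, the disabled firewall and the silenced Security Center alert. The explicit registry rules are the reliable ones; the name heuristic is a prompt for a human to look, not a verdict.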

#4 paul918

  • Topic Starter

  • Members
  • 6 posts

Posted 15 January 2009 - 02:18 PM

I should also say that I ran the tools recommended by techsupportforum but was unable to join because their image authentication process is broken (it feeds 1x1 pixel images instead of character string images).

Their tools said I was infected with a rootkit de8a1d5.sys, of which I had previously been warned by avast antivirus.

#5 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 16 January 2009 - 05:05 AM

Hello Paul,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::
c:\windows\system32\drivers\de8a1d5.sys
File::
c:\windows\system32\pcload.exe
c:\windows\system32\ffkuz.dll
c:\docume~1\EINHAN~1\LOCALS~1\Temp\gtermddo.sys
DirLook::
c:\documents and settings\You!
Driver::
gtermddo
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens browser window) and click OK to start the upload. :thumbsup:

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 11 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
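The CFScript in the post above is a plain-text list of directives (Collect::, File::, DirLook::, Driver::, Registry::), each followed by the paths, service names or .reg-style lines it applies to. Before dragging such a script onto ComboFix it is worth seeing exactly what it will do. The following Python is an added example, not code from this thread and not ComboFix's own tooling: it parses the posted script into a reviewable plan and flags entries a responder should look at twice. The meaning given to each directive (Collect = quarantine and upload, File = delete, DirLook = list a directory, Driver = remove a service, Registry = apply registry entries) is my reading of the ComboFix log paul918 posts later in the thread, where the File:: paths appear under "Other Deletions", the Driver:: name under "Drivers/Services" and the DirLook:: path under "Look"; it is not ComboFix documentation. The two review heuristics at the end are assumptions of this example.

```python
"""Parse a ComboFix CFScript into a reviewable action plan.

Added example (not from the thread, not ComboFix's own code). The directive
semantics below are the reviewer's reading of the thread, not documentation.
"""
import re

# A directive line is a word followed by "::"; the entries that follow belong
# to it until the next directive line.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')  # "Name"=data

# Constructed sample: the script posted in the thread, copied verbatim.
SAMPLE_SCRIPT = r"""Collect::
c:\windows\system32\drivers\de8a1d5.sys
File::
c:\windows\system32\pcload.exe
c:\windows\system32\ffkuz.dll
c:\docume~1\EINHAN~1\LOCALS~1\Temp\gtermddo.sys
DirLook::
c:\documents and settings\You!
Driver::
gtermddo
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""


def parse_cfscript(text):
    """Return {directive: [entries]}.

    Registry entries are returned as (key, value_name, data) tuples so the
    reviewer sees which key each value lands in; every other directive keeps
    its entries as the raw strings from the script.
    """
    plan = {}
    current = None
    reg_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            plan.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            raise ValueError("entry before any directive: %r" % line)
        if current == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                reg_key = km.group(1)
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and reg_key is not None:
                plan[current].append((reg_key, vm.group(1), vm.group(2).strip('"')))
                continue
            raise ValueError("unparsed registry line: %r" % line)
        plan[current].append(line)
    return plan


def review_findings(plan):
    """Heuristics (assumptions of this example) for what to double-check."""
    findings = []
    # A kernel driver (.sys) living in a user's Temp directory is worth noting
    # in the case record, since that is not where legitimate drivers install.
    for path in plan.get("File", []):
        low = path.lower()
        if "\\temp\\" in low and low.endswith(".sys"):
            findings.append("kernel driver in a Temp directory: " + path)
    # Clearing AppInit_DLLs affects every process that loads user32.dll, so
    # record the previous value from the DDS log before the script runs.
    for key, name, data in plan.get("Registry", []):
        if name.lower() == "appinit_dlls":
            findings.append("AppInit_DLLs set to %r under %s" % (data, key))
    return findings


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for directive, entries in plan.items():
        print(directive)
        for entry in entries:
            print("   ", entry)
    for finding in review_findings(plan):
        print("REVIEW:", finding)
```

Running the block prints each directive with its entries and then the two review notes; the parser raises on a registry value that appears before any [key] line or on an entry that precedes any directive, so a script mangled by copy/paste (the reason Thunder insists on Notepad) fails in review rather than in ComboFix.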

#6 paul918

paul918
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 16 January 2009 - 02:51 PM

:thumbsup: Thanks for your help so far, Thunder.

DDS and ComboFix logs follow, with attach.txt attached. JRE has been updated. I don't know if ComboFix has uploaded the file; would you like me to attach it to a reply?

Web searches are still occasionally getting hijacked to shopica etc. EDIT: Windows' "Malicious Software Tool" removed Rustock.E over the course of last night and rebooted the system.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Paul at 11:22:30.21 on Fri 01/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3010 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\My Documents\new folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\mfcir6dv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fugue.com/pics/goodnews.html
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {CBAAEA95-EE07-4D76-91E5-1DEC3074AE42} - c:\windows\system32\config\systemprofile\local settings\application data\{cbaaea95-ee07-4d76-91e5-1dec3074ae42}\

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090115.001\IDSxpx86.sys [2009-1-15 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-7-20 12032]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090116.004\naveng.sys [2009-1-16 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090116.004\navex15.sys [2009-1-16 876112]
R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-14 24652]
S3 ikfilesec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-21 40840]
S3 iksysflt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-21 66952]
S3 iksyssec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-21 81288]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-21 356920]
S3 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-21 1079176]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

2009-01-15 10:46 <DIR> --d----- C:\cmdcons
2009-01-15 10:44 161,792 a------- c:\windows\SWREG.exe
2009-01-15 10:44 98,816 a------- c:\windows\sed.exe
2009-01-14 22:19 <DIR> --d----- c:\program files\Apex Fitness
2009-01-14 18:45 250 a------- c:\windows\gmer.ini
2009-01-09 20:48 <DIR> --d--r-- c:\program files\Norton Support
2009-01-06 08:05 <DIR> --d----- c:\docume~1\paul\applic~1\IsolatedStorage
2009-01-06 08:05 <DIR> --d----- c:\program files\ljArchive
2008-12-19 13:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MiKTeX
2008-12-19 13:30 <DIR> --d----- c:\program files\MiKTeX 2.7
2008-12-19 13:28 82,432 a------- c:\windows\system32\msxml4r.dll
2008-12-19 13:28 44,544 a------- c:\windows\system32\msxml4a.dll
2008-12-19 13:28 1,233,920 a------- c:\windows\system32\msxml4.dll
2008-12-19 13:28 <DIR> --d----- c:\program files\TeXnicCenter

==================== Find3M ====================

2009-01-16 11:22 112,210 a------- c:\windows\system32\drivers\de8a1d5.sys
2008-12-31 12:45 3,532 a------- C:\drmHeader.bin
2008-12-05 02:02 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-11-16 16:19 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-03 15:34 2,671,296 a------- c:\windows\bmusbapex4.dll
2008-11-03 15:34 156,352 a------- c:\windows\bmupgradeapex25.dll
2008-11-03 15:34 123,584 a------- c:\windows\bmserialapex25.dll
2008-11-03 15:34 160,448 a------- c:\windows\bmupgradeapex24.dll
2008-11-03 15:34 119,488 a------- c:\windows\bmserialapex24.dll
2008-11-03 15:34 94,912 a------- c:\windows\bmfirmwareapex4.dll
2008-11-03 15:34 78,528 a------- c:\windows\bmcommapex4.dll
2008-11-03 15:34 202,048 a------- c:\windows\system32\ftd2xx.dll
2008-11-03 15:34 111,936 a------- c:\windows\system32\ftbusui.dll
2008-11-03 15:34 107,840 a------- c:\windows\system32\FTLang.dll
2008-11-03 15:34 47,432 a------- c:\windows\system32\ftserui2.dll
2008-11-03 15:32 147,456 a------- c:\windows\bmapex.dll
2008-11-03 15:32 135,168 a------- c:\windows\bmupgradeapex.dll
2008-11-03 15:08 62,144 a------- c:\windows\bmversionapex.dll
2008-11-01 20:38 678,746 a------- c:\windows\unins000.exe
2008-09-11 14:30 55,976 a------- c:\docume~1\paul\applic~1\GDIPFONTCACHEV1.DAT
2008-05-25 12:40 22,328 a------- c:\docume~1\paul\applic~1\PnkBstrK.sys

============= FINISH: 11:22:41.96 ===============

ComboFix 09-01-13.04 - Paul 2009-01-16 11:06:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3057 [GMT -8:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\docume~1\EINHAN~1\LOCALS~1\Temp\gtermddo.sys
c:\windows\system32\ffkuz.dll
c:\windows\system32\pcload.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\de8a1d5.sys
c:\windows\system32\ffkuz.dll
c:\windows\system32\pcload.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GTERMDDO
-------\Service_gtermddo
-------\Service_de8a1d5


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-14 22:19 . 2009-01-14 22:19 <DIR> d-------- c:\program files\Apex Fitness
2009-01-14 18:45 . 2009-01-14 18:45 250 --a------ c:\windows\gmer.ini
2009-01-10 16:15 . 2009-01-10 16:15 <DIR> d-------- c:\documents and settings\You!
2009-01-09 20:48 . 2009-01-09 20:48 <DIR> dr------- c:\program files\Norton Support
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Karin\Application Data\IsolatedStorage
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\program files\ljArchive
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\documents and settings\Paul\Application Data\IsolatedStorage
2008-12-25 01:55 . 2008-12-25 01:59 <DIR> d-------- c:\documents and settings\Paul\Application Data\U3
2008-12-19 13:35 . 2008-12-19 13:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-12-19 13:30 . 2008-12-19 13:33 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-12-19 13:28 . 2008-12-19 13:28 <DIR> d-------- c:\program files\TeXnicCenter
2008-12-19 13:28 . 2008-08-02 11:58 1,233,920 --a------ c:\windows\system32\msxml4.dll
2008-12-19 13:28 . 2008-08-02 11:58 82,432 --a------ c:\windows\system32\msxml4r.dll
2008-12-19 13:28 . 2008-08-02 11:58 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-12-16 16:19 . 2008-12-16 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 19:10 112,210 ----a-w c:\windows\system32\drivers\de8a1d5.sys
2009-01-15 06:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 02:34 --------- d-----w c:\documents and settings\Paul\Application Data\uTorrent
2008-12-31 20:45 3,532 ----a-w C:\drmHeader.bin
2008-12-21 00:34 --------- d-----w c:\documents and settings\Paul\Application Data\GetRight
2008-12-05 10:02 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-11-23 17:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 21:11 --------- d-----w c:\program files\iTunes
2008-11-22 21:11 --------- d-----w c:\program files\iPod
2008-11-22 21:11 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 21:07 --------- d-----w c:\program files\QuickTime
2008-11-22 18:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-22 18:41 --------- d-----w c:\documents and settings\Paul\Application Data\Malwarebytes
2008-11-22 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 18:34 --------- d-----w c:\program files\ERUNT
2008-11-22 16:25 --------- d-----w c:\program files\AIM6
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-22 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-21 08:44 --------- d-----w c:\program files\Spyware Doctor
2008-11-21 08:23 --------- d-----w c:\documents and settings\Paul\Application Data\PC Tools
2008-11-19 07:54 --------- d-----w c:\program files\NCH Swift Sound
2008-11-19 07:53 --------- d-----w c:\documents and settings\Paul\Application Data\NCH Swift Sound
2008-11-19 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 00:38 --------- d-----w c:\program files\Lavasoft
2008-11-19 00:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 03:53 --------- d-----w c:\program files\Alwil Software
2008-11-17 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-17 17:51 --------- d-----w c:\program files\NCH Software
2008-11-17 17:51 --------- d-----w c:\documents and settings\Paul\Application Data\Recordpad
2008-11-17 17:48 --------- d-----w c:\documents and settings\Paul\Application Data\Ahead
2008-11-17 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-17 00:25 --------- d-----w c:\program files\Steam
2008-11-17 00:19 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-17 00:19 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-17 00:19 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-17 00:19 --------- d-----w c:\program files\Windows Sidebar
2008-11-17 00:19 --------- d-----w c:\program files\Symantec
2008-11-17 00:19 --------- d-----w c:\program files\Norton Internet Security
2008-11-17 00:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-17 00:19 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-11-17 00:18 --------- d-----w c:\program files\NortonInstaller
2008-11-17 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-03 23:34 94,912 ----a-w c:\windows\bmfirmwareapex4.dll
2008-11-03 23:34 78,528 ----a-w c:\windows\bmcommapex4.dll
2008-11-03 23:34 2,671,296 ----a-w c:\windows\bmusbapex4.dll
2008-11-03 23:34 160,448 ----a-w c:\windows\bmupgradeapex24.dll
2008-11-03 23:34 156,352 ----a-w c:\windows\bmupgradeapex25.dll
2008-11-03 23:34 123,584 ----a-w c:\windows\bmserialapex25.dll
2008-11-03 23:34 119,488 ----a-w c:\windows\bmserialapex24.dll
2008-11-03 23:32 147,456 ----a-w c:\windows\bmapex.dll
2008-11-03 23:32 135,168 ----a-w c:\windows\bmupgradeapex.dll
2008-11-03 23:08 62,144 ----a-w c:\windows\bmversionapex.dll
2008-11-02 04:38 678,746 ----a-w c:\windows\unins000.exe
2008-09-11 22:30 55,976 ----a-w c:\documents and settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
2008-05-25 20:40 22,328 ----a-w c:\documents and settings\Paul\Application Data\PnkBstrK.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\You! ----

2009-01-16 07:28 1024 --ah----- c:\documents and settings\You!\NTUSER.DAT.LOG
2009-01-15 11:02 1024 --ah----- c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2009-01-15 10:51 786432 --ah----- c:\documents and settings\You!\NTUSER.DAT
2009-01-15 10:51 178 --ahs---- c:\documents and settings\You!\ntuser.ini
2009-01-13 10:12 692 --a------ c:\documents and settings\You!\Local Settings\Application Data\Symantec\CEDUrl.txt
2009-01-13 10:12 62 --ahs---- c:\documents and settings\You!\Local Settings\desktop.ini
2009-01-13 10:12 32768 --a------ c:\documents and settings\You!\Local Settings\History\History.IE5\index.dat
2009-01-13 10:12 16384 --a------ c:\documents and settings\You!\Cookies\index.dat
2009-01-13 08:36 262144 --ah----- c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2009-01-13 08:35 65536 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\cert8.db
2009-01-13 08:35 3341127 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\_CACHE_003_
2009-01-13 08:35 2046832 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\_CACHE_002_
2009-01-13 08:35 16384 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\key3.db
2009-01-13 08:35 15589376 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\urlclassifier3.sqlite
2009-01-13 08:35 13312 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\cookies.sqlite
2009-01-13 08:35 1278438 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\_CACHE_001_
2009-01-13 08:35 107216 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\places.sqlite-journal
2009-01-12 20:06 319488 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\places.sqlite
2009-01-12 16:39 1561 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\blocklist.xml
2009-01-11 14:49 17682 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A89F4DBCd01
2009-01-11 14:36 64432 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\sessionstore.js
2009-01-11 10:56 18786 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\44899CA2d01
2009-01-11 10:55 27887 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4E0E7211d01
2009-01-11 10:55 24802 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\3E6A6E0Cd01
2009-01-11 10:55 21479 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B1D89B0Ed01
2009-01-11 10:55 20041 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\E9FDC5ADd01
2009-01-11 10:55 19108 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D3CB2150d01
2009-01-11 10:55 18265 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\729D694Fd01
2009-01-11 10:35 22461 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\ABAD8A00d01
2009-01-11 10:35 18786 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4899CA0Bd01
2009-01-11 10:34 46707 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\906A3AE4d01
2009-01-11 10:34 45779 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9A603A64d01
2009-01-11 10:34 44979 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\618C3A44d01
2009-01-11 10:34 44305 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\95883A84d01
2009-01-11 10:34 42071 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\65113BC4d01
2009-01-11 10:34 41247 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\642B2BE4d01
2009-01-11 10:34 38770 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C49E3CC4d01
2009-01-11 10:34 38562 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\739F2BC4d01
2009-01-11 10:34 36690 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\DA403CA4d01
2009-01-11 10:34 36342 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6A213B24d01
2009-01-11 10:34 35628 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D6993C84d01
2009-01-11 10:34 34580 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A6183804d01
2009-01-11 10:34 32097 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\61712B84d01
2009-01-11 10:34 30308 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A03B3C44d01
2009-01-11 10:34 28688 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D1383CA4d01
2009-01-11 10:33 42620 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\93413AC4d01
2009-01-11 10:33 29538 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\451011A8d01
2009-01-11 10:33 27858 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\85E2553Fd01
2009-01-11 09:59 72381 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AE5864B5d01
2009-01-11 09:59 60070 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\30B11BA3d01
2009-01-11 09:59 48723 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C30CF7C9d01
2009-01-11 09:59 43738 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D478310Dd01
2009-01-11 09:59 41504 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D410F7F9d01
2009-01-11 09:59 30881 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\32118DE7d01
2009-01-11 09:59 22817 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BC0A2A8Cd01
2009-01-11 09:58 20283 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\26DFCB5Ed01
2009-01-11 09:12 34911 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C74FC16Ad01
2009-01-11 09:10 43097 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\56F996A4d01
2009-01-11 09:10 41899 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D79B3CFBd01
2009-01-11 09:10 4096 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\formhistory.sqlite
2009-01-11 09:09 46669 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F338AD2Fd01
2009-01-11 08:09 864243 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\XUL.mfl
2009-01-11 08:09 28845 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A7F54334d01
2009-01-11 08:09 1111 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\localstore.rdf
2009-01-11 08:08 31477 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\92E348D6d01
2009-01-11 08:08 28401 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D7AA0568d01
2009-01-11 08:01 34874 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F3E24CAAd01
2009-01-11 08:01 31094 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6270582Cd01
2009-01-11 08:01 17911 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\ACCC5223d01
2009-01-11 07:55 85 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mail.google.com\settings.sol
2009-01-11 07:55 807 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\Content\CA0D73613D6B64246BFCA3B839EE4E43
2009-01-11 07:55 74940 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\7C11CF02d01
2009-01-11 07:55 72789 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\62B68D07d01
2009-01-11 07:55 472 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
2009-01-11 07:55 43333 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\488D60C1d01
2009-01-11 07:55 41460 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\27B11C6Dd01
2009-01-11 07:55 37800 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6D091E3Ad01
2009-01-11 07:55 37 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\#SharedObjects\45LYVKF5\mail.google.com\wakeup.sol
2009-01-11 07:55 28497 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\288D9ACFd01
2009-01-11 07:55 196182 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\91D47CC2d01
2009-01-11 07:55 130 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\MetaData\CA0D73613D6B64246BFCA3B839EE4E43
2009-01-11 07:54 61 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\signons3.txt
2009-01-11 07:54 47868 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\1CC08BE6d01
2009-01-11 07:53 40408 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BD326553d01
2009-01-11 07:53 38592 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4C391234d01
2009-01-11 07:53 35774 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\834D0090d01
2009-01-11 07:53 33424 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F781DBA5d01
2009-01-11 07:53 32567 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BFD1CBC4d01
2009-01-11 07:53 30276 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4D810035d01
2009-01-11 07:53 28967 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4D973154d01
2009-01-11 07:53 28682 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\26F36E03d01
2009-01-11 07:53 27023 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2009-01-11 07:53 26540 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\42B40E24d01
2009-01-11 07:53 25109 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\E0F5616Dd01
2009-01-11 07:53 25010 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B13F7BA3d01
2009-01-11 07:53 23344 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\3182CF87d01
2009-01-11 07:53 23098 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4D973C01d01
2009-01-11 07:53 22758 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\43C615EEd01
2009-01-11 07:53 22345 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\30DF7A0Dd01
2009-01-11 07:53 21938 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B8277541d01
2009-01-11 07:53 216 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2009-01-11 07:53 216 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
2009-01-11 07:53 21176 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\76949FEBd01
2009-01-11 07:53 19478 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4D973175d01
2009-01-11 07:53 18383 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C11C3B29d01
2009-01-11 07:53 18260 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B7358DD5d01
2009-01-11 07:53 18094 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\DA5C7269d01
2009-01-11 07:53 18 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
2009-01-11 07:53 17088 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\3A6655B1d01
2009-01-11 07:53 140 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\MetaData\33ECCD4EC2899E5F6A7E306662596E0F
2009-01-11 07:53 1184 --a-s---- c:\documents and settings\You!\Application Data\Microsoft\CryptnetUrlCache\Content\33ECCD4EC2899E5F6A7E306662596E0F
2009-01-11 07:53 114873 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AEEFED59d01
2009-01-11 07:52 62341 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\72694D3Dd01
2009-01-11 07:52 22461 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\3512707Fd01
2009-01-11 07:52 20702 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A913CC41d01
2009-01-11 07:52 20479 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\78DD8854d01
2009-01-11 07:52 19098 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\0FF1F2BDd01
2009-01-11 02:50 40298 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\485AEF3Dd01
2009-01-11 02:50 20109 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6A96CF76d01
2009-01-11 00:44 29203 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\096577ABd01
2009-01-11 00:44 17160 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4EA8ECECd01
2009-01-11 00:44 16634 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9B8611DEd01
2009-01-11 00:38 52545 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\54AD61EEd01
2009-01-11 00:38 41903 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\43E171AEd01
2009-01-11 00:38 34661 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\E91F35AFd01
2009-01-11 00:38 29374 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\DDA79EBDd01
2009-01-11 00:30 85 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#login.yahoo.com\settings.sol
2009-01-11 00:30 28636 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F700C943d01
2009-01-11 00:30 22822 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BA0A2A8Cd01
2009-01-11 00:30 20760 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\8B9EBB9Cd01
2009-01-11 00:30 19742 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\131FBCF7d01
2009-01-11 00:30 158 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\#SharedObjects\45LYVKF5\login.yahoo.com\loginCache.sol
2009-01-10 22:29 18913 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C9C01822d01
2009-01-10 20:26 64721 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\1594FE3Bd01
2009-01-10 20:26 32354 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\221737E1d01
2009-01-10 20:26 22611 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\30E7E712d01
2009-01-10 20:26 20610 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\CB851D70d01
2009-01-10 20:26 20283 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\DAEC1B50d01
2009-01-10 20:26 20147 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F2E181C5d01
2009-01-10 20:26 18776 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\5EBD2AECd01
2009-01-10 19:09 5766 --a------ c:\documents and settings\You!\Application Data\Microsoft\Windows\Themes\Custom.theme
2009-01-10 19:09 4347054 --a------ c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
2009-01-10 19:09 2696 --ahs---- c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\Desktop.htt
2009-01-10 18:16 4174 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\bookmarkbackups\bookmarks-2009-01-10.json
2009-01-10 17:55 165491 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B5C90901d01
2009-01-10 17:55 140211 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\480A9306d01
2009-01-10 17:55 137197 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AECACC89d01
2009-01-10 17:22 187403 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6D1B8CC4d01
2009-01-10 17:22 180687 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D8F84C1Cd01
2009-01-10 17:22 177574 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AAC16329d01
2009-01-10 17:22 174352 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AB7A311Fd01
2009-01-10 17:22 155438 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\ABA07953d01
2009-01-10 17:22 145341 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\ADE6553Fd01
2009-01-10 17:22 136008 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AA41915Bd01
2009-01-10 17:22 133441 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AE45D11Bd01
2009-01-10 17:22 131949 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AC87070Dd01
2009-01-10 17:22 110858 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F261F370d01
2009-01-10 17:22 109564 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\0145C84Dd01
2009-01-10 16:52 190155 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\74D5D500d01
2009-01-10 16:52 178325 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9900F17Bd01
2009-01-10 16:52 157348 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\D1B54D3Cd01
2009-01-10 16:52 134649 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\7B8AE094d01
2009-01-10 16:52 118627 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A883474Dd01
2009-01-10 16:52 118206 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A9E2157Fd01
2009-01-10 16:52 112118 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A64D519Bd01
2009-01-10 16:52 110639 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A6CD2369d01
2009-01-10 16:52 100635 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\79D5B0DCd01
2009-01-10 16:28 9438047 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\028E67D4d01
2009-01-10 16:26 99351 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A47D4E08d01
2009-01-10 16:26 98208 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4EA556FAd01
2009-01-10 16:26 86767 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4E972E2Bd01
2009-01-10 16:26 85 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\#SharedObjects\45LYVKF5\s.ytimg.com\videostats.sol
2009-01-10 16:26 81 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol
2009-01-10 16:26 60314 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B6138869d01
2009-01-10 16:26 58 --a------ c:\documents and settings\You!\Application Data\Macromedia\Flash Player\#SharedObjects\45LYVKF5\s.ytimg.com\soundData.sol
2009-01-10 16:26 47925 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9576E455d01
2009-01-10 16:26 36075 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\33A0BE9Cd01
2009-01-10 16:26 35232 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\042F0EC9d01
2009-01-10 16:26 34334 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\86FFD21Fd01
2009-01-10 16:26 30293 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\8E243793d01
2009-01-10 16:26 20422 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A76715B9d01
2009-01-10 16:26 19769 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\22F9E3C7d01
2009-01-10 16:26 16605 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A7E1949Ad01
2009-01-10 16:24 35837 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\50742D88d01
2009-01-10 16:22 38715 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\37B282D9d01
2009-01-10 16:22 25992 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\02847400d01
2009-01-10 16:22 24207 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F23E2C66d01
2009-01-10 16:22 19751 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\432347EEd01
2009-01-10 16:22 188142 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BC56F03Bd01
2009-01-10 16:22 166364 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\30967502d01
2009-01-10 16:22 151728 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BCD64209d01
2009-01-10 16:22 122991 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\472366C1d01
2009-01-10 16:22 122094 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BFF5741Fd01
2009-01-10 16:22 114077 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B3B6E0A1d01
2009-01-10 16:22 113898 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BE95878Dd01
2009-01-10 16:22 113805 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\A7ACB993d01
2009-01-10 16:22 107390 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\75573DB1d01
2009-01-10 16:21 31331 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\2420FA72d01
2009-01-10 16:21 30333 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\48485E0Dd01
2009-01-10 16:21 19751 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\45956B20d01
2009-01-10 16:21 19751 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\3B5E8D34d01
2009-01-10 16:20 42014 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\7F903633d01
2009-01-10 16:20 29821 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\8C03B2FAd01
2009-01-10 16:20 28262 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\7B39F440d01
2009-01-10 16:20 20111 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9ADFEAABd01
2009-01-10 16:20 19670 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\E2D56E9Ad01
2009-01-10 16:19 97106 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\xpti.dat
2009-01-10 16:19 7168 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\content-prefs.sqlite
2009-01-10 16:19 66261 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\CCA81825d01
2009-01-10 16:19 66045 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\AF7B1B9Ed01
2009-01-10 16:19 65365 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\200BFE4Ed01
2009-01-10 16:19 577 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\extensions.cache
2009-01-10 16:19 57253 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\2820CF1Bd01
2009-01-10 16:19 47801 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\556461D6d01
2009-01-10 16:19 475 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\extensions.ini
2009-01-10 16:19 42629 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\C0797A88d01
2009-01-10 16:19 37660 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\7C91B078d01
2009-01-10 16:19 3658 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\extensions.rdf
2009-01-10 16:19 36450 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B6CC71B1d01
2009-01-10 16:19 36 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Crash Reports\UserID
2009-01-10 16:19 35571 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\4908D927d01
2009-01-10 16:19 31187 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\9C8B5708d01
2009-01-10 16:19 276 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\_CACHE_MAP_
2009-01-10 16:19 2339 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\mimeTypes.rdf
2009-01-10 16:19 22819 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\B80A2A8Cd01
2009-01-10 16:19 22096 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\F1DD827Fd01
2009-01-10 16:19 21616 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\BB58AA43d01
2009-01-10 16:19 2048 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\search.sqlite
2009-01-10 16:19 2048 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\permissions.sqlite
2009-01-10 16:19 2048 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\downloads.sqlite
2009-01-10 16:19 2000314 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\XPC.mfl
2009-01-10 16:19 19401 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\49ED0E20d01
2009-01-10 16:19 179 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\compatibility.ini
2009-01-10 16:19 17264 --a------ c:\documents and settings\You!\Local Settings\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\Cache\6EB02897d01
2009-01-10 16:19 16384 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\secmod.db
2009-01-10 16:19 15579 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\pluginreg.dat
2009-01-10 16:19 154 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\urlclassifierkey3.txt
2009-01-10 16:19 144549 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\compreg.dat
2009-01-10 16:19 1186 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\prefs.js
2009-01-10 16:19 111 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\profiles.ini
2009-01-10 16:19 10 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008120122
2009-01-10 16:16 79 --a------ c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2009-01-10 16:16 788 --a------ c:\documents and settings\You!\Start Menu\Programs\Windows Media Player.lnk
2009-01-10 16:16 779 --a------ c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2009-01-10 16:16 774 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Address Book.lnk
2009-01-10 16:16 767 --a------ c:\documents and settings\You!\Start Menu\Programs\Internet Explorer.lnk
2009-01-10 16:16 75838 --a------ c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Media Player\wmdbexport.xml
2009-01-10 16:16 75 --ahs---- c:\documents and settings\You!\My Documents\desktop.ini
2009-01-10 16:16 738 --a------ c:\documents and settings\You!\Start Menu\Programs\Outlook Express.lnk
2009-01-10 16:16 720896 --a------ c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2009-01-10 16:16 67 ---hs---- c:\documents and settings\You!\Local Settings\Temporary Internet Files\desktop.ini
2009-01-10 16:16 668 --a------ c:\documents and settings\You!\My Documents\My Pictures\Sample Pictures.lnk
2009-01-10 16:16 638 --a------ c:\documents and settings\You!\My Documents\My Music\Sample Music.lnk
2009-01-10 16:16 542 --ahs---- c:\documents and settings\You!\Start Menu\Programs\Accessories\desktop.ini
2009-01-10 16:16 234 --ahs---- c:\documents and settings\You!\Start Menu\Programs\desktop.ini
2009-01-10 16:16 197 --a------ c:\documents and settings\You!\Favorites\Radio Station Guide.url
2009-01-10 16:16 182 --ahs---- c:\documents and settings\You!\My Documents\My Pictures\Desktop.ini
2009-01-10 16:16 180 --ahs---- c:\documents and settings\You!\My Documents\My Music\Desktop.ini
2009-01-10 16:16 169 --a------ c:\documents and settings\You!\Favorites\Links\Windows Marketplace.url
2009-01-10 16:16 150 --ahs---- c:\documents and settings\You!\Recent\Desktop.ini
2009-01-10 16:16 122 --ahs---- c:\documents and settings\You!\Favorites\Desktop.ini
2009-01-10 16:16 119 --ahs---- c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2009-01-10 16:16 119 --a------ c:\documents and settings\You!\Favorites\MSN.com.url
2009-01-10 16:16 119 --a------ c:\documents and settings\You!\Favorites\Links\Customize Links.url
2009-01-10 16:16 118 --a------ c:\documents and settings\You!\Favorites\Links\Windows Media.url
2009-01-10 16:16 113 --a------ c:\documents and settings\You!\Favorites\Links\Windows.url
2009-01-10 16:16 113 --a------ c:\documents and settings\You!\Favorites\Links\Free Hotmail.url
2009-01-10 16:16 113 ---hs---- c:\documents and settings\You!\Local Settings\History\desktop.ini
2009-01-10 16:16 10272 --a------ c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\brndlog.txt
2009-01-10 16:16 0 --a------ c:\documents and settings\You!\SendTo\My Documents.mydocs
2008-08-28 20:02 7139 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\bookmarks.html
2008-08-28 20:02 663 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\chrome\userContent-example.css
2008-08-28 20:02 1078 --a------ c:\documents and settings\You!\Application Data\Mozilla\Firefox\Profiles\n060jbq7.default\chrome\userChrome-example.css
2008-05-09 10:03 62 --ahs---- c:\documents and settings\You!\Start Menu\desktop.ini
2008-05-09 10:03 62 --ahs---- c:\documents and settings\You!\Application Data\desktop.ini
2008-05-09 07:24 113 --ahs---- c:\documents and settings\You!\Local Settings\History\History.IE5\desktop.ini
2008-05-09 07:22 84 --ahs---- c:\documents and settings\You!\Start Menu\Programs\Startup\desktop.ini
2008-05-09 07:22 84 --ahs---- c:\documents and settings\You!\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2008-05-09 07:22 498 --a------ c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2008-05-09 07:22 386 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2008-05-09 07:22 348 --ahs---- c:\documents and settings\You!\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2008-05-09 07:22 181 --ahs---- c:\documents and settings\You!\SendTo\desktop.ini
2008-05-09 07:22 1599 --a------ c:\documents and settings\You!\Start Menu\Programs\Remote Assistance.lnk
2008-05-09 07:22 1555 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Command Prompt.lnk
2008-05-09 07:22 1539 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2008-05-09 07:22 1532 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2008-05-09 07:22 1527 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2008-05-09 07:22 1525 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2008-05-09 07:22 1519 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Synchronize.lnk
2008-05-09 07:22 1519 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Notepad.lnk
2008-05-09 07:22 1501 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2008-05-09 07:22 141 --a------ c:\documents and settings\You!\Application Data\Microsoft\Internet Explorer\brndlog.bak
2008-05-09 07:22 12784 --a------ c:\documents and settings\You!\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2008-05-09 07:22 0 --a------ c:\documents and settings\You!\SendTo\Mail Recipient.MAPIMail
2008-05-09 07:22 0 --a------ c:\documents and settings\You!\SendTo\Desktop (create shortcut).DeskLink
2008-05-09 07:22 0 --a------ c:\documents and settings\You!\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2008-05-09 07:21 1487 --a------ c:\documents and settings\You!\Start Menu\Programs\Accessories\Windows Explorer.lnk
2006-02-28 04:00 58 --a------ c:\documents and settings\You!\Templates\sndrec.wav
2006-02-28 04:00 57 -ra------ c:\documents and settings\You!\Templates\wordpfct.wpg
2006-02-28 04:00 5632 --a------ c:\documents and settings\You!\Templates\excel.xls
2006-02-28 04:00 461 --a------ c:\documents and settings\You!\Templates\presenta.shw
2006-02-28 04:00 4608 --a------ c:\documents and settings\You!\Templates\winword.doc
2006-02-28 04:00 4570 --a------ c:\documents and settings\You!\Templates\amipro.sam
2006-02-28 04:00 4017 --a------ c:\documents and settings\You!\Templates\quattro.wb2
2006-02-28 04:00 30 -ra------ c:\documents and settings\You!\Templates\wordpfct.wpd
2006-02-28 04:00 2448 --a------ c:\documents and settings\You!\Templates\lotus.wk4
2006-02-28 04:00 1769 --a------ c:\documents and settings\You!\Templates\winword2.doc
2006-02-28 04:00 1518 --a------ c:\documents and settings\You!\Templates\excel4.xls
2006-02-28 04:00 12288 --a------ c:\documents and settings\You!\Templates\powerpnt.ppt


((((((((((((((((((((((((((((( snapshot@2009-01-15_11.05.34.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-01-16 19:10:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2008-01-03 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m|\ [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2006-02-28 04:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 11:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 13:52 331830 c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-02 14:46 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 20:23 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\utorrent]
--a------ 2008-10-07 22:33 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 16:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-01-03 14:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-19 02:14 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! web scanner"=3 (0x3)
"avast! mail scanner"=3 (0x3)
"avast! antivirus"=2 (0x2)
"aswupdsv"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\exurar\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090115.001\IDSxpx86.sys [2009-01-15 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-07-20 12032]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-14 24652]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-21 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\autorun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\mfcir6dv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fugue.com/pics/goodnews.html
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 11:10:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\de8a1d5]
"ImagePath"="\SystemRoot\System32\drivers\de8a1d5.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\158e67e5edd92c78c30c06dd18cea563\update\update.exe
.
**************************************************************************
.
Completion time: 2009-01-16 11:13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 19:13:47
ComboFix2.txt 2009-01-15 19:07:54

Pre-Run: 360,319,897,600 bytes free
Post-Run: 360,165,064,704 bytes free

564 --- E O F --- 2008-11-12 11:01:35

Edited by paul918, 17 January 2009 - 12:50 PM.


#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:25 AM

Posted 17 January 2009 - 01:58 PM

Hello Paul,

I'd like you to download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and make sure the Show all box is unchecked.
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post the contents in your next reply.
Then, please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the Kaspersky report and the Gmer log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 paul918

paul918
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 18 January 2009 - 02:31 AM

Kaspersky and GMER reports follow.

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 18, 2009 00:40:47
Records in database: 1639202
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
G:\
Scan statistics
Files scanned 443965
Threat name 7
Infected objects 9
Suspicious objects 0
Duration of the scan 03:34:05

File name Threat name Threats count
C:\Documents and Settings\Paul\My Documents\new folder\neue leben\Death Cab For Cutie - Narrow Stairs\03 No Sunlight.mp3 Infected: Trojan-Downloader.WMA.GetCodec.i 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\de8a1d5.sys.vir Infected: Rootkit.Win32.Agent.evf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_de8a1d5_.sys.zip Infected: Rootkit.Win32.Agent.evf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcload.exe.vir Infected: Trojan-Downloader.Win32.Agent.bcst 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaudacdegn.dll.vir Infected: Trojan-Downloader.Win32.Agent.bdqo 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-16@11.06.zip Infected: Rootkit.Win32.Agent.evf 1
G:\Documents and Settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-30c8b9da.zip Infected: Exploit.Java.Gimsh.a 1
G:\Documents and Settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-3571517f.zip Infected: Exploit.Java.Gimsh.b 1
The selected area was scanned.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 18:11:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 8AAAD130 ZwAlertResumeThread
SSDT 8AB75130 ZwAlertThread
SSDT 8AE08A20 ZwAllocateVirtualMemory
SSDT 8AC6D110 ZwAssignProcessToJobObject
SSDT 8ADBB508 ZwConnectPort
SSDT \SystemRoot\System32\drivers\de8a1d5.sys ZwCreateEvent [0xB637FC3F] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\de8a1d5.sys ZwCreateKey [0xB637DE05] <-- ROOTKIT !!!
SSDT 8AE8E9A0 ZwCreateMutant
SSDT 8AC3BA78 ZwCreateSymbolicLinkObject
SSDT 8AB9C130 ZwCreateThread
SSDT 8AB5D110 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB65802A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6580800]
SSDT 8AE08CF8 ZwDuplicateObject
SSDT 8AC32A70 ZwFreeVirtualMemory
SSDT 8AAD0110 ZwImpersonateAnonymousToken
SSDT 8AF0BB78 ZwImpersonateThread
SSDT 8ACAE0B0 ZwLoadDriver
SSDT 8AC80740 ZwMapViewOfSection
SSDT 8AB3F110 ZwOpenEvent
SSDT \SystemRoot\System32\drivers\de8a1d5.sys ZwOpenKey [0xB637DEB9] <-- ROOTKIT !!!
SSDT 8AB38500 ZwOpenProcess
SSDT 8AC81118 ZwOpenProcessToken
SSDT 8AB4D110 ZwOpenSection
SSDT 8AB38370 ZwOpenThread
SSDT 8AA97C40 ZwProtectVirtualMemory
SSDT 8AD33CD8 ZwResumeThread
SSDT 8AC78110 ZwSetContextThread
SSDT 8AD49F80 ZwSetInformationProcess
SSDT 8AB49110 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6580A50]
SSDT 8AC65110 ZwSuspendProcess
SSDT 8AAB2110 ZwSuspendThread
SSDT 8AAC4130 ZwTerminateProcess
SSDT 8AC7F120 ZwTerminateThread
SSDT 8AC31E98 ZwUnmapViewOfSection
SSDT 8AC32EC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C0A 805044A6 2 Bytes [ E0, 8A ]
? SYMEFA.SYS The system cannot find the file specified. !
? System32\drivers\de8a1d5.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip de8a1d5.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp de8a1d5.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp de8a1d5.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp de8a1d5.sys

Device \Driver\SYMTDI \Device\SymTDI de8a1d5.sys

---- Services - GMER 1.0.14 ----

Service System32\drivers\de8a1d5.sys (*** hidden *** ) [SYSTEM] de8a1d5 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\de8a1d5@ImagePath \SystemRoot\System32\drivers\de8a1d5.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\de8a1d5@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\de8a1d5@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\de8a1d5@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\de8a1d5@ImagePath \SystemRoot\System32\drivers\de8a1d5.sys
Reg HKLM\SYSTEM\ControlSet003\Services\de8a1d5@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\de8a1d5@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\de8a1d5@ErrorControl 1

---- EOF - GMER 1.0.14 ----
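
As an added example (not code from GMER or from anyone in this thread), the following Python script triages a GMER log like the one above: it flags SSDT hooks and TDI device attachments by drivers outside an allow-list, in-place kernel code patches, and hidden services, which are the four signs the log shows for de8a1d5.sys. The allow-list of Symantec drivers and the excerpt of the posted log used as sample input are assumptions.

```python
"""Triage a GMER 'ark.txt' rootkit-scan log: flag SSDT hooks and TDI device
attachments by drivers outside an allow-list, in-place kernel code patches
and hidden services (added example; not GMER's code nor from the thread)."""
import re
from collections import defaultdict

# Assumption: the Symantec drivers named in the posted log are legitimate
# on this host. Extend the allow-list per machine; anything else is flagged.
KNOWN_GOOD = {"symevent.sys", "symtdi.sys", "symefa.sys"}

# "SSDT <module-or-address> [(description)] <ZwFunction> [[0xADDR]] ..."
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\([^)]*\))?\s+(?P<func>Zw\w+)")
# ".text ntkrnlpa.exe!ZwCallbackReturn + 2C0A ..." = kernel code modified in place
PATCH_RE = re.compile(r"^\.text\s+(?P<image>\S+!\w+)")
# "AttachedDevice \Driver\Tcpip \Device\Ip de8a1d5.sys" or "Device ..."
DEVICE_RE = re.compile(r"^(?:AttachedDevice|Device)\s+\S+\s+(?P<device>\S+)\s+(?P<module>\S+)")
# "Service System32\drivers\x.sys (*** hidden *** ) ..." = hidden from the SCM
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def basename(path):
    """Lower-case file name from an NT path such as \\SystemRoot\\System32\\x.sys."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_gmer(log_text):
    """Parse one GMER log and return findings keyed by driver file name."""
    suspicious = defaultdict(lambda: {"ssdt": [], "devices": [], "hidden_service": False})
    known_good = defaultdict(list)
    findings = {"unattributed_hooks": [], "kernel_patches": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            module, func = m.group("module"), m.group("func")
            if HEX_ADDR_RE.match(module):
                # GMER printed only a kernel address: the handler lies outside
                # every loaded driver image, so no file on disk vouches for it.
                findings["unattributed_hooks"].append(func)
            elif basename(module) in KNOWN_GOOD:
                known_good[basename(module)].append(func)
            else:
                suspicious[basename(module)]["ssdt"].append(func)
        elif m := PATCH_RE.match(line):
            findings["kernel_patches"].append(m.group("image"))
        elif m := DEVICE_RE.match(line):
            name = basename(m.group("module"))
            if name not in KNOWN_GOOD:
                suspicious[name]["devices"].append(m.group("device"))
        elif m := SERVICE_RE.match(line):
            suspicious[basename(m.group("path"))]["hidden_service"] = True
    findings["suspicious"] = dict(suspicious)
    findings["known_good"] = dict(known_good)
    return findings


def summarize(findings):
    """One human-readable line per finding, suspect drivers first."""
    out = []
    for name, info in findings["suspicious"].items():
        parts = []
        if info["ssdt"]:
            parts.append("hooks SSDT " + ", ".join(info["ssdt"]))
        if info["devices"]:
            parts.append("attached to " + ", ".join(info["devices"]))
        if info["hidden_service"]:
            parts.append("runs as a hidden service")
        out.append(f"SUSPECT  {name}: " + "; ".join(parts))
    for image in findings["kernel_patches"]:
        out.append(f"PATCHED  {image}: kernel code modified in place")
    if findings["unattributed_hooks"]:
        n = len(findings["unattributed_hooks"])
        out.append(f"REVIEW   {n} SSDT hook(s) with no module attribution")
    for name, funcs in findings["known_good"].items():
        out.append(f"EXPECTED {name}: " + ", ".join(funcs))
    return out


# Excerpt of the GMER log posted above (assumption: lines copied verbatim).
SAMPLE_LOG = r"""
SSDT 8AAAD130 ZwAlertResumeThread
SSDT \SystemRoot\System32\drivers\de8a1d5.sys ZwCreateEvent [0xB637FC3F] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB65802A0]
SSDT \SystemRoot\System32\drivers\de8a1d5.sys ZwOpenKey [0xB637DEB9] <-- ROOTKIT !!!
.text ntkrnlpa.exe!ZwCallbackReturn + 2C0A 805044A6 2 Bytes [ E0, 8A ]
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip de8a1d5.sys
Device \Driver\SYMTDI \Device\SymTDI de8a1d5.sys
Service System32\drivers\de8a1d5.sys (*** hidden *** ) [SYSTEM] de8a1d5 <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    for row in summarize(triage_gmer(SAMPLE_LOG)):
        print(row)
```

Running it on the excerpt yields one SUSPECT line for de8a1d5.sys, one PATCHED line for ntkrnlpa.exe, a REVIEW line for the address-only hook and an EXPECTED line for SYMEVENT.SYS.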

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:25 AM

Posted 18 January 2009 - 06:31 AM

Hello Paul,

Let's see if we can get rid of that remaining rootkit :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
KillAll::
Collect::
c:\windows\system32\drivers\de8a1d5.sys
Rootkit::
c:\windows\system32\drivers\de8a1d5.sys
File::
C:\Documents and Settings\Paul\My Documents\new folder\neue leben\Death Cab For Cutie - Narrow Stairs\03 No Sunlight.mp3
G:\Documents and Settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-30c8b9da.zip
G:\Documents and Settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-3571517f.zip
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\de8a1d5]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens a browser window) and clicking OK to start the upload.

Are you still having problems ?

Greetings,
Thunder

#10 paul918

paul918
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 18 January 2009 - 02:23 PM

ComboFix report follows. There seems to be no problem with the browser anymore, so I'm cautiously optimistic, but I'd still like to run a Norton full scan if this ComboFix report seems okay.

Also, what's the best way to prevent getting rootkits like de8a1d5 in the future?

ComboFix 09-01-17.04 - Paul 2009-01-18 10:48:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2915 [GMT -8:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\Paul\My Documents\new folder\neue leben\Death Cab For Cutie - Narrow Stairs\03 No Sunlight.mp3
g:\documents and settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-30c8b9da.zip
g:\documents and settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-3571517f.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\de8a1d5.sys
g:\documents and settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-30c8b9da.zip
g:\documents and settings\Admin Paul\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-3571517f.zip

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 03:01 . 2009-01-17 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-17 03:01 . 2009-01-17 03:01 127 --a------ c:\windows\system32\MRT.INI
2009-01-16 11:42 . 2009-01-16 11:42 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 11:42 . 2009-01-16 11:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-14 22:19 . 2009-01-14 22:19 <DIR> d-------- c:\program files\Apex Fitness
2009-01-14 18:45 . 2009-01-17 17:21 250 --a------ c:\windows\gmer.ini
2009-01-10 16:15 . 2009-01-10 16:15 <DIR> d-------- c:\documents and settings\You!
2009-01-09 20:48 . 2009-01-09 20:48 <DIR> dr------- c:\program files\Norton Support
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Karin\Application Data\IsolatedStorage
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\program files\ljArchive
2009-01-06 08:05 . 2009-01-06 08:05 <DIR> d-------- c:\documents and settings\Paul\Application Data\IsolatedStorage
2008-12-25 01:55 . 2008-12-25 01:59 <DIR> d-------- c:\documents and settings\Paul\Application Data\U3
2008-12-19 13:35 . 2008-12-19 13:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-12-19 13:30 . 2008-12-19 13:33 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-12-19 13:28 . 2008-12-19 13:28 <DIR> d-------- c:\program files\TeXnicCenter
2008-12-19 13:28 . 2008-08-02 11:58 82,432 --a------ c:\windows\system32\msxml4r.dll
2008-12-19 13:28 . 2008-08-02 11:58 44,544 --a------ c:\windows\system32\msxml4a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 19:42 --------- d-----w c:\program files\Java
2009-01-15 06:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 02:34 --------- d-----w c:\documents and settings\Paul\Application Data\uTorrent
2008-12-31 20:45 3,532 ----a-w C:\drmHeader.bin
2008-12-21 00:34 --------- d-----w c:\documents and settings\Paul\Application Data\GetRight
2008-12-17 00:21 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-05 10:02 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-11-23 17:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 21:11 --------- d-----w c:\program files\iTunes
2008-11-22 21:11 --------- d-----w c:\program files\iPod
2008-11-22 21:11 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 21:07 --------- d-----w c:\program files\QuickTime
2008-11-22 18:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-22 18:41 --------- d-----w c:\documents and settings\Paul\Application Data\Malwarebytes
2008-11-22 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-22 18:34 --------- d-----w c:\program files\ERUNT
2008-11-22 16:25 --------- d-----w c:\program files\AIM6
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-22 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-21 08:44 --------- d-----w c:\program files\Spyware Doctor
2008-11-21 08:23 --------- d-----w c:\documents and settings\Paul\Application Data\PC Tools
2008-11-19 07:54 --------- d-----w c:\program files\NCH Swift Sound
2008-11-19 07:53 --------- d-----w c:\documents and settings\Paul\Application Data\NCH Swift Sound
2008-11-19 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-19 00:38 --------- d-----w c:\program files\Lavasoft
2008-11-19 00:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 03:53 --------- d-----w c:\program files\Alwil Software
2008-11-03 23:34 94,912 ----a-w c:\windows\bmfirmwareapex4.dll
2008-11-03 23:34 78,528 ----a-w c:\windows\bmcommapex4.dll
2008-11-03 23:34 2,671,296 ----a-w c:\windows\bmusbapex4.dll
2008-11-03 23:34 160,448 ----a-w c:\windows\bmupgradeapex24.dll
2008-11-03 23:34 156,352 ----a-w c:\windows\bmupgradeapex25.dll
2008-11-03 23:34 123,584 ----a-w c:\windows\bmserialapex25.dll
2008-11-03 23:34 119,488 ----a-w c:\windows\bmserialapex24.dll
2008-11-03 23:32 147,456 ----a-w c:\windows\bmapex.dll
2008-11-03 23:32 135,168 ----a-w c:\windows\bmupgradeapex.dll
2008-11-03 23:08 62,144 ----a-w c:\windows\bmversionapex.dll
2008-11-02 04:38 678,746 ----a-w c:\windows\unins000.exe
2008-09-11 22:30 55,976 ----a-w c:\documents and settings\Paul\Application Data\GDIPFONTCACHEV1.DAT
2008-05-25 20:40 22,328 ----a-w c:\documents and settings\Paul\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_11.05.34.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-01-17 11:01:50 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2008-10-23 12:36:14 286,720 -c----w c:\windows\system32\dllcache\gdi32.dll
- 2006-10-19 03:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:30:53 3,067,904 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:30:51 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-04-14 00:12:07 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:30:52 619,520 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 01:00:11 619,520 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30:51 666,112 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 01:00:11 666,112 -c----w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 04:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-04-14 00:11:54 285,184 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\system32\gdi32.dll
- 2008-06-10 08:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-16 19:42:38 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 08:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-16 19:42:38 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 09:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-16 19:42:38 148,888 ----a-w c:\windows\system32\javaws.exe
- 2006-10-19 03:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:30:53 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-02 19:58:58 1,233,920 ----a-w c:\windows\system32\msxml4.dll
+ 2008-10-01 00:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2008-08-20 05:30:51 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-07-08 13:02:01 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:07 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 00:12:38 60,416 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-20 05:30:52 619,520 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:30:51 666,112 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 04:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2009-01-18 18:52:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_25c.dat
+ 2009-01-18 18:53:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_278.dat
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2008-01-03 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m|\ [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2006-02-28 04:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 11:01 1037736 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 13:52 331830 c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-02 14:46 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2006-02-28 04:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 20:23 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\utorrent]
--a------ 2008-10-07 22:33 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 16:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-01-03 14:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-19 02:14 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! web scanner"=3 (0x3)
"avast! mail scanner"=3 (0x3)
"avast! antivirus"=2 (0x2)
"aswupdsv"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\exurar\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090115.001\IDSxpx86.sys [2009-01-15 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-07-20 12032]
R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-14 24652]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-21 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\autorun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://bodybugg.com/login.php
mStart Page = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\mfcir6dv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.fugue.com/pics/goodnews.html
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 10:53:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-18 10:56:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 18:56:07
ComboFix2.txt 2009-01-16 19:13:51
ComboFix3.txt 2009-01-15 19:07:54

Pre-Run: 359,175,639,040 bytes free
Post-Run: 359,288,750,080 bytes free

303 --- E O F --- 2009-01-17 11:03:09
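
The log above records the settings a helper reads first: the Security Center notification flags, the firewall "EnableFirewall" policy, the firewall AuthorizedApplications list and the removable-drive autorun command under mountpoints2. Below is an added example, not part of this thread and not ComboFix's own code, that parses those bracketed sections of a ComboFix-style log and reports the weakened settings; the SAMPLE_LOG inside it is a constructed excerpt modelled on the values in the posted log, and the list of "expected" program locations is an assumption chosen for illustration.

```python
"""Audit a ComboFix-style log excerpt for weakened security settings.

Added example, not part of the original post and not ComboFix's own code.
It parses the bracketed registry dumps ComboFix prints (Security Center
notification flags, the Windows Firewall standard-profile policy, its
AuthorizedApplications list and the mountpoints2 autorun commands) and
returns findings.  SAMPLE_LOG is a constructed excerpt modelled on the
posted log.
"""
import re
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")             # [HKLM\...\section]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name"=value

# Assumption for illustration: where a firewall exception is normally expected to point.
EXPECTED_PREFIXES = ("%windir%", "c:\\windows\\", "c:\\program files\\")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the most recent '[...]' header (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def int_value(value: str) -> Optional[int]:
    """Normalise ComboFix value renderings: 'dword:00000001' -> 1, '0 (0x0)' -> 0."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def get_int(sections: Dict[str, List[str]], key_suffix: str, name: str) -> Optional[int]:
    """Integer value of `name` in the first section whose key ends with key_suffix."""
    for key, lines in sections.items():
        if not key.endswith(key_suffix.lower()):
            continue
        for line in lines:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() == name.lower():
                return int_value(m.group(2))
    return None


def audit(text: str) -> List[str]:
    """Return human-readable findings for settings that malware commonly tampers with."""
    sections = parse_sections(text)
    findings: List[str] = []

    if get_int(sections, r"firewallpolicy\standardprofile", "EnableFirewall") == 0:
        findings.append("Windows Firewall is disabled for the standard profile")

    for flag in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if get_int(sections, "security center", flag) == 1:
            findings.append(f"Security Center warning suppressed: {flag}=1")

    for key, lines in sections.items():
        if key.endswith(r"authorizedapplications\list"):
            for line in lines:
                m = VALUE_RE.match(line)
                if not m:
                    continue
                path = m.group(1).replace("\\\\", "\\")  # ComboFix doubles backslashes here
                if not path.lower().startswith(EXPECTED_PREFIXES):
                    findings.append(f"Firewall exception outside the usual locations: {path}")
        elif "mountpoints2" in key:
            drive = key.rsplit("\\", 1)[-1].upper()
            for line in lines:
                if r"\shell\autorun\command" in line.lower():
                    cmd = line.split(" - ", 1)[-1]
                    findings.append(f"Autorun command recorded for drive {drive}: {cmd}")
    return findings


# Constructed excerpt modelled on the posted log (not the log itself).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Python25\\pythonw.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\autorun\command - E:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("-", finding)
```

The firewall flag and the two Security Center "DisableNotify" values are worth a second look even after a clean scan, because they are exactly the settings that leave a user unwarned when protection has been switched off; the autorun entry is a record of a U3 drive having been plugged in, not an infection by itself, but it is the kind of line worth knowing how to read.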

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:25 AM

Posted 18 January 2009 - 05:48 PM

Hello Paul,

It looks like we got it; your log is clean. :thumbsup:

Unfortunately, ComboFix didn't upload any file, so it's probably still in the C:\Qoobox\Quarantine folder.
Could you upload it please? Either using the CF-Submit.htm file or by direct upload to:
http://www.bleepingcomputer.com/submit-malware.php?channel=9

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Preventing a rootkit infection is difficult.
It can either be packed in a music download or a video codec, or come as a side-effect of a script execution in a drive-by infection.
The main thing is to keep your security software up to date and be careful what you visit, download and open. :)

No more issues?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...



