
Infected with TR/Agent.blmw and TR/Crypt.XPACK.Gen


  • This topic is locked
22 replies to this topic

#1 Yps

Yps

  • Members
  • 40 posts
  • Gender:Female
  • Location:India
  • Local time:01:01 PM

Posted 02 February 2009 - 02:16 AM

Hi,
My machine is infected and, as per your instructions, I tried DDS.SCR, but it is giving some garbage in the output text file, hence I have attached the latest HJT.
Regards!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:59 PM, on 02/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Nokia\PCSUIT~1\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\ups.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Speed+\Client\ventc.exe
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Sync ML Desktop Server\SyncController.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUNGIL TELECOM\TATA Indicom Dialer\TATA Indicom Dialer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Nokia Device Manager.lnk = C:\Program Files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://pcmail.lntenc.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.10.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.10.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9191 bytes



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:03:31 AM

Posted 15 February 2009 - 09:39 AM

Hello Yps

Welcome to BleepingComputer :thumbup2:
========================
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
========
Then try dds again.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 Yps

Yps
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Female
  • Location:India
  • Local time:01:01 PM

Posted 16 February 2009 - 01:47 AM

Dear Kahdah,
Thanks for your reply. Before I try what you have advised, I would like to mention that I am not getting those virus pop-ups and something new has come up. I have posted my HJT under the Trojan forum.

Problem with C:\WINDOWS\file.bat - BAT/FWDisable.MU and TR/Proxy.Small.VO.1

Here is today's HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:56 AM, on 16/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Speed+\Client\ventc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\msauc.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\PROGRA~1\Nokia\PCSUIT~1\CONNEC~1\CONNMN~1.EXE
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Sync ML Desktop Server\SyncController.exe
C:\Program Files\SUNGIL TELECOM\TATA Indicom Dialer\TATA Indicom Dialer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Nokia Device Manager.lnk = C:\Program Files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://pcmail.lntenc.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.10.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.10.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Speed+\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9123 bytes

Regards,
Yps
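As an added example (not from this thread, and not part of HijackThis, DDS or any other tool the poster ran), a small Python triage script for the `O4 - HKxx\..\Run` entries in a HijackThis log like the one above: it parses each autorun and flags entries that borrow a core Windows process name while launching from outside System32, or that launch an unrelated image under a system-sounding value name, which is the pattern of the `[services]` and `[lsass driver]` lines. The sample log is constructed from lines quoted in this thread; the heuristics are the example's own assumptions and produce prompts for review, not verdicts.

```python
"""Triage of HijackThis 'O4 - HKxx\\..\\Run' entries: flag autoruns that imitate
core Windows processes or launch from unusual locations.  The rules below are
assumed heuristics (not from any tool on this page); each hit is a prompt for
review, not a verdict (VX1000 in the sample is a legitimate webcam helper)."""
import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Core Windows process names that malware commonly borrows.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "svchost.exe"}
SYSTEM_STEMS = {b.rsplit(".", 1)[0] for b in SYSTEM_BINARIES}
# Where those binaries legitimately live on Windows XP (lower-case, trailing '\').
SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    path: str                       # image the command launches
    reasons: list = field(default_factory=list)


def executable_path(command: str) -> str:
    """Image launched by a Run value: the quoted token if the command starts with
    a quote, otherwise the first whitespace-delimited token (e.g. RUNDLL32.EXE)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_o4(line: str):
    """RunEntry for an 'O4 - HKxx\\..\\Run' line, else None (Startup-folder O4
    lines and all other HJT sections are skipped)."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    return RunEntry(m["hive"], m["name"], m["cmd"], executable_path(m["cmd"]))


def assess(entry: RunEntry) -> list:
    """Attach review reasons to the entry; an empty list means nothing stood out."""
    path = entry.path.lower()
    base = path.rsplit("\\", 1)[-1]
    parent = path[: len(path) - len(base)]      # '' when resolved via PATH
    stem = base.rsplit(".", 1)[0]
    name = entry.name.lower()
    # 1. A core process name launched from anywhere but System32.
    if base in SYSTEM_BINARIES and parent != SYSTEM32:
        entry.reasons.append(
            f"{base} launched from {parent or '(PATH lookup)'} instead of System32")
    # 2. Value name borrows a system component name but launches a different image.
    if any(s in name for s in SYSTEM_STEMS) and stem not in name:
        entry.reasons.append(f"value name imitates a system component but runs {base}")
    # 3. Image dropped directly in the Windows directory (unusual for applications).
    if parent == WINDIR:
        entry.reasons.append("image sits directly in the Windows directory")
    return entry.reasons


def triage(log_text: str) -> list:
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e is not None]
    for e in entries:
        assess(e)
    return entries


def flagged(log_text: str) -> list:
    """(value name, image path, reasons) for every entry with at least one reason."""
    return [(e.name, e.path, e.reasons) for e in triage(log_text) if e.reasons]


# Constructed sample: O4 lines quoted from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
"""

if __name__ == "__main__":
    for name, path, reasons in flagged(SAMPLE_LOG):
        print(f"[{name}] {path}")
        for r in reasons:
            print("    -", r)
```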

#4 Yps

Yps
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Female
  • Location:India
  • Local time:01:01 PM

Posted 16 February 2009 - 01:57 AM

The DAFT link is not working. It returns Page Not Available or Found.
Regards,
Yps

#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:03:31 AM

Posted 16 February 2009 - 07:37 AM

Ok, save the zip folder to your desktop, then extract it, open it, and double-click on daft.exe to run it.


After that try dds again.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#6 Yps

Yps
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Female
  • Location:India
  • Local time:01:01 PM

Posted 16 February 2009 - 08:19 AM

Hi,
I will run DAFT and try DDS again.

I ran Kaspersky online scan this afternoon and here is the report, in case you find it useful.

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 16, 2009 09:51:08
Records in database: 1802839


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
L:\

Scan statistics
Files scanned 138714
Threat name 11
Infected objects 26
Suspicious objects 0
Duration of the scan 03:03:17

File name Threat name Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

services.exe\services.exe/services.exe\services.exe Infected: Backdoor.Win32.Agent.srx 1

C:\Documents and Settings\User\Local Settings\Temp\ie3.tmp Infected: Packed.Win32.Krap.i 1

C:\Documents and Settings\User\Local Settings\Temp\ieE.tmp Infected: Packed.Win32.Krap.i 1

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\WINDOWS\services.exe Infected: Trojan.Win32.Agent.bqld 1

C:\WINDOWS\system32\userinit.exe Infected: Trojan-Downloader.Win32.Agent.bhmh 1

D:\Backup-taken-Ext-HDD-2080828\Ipbleepa\Misc_Fwds\Various\SoftwareInstall.exe Infected: not-a-virus:AdWare.Win32.180Solutions.b 1

E:\D backup\My Download Files\getrt42c.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 5

E:\D backup\My Download Files\patch_getright_42x_to_43.exe Infected: not-a-virus:AdWare.Win32.TimeSinc 1

E:\Neel_HDFCSEC\Cement\Cement\ISEC_C Result Press Release\Pers\ISEC\backup.pst Infected: Hoax.Win32.BadJoke.Small.a 1

E:\Neel_ISEC\CD1\Personal Folders(1).pst Infected: Hoax.Win32.BadJoke.Small.a 1

E:\Neel_ISEC\CD2\Pers\ISEC\backup.pst Infected: Hoax.Win32.BadJoke.Small.a 1

F:\Software\Cdvd.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1

F:\Software\Cdvd.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

F:\Software\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.


Rgds!

#7 Yps

Yps
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Female
  • Location:India
  • Local time:01:01 PM

Posted 16 February 2009 - 08:29 AM

Dear Kahdah,
Here is the DDS log and I have attached the Attach log file.
Thanks for your time and patience.
Best regards,
Yps

---------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 18:53:03.90 on 16/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.525 [GMT 5.5:30]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\Program Files\Speed+\Client\ventc.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Speed+\squid\ventcsquid.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\Program Files\Speed+\squid\ventcdnsserver.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\msauc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Speed+\squid\ventcunlinkd.exe
C:\PROGRA~1\Nokia\PCSUIT~1\CONNEC~1\CONNMN~1.EXE
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\Nokia\PC Suite for the Nokia 6708\Sync ML Desktop Server\SyncController.exe
C:\Program Files\SUNGIL TELECOM\TATA Indicom Dialer\TATA Indicom Dialer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: DAP Bar: {62999427-33fc-4baf-9c9c-bce6bd127f08} - c:\program files\dap\DAPIEBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [lsass driver] c:\windows\msauc.exe
mRun: [services] c:\windows\services.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.1\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\nokiad~1.lnk - c:\program files\nokia\pc suite for the nokia 6708\device manager\audevicemgr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210
IE: {669695BC-A811-4A9D-8CDF-BA8C795F261C} - c:\progra~1\dap\DAP.EXE
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://pcmail.lntenc.com/dwa7W.cab
TCP: {7EE20FD1-2AA3-4386-9DC2-00F0344059AC} = 202.54.29.5 202.54.10.2
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ax3abblf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\siteadvisor\6253\ff\components\FFHook.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.19
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-2-13 11840]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-2-13 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-2-13 151297]
R2 VenturiClient;Venturi Client;c:\program files\speed+\client\VentC.exe [2007-10-23 2475360]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-2-13 52032]
R3 komiceb;Nokia 6708 Cable Emulation Bus (WDM);c:\windows\system32\drivers\komiceb.sys [2007-11-13 41792]
R3 sit_bus;SIT_1x_usbmodem Device;c:\windows\system32\drivers\sit_bus.sys [2007-4-17 22144]
R3 sit_flt;SUNGIL USB Filter Service;c:\windows\system32\drivers\sit_flt.sys [2007-4-18 4352]
R3 sit_mdm;SIT_1x_usbmodem ;c:\windows\system32\drivers\sit_mdm.sys [2007-4-17 39680]
R3 sit_prt;SIT_1x_usbmodem Port;c:\windows\system32\drivers\sit_prt.sys [2007-4-17 38656]
R3 vwinter;Venturi Wireless Intercepter;c:\windows\system32\drivers\vwinter.sys [2007-10-23 47392]
R3 vwredir;Venturi Wireless Redirector;c:\windows\system32\drivers\vwredir.sys [2007-10-23 85792]
S3 komibus;Nokia 6708 Composite Device driver (WDM);c:\windows\system32\drivers\komibus.sys [2007-11-13 52384]
S3 komimdfl;Nokia 6708 VSC Modem (WDM) (Filter);c:\windows\system32\drivers\komimdfl.sys [2007-11-13 6000]
S3 komimdmc;Nokia 6708 mRouter Port (WDM);c:\windows\system32\drivers\komimdmc.sys [2007-11-13 85184]
S3 komisce;Nokia 6708 VSC Modem (WDM);c:\windows\system32\drivers\komisce.sys [2007-11-13 68112]

=============== Created Last 30 ================

2009-02-15 00:08 81,921 a------- c:\windows\system32\wpv461234083698.cpx
2009-02-15 00:08 81,921 a------- c:\windows\msauc.exe
2009-02-14 23:53 41,472 a------- c:\windows\services.exe
2009-02-14 23:51 22,016 a------- c:\documents and settings\user\svchost.exe
2009-02-14 23:51 24,576 a------- c:\windows\system32\stus.exe
2009-02-02 12:43 <DIR> --d----- C:\HijackThis
2009-01-31 13:23 12 a------- c:\windows\system32\shell31.dll
2009-01-30 19:57 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-30 19:57 1,409 a------- c:\windows\QTFont.for
2009-01-30 13:18 71,984 a---h--- c:\windows\system32\mlfcache.dat
2009-01-30 12:59 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-01-24 13:40 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2009-01-24 13:40 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2009-01-19 15:45 <DIR> --d----- C:\videooutput
2009-01-19 15:45 383,238 a------- c:\windows\system32\libmp3lame-0.dll
2009-01-19 15:45 3,086,336 a------- c:\windows\system32\NCMedia.dll
2009-01-19 15:45 3,086,336 a------- c:\windows\system32\flvvideo.dll
2009-01-19 15:45 <DIR> --d----- c:\program files\Smallvideosoft
2009-01-17 20:51 <DIR> --d----- c:\program files\MindFusion Limited

==================== Find3M ====================

2009-02-14 23:51 22,528 a------- c:\windows\system32\userinit.exe
2009-01-06 04:03 3,751,995 a------- c:\windows\system32\GPhotos.scr
2007-04-12 20:00 808 ac------ c:\program files\INSTALL.LOG

============= FINISH: 18:53:22.84 ===============


#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 February 2009 - 08:39 AM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#9 Yps

Yps
  • Topic Starter
  • Members
  • 40 posts
  • Gender:Female
  • Location:India

Posted 16 February 2009 - 09:03 AM

Dear Kahdah,
Here is the Combofix Log.

ComboFix 09-02-15.01 - User 2009-02-16 19:27:49.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.497 [GMT 5.5:30]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\svchost.exe
c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\msauc.exe
c:\windows\services.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\shell31.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wpv461234083698.cpx
c:\windows\system32\WS2Fix.exe
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://supertvist.com
.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-14 23:51 . 2004-08-04 00:56 24,576 --a------ c:\windows\system32\stus.exe
2009-02-02 12:43 . 2009-02-16 11:57 <DIR> d-------- C:\HijackThis
2009-01-30 19:57 . 2009-02-14 12:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-30 19:57 . 2009-01-30 19:57 1,409 --a------ c:\windows\QTFont.for
2009-01-30 13:18 . 2009-01-30 13:18 71,984 --ah----- c:\windows\system32\mlfcache.dat
2009-01-30 12:59 . 2009-01-30 12:59 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-01-24 13:40 . 1999-12-12 22:31 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2009-01-24 13:40 . 1999-11-17 22:30 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2009-01-24 13:34 . 2009-01-24 13:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Creative
2009-01-19 15:45 . 2009-01-19 15:45 <DIR> d-------- C:\videooutput
2009-01-19 15:45 . 2009-01-19 15:45 <DIR> d-------- c:\program files\Smallvideosoft
2009-01-19 15:45 . 2007-03-07 00:45 3,086,336 --a------ c:\windows\system32\NCMedia.dll
2009-01-19 15:45 . 2007-03-07 00:45 3,086,336 --a------ c:\windows\system32\flvvideo.dll
2009-01-19 15:45 . 2007-02-25 15:36 383,238 --a------ c:\windows\system32\libmp3lame-0.dll
2009-01-17 20:51 . 2009-01-17 20:51 <DIR> d-------- c:\program files\MindFusion Limited

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 13:50 --------- d-----w c:\program files\PCFriendly
2009-02-16 06:09 --------- d-----w c:\documents and settings\User\Application Data\OpenOffice.org2
2009-02-14 18:21 22,528 ----a-w c:\windows\system32\userinit.exe
2009-02-08 09:29 --------- d-----w c:\documents and settings\User\Application Data\dvdcss
2009-02-01 14:34 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-31 10:21 --------- d-----w c:\program files\Zoom Player
2009-01-30 07:28 --------- d-----w c:\program files\Google
2009-01-24 08:26 --------- d-----w c:\program files\Audible
2009-01-24 08:10 --------- d--h--w c:\program files\Creative Installation Information
2009-01-24 08:10 --------- d-----w c:\program files\Creative
2009-01-23 17:29 --------- d-----w c:\documents and settings\User\Application Data\Creative
2009-01-06 06:46 --------- d-----w c:\program files\Apperson
2009-01-06 06:45 --------- d-----w c:\program files\Sweet Home 3D
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-18 07:00 --------- d-----w c:\program files\Microsoft LifeCam
2008-12-18 06:44 --------- d-----w c:\documents and settings\User\Application Data\Sony Corporation
2008-12-18 06:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 06:41 --------- d-----w c:\program files\Sony
2008-12-18 06:41 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Sony Corporation
.

------- Sigcheck -------

2009-02-14 23:51 22528 95417ba5efd21ea4b179499055843ef1 c:\windows\system32\userinit.exe
2004-08-04 00:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-29_15.07.26.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-09-22 13:15:36 480,768 -c----w c:\windows\$NtUninstallWMFDist11$\audiodev.dll
+ 2004-08-03 19:26:42 286,208 -c----w c:\windows\$NtUninstallWMFDist11$\blackbox.dll
+ 2004-10-11 05:50:30 161,792 -c----w c:\windows\$NtUninstallWMFDist11$\cewmdm.dll
+ 2004-08-03 19:27:04 695,296 -c----w c:\windows\$NtUninstallWMFDist11$\drmv2clt.dll
+ 2004-10-11 05:50:30 6,656 -c----w c:\windows\$NtUninstallWMFDist11$\laprxy.dll
+ 2004-10-11 05:50:30 96,768 -c----w c:\windows\$NtUninstallWMFDist11$\logagent.exe
+ 2004-08-03 19:26:44 310,272 -c----w c:\windows\$NtUninstallWMFDist11$\mp43dmod.dll
+ 2004-08-03 19:26:44 384,512 -c----w c:\windows\$NtUninstallWMFDist11$\mp4sdmod.dll
+ 2004-08-03 19:26:44 240,640 -c----w c:\windows\$NtUninstallWMFDist11$\mpg4dmod.dll
+ 2004-08-03 19:27:02 259,072 -c----w c:\windows\$NtUninstallWMFDist11$\msnetobj.dll
+ 2004-10-11 05:50:30 25,088 -c----w c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
+ 2004-10-11 05:50:30 169,472 -c----w c:\windows\$NtUninstallWMFDist11$\mspmsp.dll
+ 2004-10-11 05:50:30 360,176 -c----w c:\windows\$NtUninstallWMFDist11$\msscp.dll
+ 2004-10-11 05:50:30 311,296 -c----w c:\windows\$NtUninstallWMFDist11$\mswmdm.dll
+ 2004-10-11 05:50:30 221,184 -c----w c:\windows\$NtUninstallWMFDist11$\qasf.dll
+ 2006-08-11 14:44:00 213,216 -c----w c:\windows\$NtUninstallWMFDist11$\spuninst\spuninst.exe
+ 2006-08-11 14:44:00 371,424 -c----w c:\windows\$NtUninstallWMFDist11$\spuninst\updspapi.dll
+ 2006-08-24 17:12:14 13,312 -c----w c:\windows\$NtUninstallWMFDist11$\spuninst\wpdinstallutil.dll
+ 2004-10-11 05:50:30 47,104 -c----w c:\windows\$NtUninstallWMFDist11$\uwdf.exe
+ 2004-10-11 05:50:30 15,872 -c----w c:\windows\$NtUninstallWMFDist11$\wdfapi.dll
+ 2004-10-11 05:50:30 38,912 -c----w c:\windows\$NtUninstallWMFDist11$\wdfmgr.exe
+ 2004-10-11 05:50:30 379,120 -c----w c:\windows\$NtUninstallWMFDist11$\wmadmod.dll
+ 2004-10-11 05:50:30 712,704 -c----w c:\windows\$NtUninstallWMFDist11$\wmadmoe.dll
+ 2004-10-11 05:50:30 224,256 -c----w c:\windows\$NtUninstallWMFDist11$\wmasf.dll
+ 2004-10-11 05:50:32 28,160 -c----w c:\windows\$NtUninstallWMFDist11$\wmdmlog.dll
+ 2004-10-11 05:50:32 33,792 -c----w c:\windows\$NtUninstallWMFDist11$\wmdmps.dll
+ 2004-10-11 05:50:32 344,064 -c----w c:\windows\$NtUninstallWMFDist11$\wmdrmdev.dll
+ 2004-10-11 05:50:32 290,816 -c----w c:\windows\$NtUninstallWMFDist11$\wmdrmnet.dll
+ 2004-10-11 05:50:32 150,016 -c----w c:\windows\$NtUninstallWMFDist11$\wmidx.dll
+ 2004-10-11 05:50:32 1,026,048 -c----w c:\windows\$NtUninstallWMFDist11$\wmnetmgr.dll
+ 2004-10-11 05:50:34 773,368 -c----w c:\windows\$NtUninstallWMFDist11$\wmsdmod.dll
+ 2004-10-11 05:50:34 1,116,160 -c----w c:\windows\$NtUninstallWMFDist11$\wmsdmoe2.dll
+ 2005-08-03 17:29:52 819,200 -c----w c:\windows\$NtUninstallWMFDist11$\wmsetsdk.exe
+ 2004-10-11 05:50:34 531,192 -c----w c:\windows\$NtUninstallWMFDist11$\wmspdmod.dll
+ 2004-10-11 05:50:36 936,960 -c----w c:\windows\$NtUninstallWMFDist11$\wmspdmoe.dll
+ 2004-10-11 05:50:36 1,181,944 -c----w c:\windows\$NtUninstallWMFDist11$\wmvadvd.dll
+ 2004-10-11 05:50:36 1,509,376 -c----w c:\windows\$NtUninstallWMFDist11$\wmvadve.dll
+ 2004-10-11 05:50:36 2,362,104 -c----w c:\windows\$NtUninstallWMFDist11$\wmvcore.dll
+ 2004-10-11 05:50:36 868,600 -c----w c:\windows\$NtUninstallWMFDist11$\wmvdmod.dll
+ 2004-10-11 05:50:38 999,424 -c----w c:\windows\$NtUninstallWMFDist11$\wmvdmoe2.dll
+ 2004-10-11 05:50:38 38,912 -c----w c:\windows\$NtUninstallWMFDist11$\wpd_ci.dll
+ 2004-10-11 05:50:38 61,952 -c----w c:\windows\$NtUninstallWMFDist11$\wpdconns.dll
+ 2004-10-11 05:50:38 114,176 -c----w c:\windows\$NtUninstallWMFDist11$\wpdmtp.dll
+ 2004-10-11 05:50:38 66,560 -c----w c:\windows\$NtUninstallWMFDist11$\wpdmtpus.dll
+ 2004-10-11 05:50:38 327,680 -c----w c:\windows\$NtUninstallWMFDist11$\wpdsp.dll
+ 2004-10-11 05:50:38 18,944 -c----w c:\windows\$NtUninstallWMFDist11$\wpdusb.sys
+ 2007-06-14 08:57:30 288,512 ----a-w c:\windows\Downloaded Program Files\dwa7W.dll
+ 2008-12-18 07:00:18 49,334 ----a-r c:\windows\Installer\{63AFACBC-4795-4A1B-8037-5085DC03FC54}\_3B39D466F97F59A5D83D68.exe
+ 2008-12-18 07:00:18 49,334 ----a-r c:\windows\Installer\{63AFACBC-4795-4A1B-8037-5085DC03FC54}\_638BCDEA3B33CA68073C66.exe
+ 2008-12-18 07:00:18 287,934 ----a-r c:\windows\Installer\{63AFACBC-4795-4A1B-8037-5085DC03FC54}\_93458484A917975E9CF2AA.exe
+ 2008-12-18 07:00:18 29,926 ----a-r c:\windows\Installer\{63AFACBC-4795-4A1B-8037-5085DC03FC54}\_CB6C72A2F50662445A5776.exe
+ 2008-12-18 07:00:18 287,934 ----a-r c:\windows\Installer\{63AFACBC-4795-4A1B-8037-5085DC03FC54}\_E35C8803599553ABBDC417.exe
+ 2008-11-03 11:45:39 33,466 ----a-r c:\windows\Installer\{722AED08-B149-423F-8B86-8453643B61E5}\ARPPRODUCTICON.exe
+ 2008-11-03 11:45:39 73,728 ----a-r c:\windows\Installer\{722AED08-B149-423F-8B86-8453643B61E5}\pes2009.exe_7A18388D0401418BB2B2AE3847D90930.exe
+ 2008-11-03 11:45:39 86,016 ----a-r c:\windows\Installer\{722AED08-B149-423F-8B86-8453643B61E5}\settings.exe_62CFF94D1C884E91B34C01B4469BF591.exe
- 2000-08-31 02:30:00 28,672 ----a-w c:\windows\Nircmd.exe
+ 2000-08-31 02:30:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2008-09-15 11:19:22 3,939,328 ----a-w c:\windows\Photo! 3D ScreenSaver.scr
- 2004-09-22 13:15:36 480,768 ----a-w c:\windows\system32\Audiodev.dll
+ 2006-08-24 17:00:12 276,480 ----a-w c:\windows\system32\audiodev.dll
- 2004-08-03 19:26:42 286,208 ----a-w c:\windows\system32\blackbox.dll
+ 2006-08-24 17:00:12 537,600 ----a-w c:\windows\system32\blackbox.dll
- 2004-10-11 05:50:30 161,792 ----a-w c:\windows\system32\cewmdm.dll
+ 2006-08-24 17:00:12 228,352 ----a-w c:\windows\system32\cewmdm.dll
+ 2007-04-10 21:46:52 185,704 ----a-w c:\windows\system32\cVX1000.dll
+ 2007-03-12 11:12:30 1,123,696 ----a-w c:\windows\system32\D3DCompiler_33.dll
+ 2007-03-15 11:27:58 443,752 ----a-w c:\windows\system32\d3dx10_33.dll
+ 2005-02-05 14:15:26 2,222,800 ----a-w c:\windows\system32\d3dx9_24.dll
+ 2005-03-18 11:49:58 2,337,488 ----a-w c:\windows\system32\d3dx9_25.dll
+ 2005-05-26 10:04:52 2,297,552 ----a-w c:\windows\system32\d3dx9_26.dll
+ 2005-07-22 14:29:04 2,319,568 ----a-w c:\windows\system32\d3dx9_27.dll
+ 2005-12-05 12:39:18 2,323,664 ----a-w c:\windows\system32\d3dx9_28.dll
+ 2006-02-03 03:13:16 2,332,368 ----a-w c:\windows\system32\d3dx9_29.dll
+ 2006-03-31 07:10:58 2,388,176 ----a-w c:\windows\system32\d3dx9_30.dll
+ 2006-09-28 10:35:20 2,414,360 ----a-w c:\windows\system32\d3dx9_31.dll
+ 2006-11-29 07:36:18 3,426,072 ----a-w c:\windows\system32\d3dx9_32.dll
+ 2007-03-12 11:12:30 3,495,784 ----a-w c:\windows\system32\d3dx9_33.dll
- 2004-08-03 19:26:42 286,208 -c--a-w c:\windows\system32\dllcache\blackbox.dll
+ 2006-08-24 17:00:12 537,600 -c--a-w c:\windows\system32\dllcache\blackbox.dll
+ 2004-08-03 17:40:18 17,024 -c--a-w c:\windows\system32\dllcache\ccdecode.sys
- 2004-10-11 05:50:30 161,792 -c--a-w c:\windows\system32\dllcache\cewmdm.dll
+ 2006-08-24 17:00:12 228,352 -c--a-w c:\windows\system32\dllcache\cewmdm.dll
- 2004-08-03 19:27:04 695,296 -c--a-w c:\windows\system32\dllcache\drmv2clt.dll
+ 2006-08-24 17:00:14 990,208 -c--a-w c:\windows\system32\dllcache\drmv2clt.dll
+ 2001-08-17 08:32:20 9,600 -c--a-w c:\windows\system32\dllcache\hidusb.sys
- 2004-10-11 05:50:30 6,656 -c--a-w c:\windows\system32\dllcache\laprxy.dll
+ 2006-08-24 17:00:16 11,264 -c--a-w c:\windows\system32\dllcache\LAPRXY.dll
- 2004-10-11 05:50:30 96,768 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2006-08-24 15:01:04 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2001-08-17 08:18:00 12,160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
- 2004-08-03 19:26:44 310,272 -c--a-w c:\windows\system32\dllcache\mp43dmod.dll
+ 2006-08-24 17:00:18 4,096 -c--a-w c:\windows\system32\dllcache\MP43DMOD.dll
- 2004-08-03 19:26:44 384,512 -c--a-w c:\windows\system32\dllcache\mp4sdmod.dll
+ 2006-08-24 17:00:18 4,096 -c--a-w c:\windows\system32\dllcache\MP4SDMOD.dll
- 2004-08-03 19:26:44 240,640 -c--a-w c:\windows\system32\dllcache\mpg4dmod.dll
+ 2006-08-24 17:00:18 4,096 -c--a-w c:\windows\system32\dllcache\MPG4DMOD.dll
- 2004-08-03 19:27:02 259,072 -c--a-w c:\windows\system32\dllcache\msnetobj.dll
+ 2006-08-24 17:00:18 179,712 -c--a-w c:\windows\system32\dllcache\msnetobj.dll
- 2004-10-11 05:50:30 25,088 -c--a-w c:\windows\system32\dllcache\mspmsnsv.dll
+ 2006-08-24 17:00:20 27,648 -c--a-w c:\windows\system32\dllcache\mspmsnsv.dll
- 2004-10-11 05:50:30 169,472 -c--a-w c:\windows\system32\dllcache\mspmsp.dll
+ 2006-08-24 17:00:20 175,104 -c--a-w c:\windows\system32\dllcache\mspmsp.dll
- 2004-10-11 05:50:30 360,176 -c--a-w c:\windows\system32\dllcache\msscp.dll
+ 2006-08-24 17:00:20 414,208 -c--a-w c:\windows\system32\dllcache\msscp.dll
+ 2004-08-03 17:28:40 5,504 -c--a-w c:\windows\system32\dllcache\mstee.sys
- 2004-10-11 05:50:30 311,296 -c--a-w c:\windows\system32\dllcache\mswmdm.dll
+ 2006-08-24 17:00:20 320,512 -c--a-w c:\windows\system32\dllcache\mswmdm.dll
+ 2004-08-03 17:40:30 85,376 -c--a-w c:\windows\system32\dllcache\nabtsfec.sys
+ 2004-08-03 17:40:14 10,880 -c--a-w c:\windows\system32\dllcache\ndisip.sys
- 2004-10-11 05:50:30 221,184 -c--a-w c:\windows\system32\dllcache\qasf.dll
+ 2006-08-24 17:00:22 210,432 -c--a-w c:\windows\system32\dllcache\qasf.dll
+ 2004-08-03 17:40:18 11,136 -c--a-w c:\windows\system32\dllcache\slip.sys
+ 2004-08-03 17:40:14 15,360 -c--a-w c:\windows\system32\dllcache\streamip.sys
+ 2004-08-03 17:37:56 59,264 -c--a-w c:\windows\system32\dllcache\usbaudio.sys
+ 2004-08-03 17:38:48 31,616 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
+ 2004-08-03 19:26:48 53,760 -c--a-w c:\windows\system32\dllcache\vfwwdm32.dll
- 2004-10-11 05:50:30 379,120 -c--a-w c:\windows\system32\dllcache\wmadmod.dll
+ 2006-08-24 17:00:22 757,248 -c--a-w c:\windows\system32\dllcache\WMADMOD.dll
- 2004-10-11 05:50:30 712,704 -c--a-w c:\windows\system32\dllcache\wmadmoe.dll
+ 2006-08-24 17:00:22 1,118,208 -c--a-w c:\windows\system32\dllcache\WMADMOE.dll
- 2004-10-11 05:50:30 224,256 -c--a-w c:\windows\system32\dllcache\wmasf.dll
+ 2006-08-24 17:00:22 222,208 -c--a-w c:\windows\system32\dllcache\WMASF.dll
- 2004-10-11 05:50:32 28,160 -c--a-w c:\windows\system32\dllcache\wmdmlog.dll
+ 2006-08-24 17:00:22 33,792 -c--a-w c:\windows\system32\dllcache\wmdmlog.dll
- 2004-10-11 05:50:32 33,792 -c--a-w c:\windows\system32\dllcache\wmdmps.dll
+ 2006-08-24 17:00:22 37,376 -c--a-w c:\windows\system32\dllcache\wmdmps.dll
- 2004-10-11 05:50:32 150,016 -c--a-w c:\windows\system32\dllcache\wmidx.dll
+ 2006-08-24 17:00:24 157,184 -c--a-w c:\windows\system32\dllcache\wmidx.dll
- 2004-10-11 05:50:32 1,026,048 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2006-08-24 17:00:24 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
- 2004-10-11 05:50:34 773,368 -c--a-w c:\windows\system32\dllcache\wmsdmod.dll
+ 2006-08-24 17:00:26 4,096 -c--a-w c:\windows\system32\dllcache\wmsdmod.dll
- 2004-10-11 05:50:34 1,116,160 -c--a-w c:\windows\system32\dllcache\wmsdmoe2.dll
+ 2006-08-24 17:00:26 4,096 -c--a-w c:\windows\system32\dllcache\wmsdmoe2.dll
- 2004-10-11 05:50:34 531,192 -c--a-w c:\windows\system32\dllcache\wmspdmod.dll
+ 2006-08-24 17:00:26 603,648 -c--a-w c:\windows\system32\dllcache\WMSPDMOD.dll
- 2004-10-11 05:50:36 936,960 -c--a-w c:\windows\system32\dllcache\wmspdmoe.dll
+ 2006-08-24 17:00:26 1,327,616 -c--a-w c:\windows\system32\dllcache\WMSPDMOE.dll
- 2004-10-11 05:50:36 2,362,104 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2006-08-24 17:00:26 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
- 2004-10-11 05:50:36 868,600 -c--a-w c:\windows\system32\dllcache\wmvdmod.dll
+ 2006-08-24 17:00:26 4,096 -c--a-w c:\windows\system32\dllcache\wmvdmod.dll
- 2004-10-11 05:50:38 999,424 -c--a-w c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2006-08-24 17:00:26 4,096 -c--a-w c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2004-08-03 17:40:22 19,328 -c--a-w c:\windows\system32\dllcache\wstcodec.sys
- 2008-05-05 07:37:24 79,424 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2008-11-29 09:05:20 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2004-08-03 17:40:18 17,024 ----a-w c:\windows\system32\drivers\CCDECODE.sys
+ 2006-08-28 16:18:26 2,432 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
+ 2006-08-28 16:18:26 2,560 ----a-w c:\windows\system32\drivers\cdralw2k.sys
+ 2001-08-17 08:32:20 9,600 ----a-w c:\windows\system32\drivers\hidusb.sys
+ 2008-06-28 08:46:36 17,144 ----a-w c:\windows\system32\drivers\mbam.sys
+ 2008-06-28 08:46:40 34,296 ----a-w c:\windows\system32\drivers\mbamcatchme.sys
+ 2001-08-17 08:18:00 12,160 ----a-w c:\windows\system32\drivers\mouhid.sys
+ 2004-08-03 17:28:40 5,504 ----a-w c:\windows\system32\drivers\MSTEE.sys
+ 2004-08-03 17:40:30 85,376 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
+ 2004-08-03 17:40:14 10,880 ----a-w c:\windows\system32\drivers\NdisIP.sys
- 2006-04-18 22:34:55 20,640 ----a-w c:\windows\system32\drivers\PxHelp20.sys
+ 2008-07-31 22:17:04 43,872 ----a-w c:\windows\system32\drivers\pxhelp20.sys
+ 2004-08-03 17:40:18 11,136 ----a-w c:\windows\system32\drivers\SLIP.sys
+ 2004-08-03 17:40:14 15,360 ----a-w c:\windows\system32\drivers\StreamIP.sys
+ 2006-08-24 17:00:26 667,648 ------w c:\windows\system32\drivers\umdf\wpdmtpdr.dll
+ 2004-08-03 17:37:56 59,264 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
+ 2004-08-03 17:38:48 31,616 ----a-w c:\windows\system32\drivers\usbccgp.sys
+ 2007-04-10 21:46:53 1,966,312 ----a-w c:\windows\system32\drivers\VX1000.sys
- 2004-10-11 05:50:38 18,944 ----a-w c:\windows\system32\drivers\wpdusb.sys
+ 2006-08-24 14:56:02 38,656 ----a-w c:\windows\system32\drivers\wpdusb.sys
+ 2004-08-03 17:40:22 19,328 ----a-w c:\windows\system32\drivers\WSTCODEC.SYS
+ 2006-08-24 14:57:06 249,344 ------w c:\windows\system32\drmupgds.exe
- 2004-08-03 19:27:04 695,296 ----a-w c:\windows\system32\drmv2clt.dll
+ 2006-08-24 17:00:14 990,208 ----a-w c:\windows\system32\drmv2clt.dll
+ 2007-04-12 21:46:36 202,072 -c--a-w c:\windows\system32\DRVSTORE\NX6000_F6B3840B39991CB5F379BB4F46F6AA68F481F295\LCCoin14.dll
+ 2007-04-12 21:46:36 34,136 -c--a-w c:\windows\system32\DRVSTORE\NX6000_F6B3840B39991CB5F379BB4F46F6AA68F481F295\nx6000.sys
+ 2007-04-10 21:46:53 111,976 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\1033\VX1000.dll
+ 2007-04-10 21:46:52 185,704 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\cVX1000.dll
+ 2007-04-10 21:46:52 202,088 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\LCCoin14.dll
+ 2007-04-10 21:46:52 505,192 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\TwainUI.dll
+ 2007-04-10 21:46:52 476,520 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\vVX1000.dll
+ 2007-04-10 21:46:52 709,992 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\vVX1000.exe
+ 2007-04-10 21:46:53 1,966,312 -c--a-w c:\windows\system32\DRVSTORE\VX1000_E963F99BA6CBC696BC000CB6C33CB48A5D65C964\VX1000.sys
+ 2007-04-10 21:46:50 111,976 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\1033\VX3000.dll
+ 2007-04-10 21:46:47 185,704 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\cVX3000.dll
+ 2007-04-10 21:46:47 202,088 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\LCCoin14.dll
+ 2007-04-10 21:46:47 505,192 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\TwainUI.dll
+ 2007-04-10 21:46:48 476,520 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\vVX3000.dll
+ 2007-04-10 21:46:48 709,992 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\vVX3000.exe
+ 2007-04-10 21:46:48 1,966,696 -c--a-w c:\windows\system32\DRVSTORE\VX3000_8C2D2A241B53D9C83A931623F8898B582C368FB7\VX3000.sys
+ 2007-04-10 21:46:46 116,072 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\1033\VX6000.dll
+ 2007-04-10 21:46:43 185,704 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\cVX6000.dll
+ 2007-04-10 21:46:43 202,088 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\LCCoin14.dll
+ 2007-04-10 21:46:43 484,712 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\vVX6000.dll
+ 2007-04-10 21:46:43 996,712 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\vVX6000.exe
+ 2007-04-10 21:46:44 2,385,896 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\VX6000Xp.sys
+ 2007-04-10 21:46:44 36,328 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\VX6KCamd.sys
+ 2007-04-10 21:46:44 509,288 -c--a-w c:\windows\system32\DRVSTORE\VX6000_34B6C40B745EB592EBBD2F02BC6EC375C6A74955\VX6KTUI.dll
- 2004-10-11 05:50:30 6,656 ----a-w c:\windows\system32\laprxy.dll
+ 2006-08-24 17:00:16 11,264 ----a-w c:\windows\system32\LAPRXY.dll
+ 2007-04-10 21:46:52 202,088 ----a-w c:\windows\system32\LCCoin14.dll
- 2004-10-11 05:50:30 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2006-08-24 15:01:04 100,864 ----a-w c:\windows\system32\logagent.exe
- 2006-11-09 09:50:00 2,111,096 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2006-11-09 09:50:00 190,072 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-09 15:19:43 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2006-08-24 17:00:18 211,968 ------w c:\windows\system32\MFPLAT.dll
+ 2006-08-24 17:00:18 258,560 ------w c:\windows\system32\MP43DECD.dll
- 2004-08-03 19:26:44 310,272 ----a-w c:\windows\system32\mp43dmod.dll
+ 2006-08-24 17:00:18 4,096 ----a-w c:\windows\system32\MP43DMOD.dll
+ 2006-08-24 17:00:18 316,928 ------w c:\windows\system32\MP4SDECD.dll
- 2004-08-03 19:26:44 384,512 ----a-w c:\windows\system32\mp4sdmod.dll
+ 2006-08-24 17:00:18 4,096 ----a-w c:\windows\system32\MP4SDMOD.dll
+ 2006-08-24 17:00:18 259,072 ------w c:\windows\system32\MPG4DECD.dll
- 2004-08-03 19:26:44 240,640 ----a-w c:\windows\system32\mpg4dmod.dll
+ 2006-08-24 17:00:18 4,096 ----a-w c:\windows\system32\MPG4DMOD.dll
- 2004-08-03 19:27:02 259,072 ----a-w c:\windows\system32\msnetobj.dll
+ 2006-08-24 17:00:18 179,712 ----a-w c:\windows\system32\msnetobj.dll
- 2004-10-11 05:50:30 25,088 ----a-w c:\windows\system32\MsPMSNSv.dll
+ 2006-08-24 17:00:20 27,648 ----a-w c:\windows\system32\mspmsnsv.dll
- 2004-10-11 05:50:30 169,472 ----a-w c:\windows\system32\MsPMSP.dll
+ 2006-08-24 17:00:20 175,104 ----a-w c:\windows\system32\mspmsp.dll
- 2004-10-11 05:50:30 360,176 ----a-w c:\windows\system32\MSSCP.dll
+ 2006-08-24 17:00:20 414,208 ----a-w c:\windows\system32\msscp.dll
- 2004-10-11 05:50:30 311,296 ----a-w c:\windows\system32\MSWMDM.dll
+ 2006-08-24 17:00:20 320,512 ----a-w c:\windows\system32\mswmdm.dll
+ 2006-08-24 17:00:22 284,160 ------w c:\windows\system32\PortableDeviceApi.dll
+ 2006-08-24 17:00:22 101,888 ------w c:\windows\system32\PortableDeviceClassExtension.dll
+ 2006-08-24 17:00:22 166,912 ------w c:\windows\system32\PortableDeviceTypes.dll
+ 2006-08-24 17:00:22 132,096 ------w c:\windows\system32\PortableDeviceWiaCompat.dll
+ 2006-08-24 17:00:22 198,144 ------w c:\windows\system32\PortableDeviceWMDRM.dll
- 2006-04-18 22:34:56 372,736 ----a-w c:\windows\system32\px.dll
+ 2008-07-31 22:17:04 588,272 ------w c:\windows\system32\px.dll
- 2006-04-18 22:34:56 56,832 ----a-w c:\windows\system32\pxcpya64.exe
+ 2006-10-18 14:13:36 64,248 ------w c:\windows\system32\PxCpyA64.exe
- 2006-04-18 22:34:56 108,544 ----a-w c:\windows\system32\pxcpyi64.exe
+ 2006-10-18 14:13:36 115,960 ------w c:\windows\system32\PxCpyI64.exe
- 2006-04-18 22:34:56 421,888 ----a-w c:\windows\system32\pxdrv.dll
+ 2008-07-31 22:17:04 543,216 ------w c:\windows\system32\pxdrv.dll
- 2006-04-18 22:34:56 61,440 ----a-w c:\windows\system32\pxhpinst.exe
+ 2008-07-31 22:17:04 72,176 ------w c:\windows\system32\pxhpinst.exe
- 2006-04-18 22:34:56 56,320 ----a-w c:\windows\system32\pxinsa64.exe
+ 2006-11-02 11:27:04 64,760 ------w c:\windows\system32\PxInsA64.exe
- 2006-04-18 22:34:56 109,568 ----a-w c:\windows\system32\pxinsi64.exe
+ 2006-11-02 11:27:04 118,520 ------w c:\windows\system32\PxInsI64.exe
- 2006-04-18 22:34:56 172,032 ----a-w c:\windows\system32\pxmas.dll
+ 2008-07-31 22:17:04 186,864 ------w c:\windows\system32\pxmas.dll
- 2006-04-18 22:34:56 339,968 ----a-w c:\windows\system32\pxwave.dll
+ 2008-07-31 22:17:04 379,376 ------w c:\windows\system32\pxwave.dll
- 2004-10-11 05:50:30 221,184 ----a-w c:\windows\system32\qasf.dll
+ 2006-08-24 17:00:22 210,432 ----a-w c:\windows\system32\qasf.dll
- 2005-05-03 07:28:20 13,536 ------w c:\windows\system32\spmsg.dll
+ 2005-02-24 06:50:06 13,536 ------w c:\windows\system32\spmsg.dll
- 2005-02-24 06:51:42 22,752 ----a-w c:\windows\system32\spupdsvc.exe
+ 2006-08-11 14:44:00 22,752 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-02-29 13:45:51 1,536 ----a-w c:\windows\system32\TrueSoft.dat
+ 2008-10-31 11:17:18 1,536 ----a-w c:\windows\system32\TrueSoft.dat
- 2004-10-11 05:50:30 47,104 ----a-w c:\windows\system32\uwdf.exe
+ 2006-08-24 17:12:14 8,704 ----a-w c:\windows\system32\uwdf.exe
+ 2004-08-03 19:26:48 53,760 ----a-w c:\windows\system32\vfwwdm32.dll
- 2006-04-18 22:34:55 28,672 ----a-w c:\windows\system32\vxblock.dll
+ 2008-07-31 22:17:04 88,560 ------w c:\windows\system32\vxblock.dll
- 2004-10-11 05:50:30 15,872 ----a-w c:\windows\system32\wdfapi.dll
+ 2006-08-24 17:00:22 4,096 ----a-w c:\windows\system32\wdfapi.dll
- 2004-10-11 05:50:30 38,912 ----a-w c:\windows\system32\wdfmgr.exe
+ 2006-08-24 17:12:14 8,704 ----a-w c:\windows\system32\wdfmgr.exe
- 2004-10-11 05:50:30 379,120 ----a-w c:\windows\system32\wmadmod.dll
+ 2006-08-24 17:00:22 757,248 ----a-w c:\windows\system32\WMADMOD.dll
- 2004-10-11 05:50:30 712,704 ----a-w c:\windows\system32\wmadmoe.dll
+ 2006-08-24 17:00:22 1,118,208 ----a-w c:\windows\system32\WMADMOE.dll
- 2004-10-11 05:50:30 224,256 ----a-w c:\windows\system32\wmasf.dll
+ 2006-08-24 17:00:22 222,208 ----a-w c:\windows\system32\WMASF.dll
- 2004-10-11 05:50:32 28,160 ----a-w c:\windows\system32\WMDMLOG.dll
+ 2006-08-24 17:00:22 33,792 ----a-w c:\windows\system32\wmdmlog.dll
- 2004-10-11 05:50:32 33,792 ----a-w c:\windows\system32\WMDMPS.dll
+ 2006-08-24 17:00:22 37,376 ----a-w c:\windows\system32\wmdmps.dll
- 2004-10-11 05:50:32 344,064 ----a-w c:\windows\system32\WMDRMdev.dll
+ 2006-08-24 17:00:22 428,032 ----a-w c:\windows\system32\wmdrmdev.dll
- 2004-10-11 05:50:32 290,816 ----a-w c:\windows\system32\WMDRMNet.dll
+ 2006-08-24 17:00:24 347,648 ----a-w c:\windows\system32\wmdrmnet.dll
+ 2006-08-24 17:00:24 532,992 ------w c:\windows\system32\wmdrmsdk.dll
- 2004-10-11 05:50:32 150,016 ----a-w c:\windows\system32\wmidx.dll
+ 2006-08-24 17:00:24 157,184 ----a-w c:\windows\system32\wmidx.dll
- 2004-10-11 05:50:32 1,026,048 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2006-08-24 17:00:24 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
- 2004-10-11 05:50:34 773,368 ----a-w c:\windows\system32\wmsdmod.dll
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\wmsdmod.dll
- 2004-10-11 05:50:34 1,116,160 ----a-w c:\windows\system32\wmsdmoe2.dll
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\wmsdmoe2.dll
- 2004-10-11 05:50:34 531,192 ----a-w c:\windows\system32\wmspdmod.dll
+ 2006-08-24 17:00:26 603,648 ----a-w c:\windows\system32\WMSPDMOD.dll
- 2004-10-11 05:50:36 936,960 ----a-w c:\windows\system32\wmspdmoe.dll
+ 2006-08-24 17:00:26 1,327,616 ----a-w c:\windows\system32\WMSPDMOE.dll
- 2004-10-11 05:50:36 1,181,944 ----a-w c:\windows\system32\wmvadvd.dll
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\WMVADVD.dll
- 2004-10-11 05:50:36 1,509,376 ----a-w c:\windows\system32\WMVADVE.DLL
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\WMVADVE.DLL
- 2004-10-11 05:50:36 2,362,104 ----a-w c:\windows\system32\wmvcore.dll
+ 2006-08-24 17:00:26 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2006-08-24 17:00:26 1,539,584 ------w c:\windows\system32\WMVDECOD.dll
- 2004-10-11 05:50:36 868,600 ----a-w c:\windows\system32\wmvdmod.dll
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\wmvdmod.dll
- 2004-10-11 05:50:38 999,424 ----a-w c:\windows\system32\wmvdmoe2.dll
+ 2006-08-24 17:00:26 4,096 ----a-w c:\windows\system32\wmvdmoe2.dll
+ 2006-08-24 17:00:26 1,532,416 ------w c:\windows\system32\WMVENCOD.dll
+ 2006-08-24 17:00:26 1,392,128 ------w c:\windows\system32\WMVSDECD.dll
+ 2006-08-24 17:00:26 790,016 ------w c:\windows\system32\WMVSENCD.dll
+ 2006-08-24 17:00:26 656,896 ------w c:\windows\system32\WMVXENCD.dll
- 2004-10-11 05:50:38 38,912 ----a-w c:\windows\system32\wpd_ci.dll
+ 2006-08-24 17:00:28 629,760 ----a-w c:\windows\system32\wpd_ci.dll
- 2004-10-11 05:50:38 61,952 ----a-w c:\windows\system32\wpdconns.dll
+ 2006-08-24 17:00:26 35,840 ----a-w c:\windows\system32\wpdconns.dll
- 2004-10-11 05:50:38 114,176 ----a-w c:\windows\system32\wpdmtp.dll
+ 2006-08-24 17:00:26 154,624 ----a-w c:\windows\system32\wpdmtp.dll
- 2004-10-11 05:50:38 66,560 ----a-w c:\windows\system32\wpdmtpus.dll
+ 2006-08-24 17:00:28 63,488 ----a-w c:\windows\system32\wpdmtpus.dll
+ 2006-08-24 17:00:28 2,589,184 ------w c:\windows\system32\WpdShext.dll
+ 2006-08-24 14:56:22 17,408 ------w c:\windows\system32\wpdshextautoplay.exe
+ 2006-08-24 17:00:28 133,120 ------w c:\windows\system32\WPDShServiceObj.dll
- 2004-10-11 05:50:38 327,680 ----a-w c:\windows\system32\wpdsp.dll
+ 2006-08-24 17:00:28 349,184 ----a-w c:\windows\system32\wpdsp.dll
+ 2006-02-03 03:11:26 14,032 ----a-w c:\windows\system32\x3daudio1_0.dll
+ 2007-03-05 07:12:18 15,128 ----a-w c:\windows\system32\x3daudio1_1.dll
+ 2006-02-03 03:12:06 230,096 ----a-w c:\windows\system32\xactengine2_0.dll
+ 2006-03-31 07:09:48 229,584 ----a-w c:\windows\system32\xactengine2_1.dll
+ 2006-05-31 01:54:16 230,168 ----a-w c:\windows\system32\xactengine2_2.dll
+ 2006-07-28 04:00:32 236,824 ----a-w c:\windows\system32\xactengine2_3.dll
+ 2006-09-28 10:35:56 237,848 ----a-w c:\windows\system32\xactengine2_4.dll
+ 2006-12-08 06:32:00 251,672 ----a-w c:\windows\system32\xactengine2_5.dll
+ 2007-01-24 09:57:30 255,848 ----a-w c:\windows\system32\xactengine2_6.dll
+ 2007-04-04 13:25:00 261,480 ----a-w c:\windows\system32\xactengine2_7.dll
+ 2006-03-31 07:09:24 62,672 ----a-w c:\windows\system32\xinput1_1.dll
+ 2006-07-28 04:00:14 62,744 ----a-w c:\windows\system32\xinput1_2.dll
+ 2007-04-04 13:23:42 81,768 ----a-w c:\windows\system32\xinput1_3.dll
+ 2005-12-05 12:37:30 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
- 2005-12-30 14:40:30 761,856 ----a-w c:\windows\system32\xvidcore.dll
+ 2006-11-01 09:22:38 765,952 ----a-w c:\windows\system32\xvidcore.dll
+ 2007-04-10 21:46:52 505,192 ----a-w c:\windows\twain_32\VX1000\TwainUI.dll
+ 1998-02-06 17:07:32 299,520 ----a-w c:\windows\uninst.exe
+ 2007-04-10 21:46:52 476,520 ----a-w c:\windows\vVX1000.dll
+ 2007-04-10 21:46:52 709,992 ----a-w c:\windows\vVX1000.exe
+ 2007-04-10 21:46:53 111,976 ----a-w c:\windows\VX1000.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-06-20 4538368]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-03-26 413775]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-12 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Ipbleepa\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Nokia Device Manager.lnk - c:\program files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe [2006-03-20 802304]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-08-09 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

R2 VenturiClient;Venturi Client;c:\program files\Speed+\Client\VentC.exe [2007-10-23 2475360]
R3 komiceb;Nokia 6708 Cable Emulation Bus (WDM);c:\windows\system32\drivers\komiceb.sys [2007-11-13 41792]
R3 sit_bus;SIT_1x_usbmodem Device;c:\windows\system32\drivers\sit_bus.sys [2007-04-17 22144]
R3 sit_flt;SUNGIL USB Filter Service;c:\windows\system32\drivers\sit_flt.sys [2007-04-18 4352]
R3 sit_mdm;SIT_1x_usbmodem ;c:\windows\system32\drivers\sit_mdm.sys [2007-04-17 39680]
R3 sit_prt;SIT_1x_usbmodem Port;c:\windows\system32\drivers\sit_prt.sys [2007-04-17 38656]
R3 vwinter;Venturi Wireless Intercepter;c:\windows\system32\drivers\vwinter.sys [2007-10-23 47392]
R3 vwredir;Venturi Wireless Redirector;c:\windows\system32\drivers\vwredir.sys [2007-10-23 85792]
S3 komibus;Nokia 6708 Composite Device driver (WDM);c:\windows\system32\drivers\komibus.sys [2007-11-13 52384]
S3 komimdfl;Nokia 6708 VSC Modem (WDM) (Filter);c:\windows\system32\drivers\komimdfl.sys [2007-11-13 6000]
S3 komimdmc;Nokia 6708 mRouter Port (WDM);c:\windows\system32\drivers\komimdmc.sys [2007-11-13 85184]
S3 komisce;Nokia 6708 VSC Modem (WDM);c:\windows\system32\drivers\komisce.sys [2007-11-13 68112]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d76e0968-ccce-11dd-aca1-f234a330d1fb}]
\Shell\Auto\command - H:\gb32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL gb32.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-18 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2007-04-11 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ax3abblf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.19.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 19:29:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-16 19:30:15
ComboFix-quarantined-files.txt 2009-02-16 14:00:03
ComboFix2.txt 2008-06-30 06:57:45
ComboFix3.txt 2008-06-29 09:37:35
ComboFix4.txt 2008-02-05 13:40:09
ComboFix5.txt 2009-02-16 13:55:42

Pre-Run: 26,956,886,016 bytes free
Post-Run: 27,451,928,576 bytes free

517

Regards,
Yps

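The MountPoints2 block near the end of the log above is the part a helper reads by eye: a per-volume key whose Shell\Auto\command points at an executable on drive H:. As an added example, not part of the original thread and not ComboFix code, here is a small Python parser that pulls those handlers out of a ComboFix log and flags the ones that launch something from a non-system drive or through the RunDLL32/ShellExec_RunDLL trick. The sample input is the block copied from the log; the regexes assume the one-line "\Shell\<verb>\command - <cmd>" layout ComboFix printed there.

```python
"""Pull the MountPoints2 autorun handlers out of a ComboFix log and flag the
ones that launch a program from a removable drive.  Added example; it is not
ComboFix code and the regexes are written against the log layout shown in
this thread."""
import re

# Constructed sample: the MountPoints2 block copied from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d76e0968-ccce-11dd-aca1-f234a330d1fb}]
\Shell\Auto\command - H:\gb32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL gb32.exe
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)
# A bare "<drive>:\<file>.exe" such as H:\gb32.exe
DRIVE_EXE_RE = re.compile(r"^([A-Z]):\\([^\s\\]+\.(?:exe|com|scr|bat|cmd|pif))$", re.I)
# ShellExec_RunDLL runs a file name relative to the mounted volume
SHELLEXEC_RE = re.compile(r"ShellExec_RunDLL\s+(\S+)", re.I)


def parse_mountpoints2(log_text):
    """Return one {'guid': ..., 'verbs': {verb: command}} per MountPoints2 key."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = {"guid": key.group(1), "verbs": {}}
            entries.append(current)
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            current["verbs"][verb.group(1)] = verb.group(2)
        else:
            current = None  # blank line, '.', or the next section ends the key
    return entries


def flag_autorun_hijacks(entries, system_drive="C"):
    """Flag handlers that run a program from another drive or via ShellExec_RunDLL."""
    findings = []
    for entry in entries:
        for verb, cmd in entry["verbs"].items():
            target = None
            direct = DRIVE_EXE_RE.match(cmd)
            if direct and direct.group(1).upper() != system_drive.upper():
                target = cmd
            via_rundll = SHELLEXEC_RE.search(cmd)
            if via_rundll:
                target = via_rundll.group(1)
            if target:
                findings.append({"guid": entry["guid"], "verb": verb, "target": target})
    return findings


if __name__ == "__main__":
    for f in flag_autorun_hijacks(parse_mountpoints2(SAMPLE_LOG)):
        print(f"{f['guid']}  Shell\\{f['verb']}\\command -> {f['target']}")
```

The MountPoints2 key is only Explorer's cached copy of the handlers it read from the volume's autorun.inf, so deleting the key alone leaves the carrier intact: the gb32.exe on the removable drive (and its autorun.inf) has to go as well, which is why the drive must be plugged in when the cleanup runs.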
#10 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 February 2009 - 07:05 PM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

c:\windows\system32\stus.exe
c:\windows\system32\userinit.exe
c:\windows\system32\dllcache\userinit.exe

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete; please copy and paste those results in your next post.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#11 Yps

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Female
  • Location:India

Posted 17 February 2009 - 03:45 AM

Here are the results in the attached PDFs.
STUS 0
USERINIT 22/39
DLLCACHE/USERINIT 0
I have attached the 3 PDF results.
Regards,
Yps


#12 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 17 February 2009 - 07:40 AM

Please plug in any removable flash drive or hard drive before running the below script.
========
1. Please open Notepad
  • Click Start , then Run
  • Type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
c:\windows\system32\dllcache\userinit.exe | c:\windows\system32\userinit.exe

File::
H:\gb32.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d76e0968-ccce-11dd-aca1-f234a330d1fb}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

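The FCopy:: line in the script above replaces the flagged userinit.exe with the copy Windows File Protection keeps in system32\dllcache. As an added example, not part of the thread and not ComboFix code, here is a Python check that compares each watched system32 file with its dllcache twin by SHA-256 and restores it the same way the FCopy step does; it generalises the single-file step to a list of files. The WATCHED list (userinit.exe comes from the thread, the other names are illustrative) and the throwaway fixture directory are assumptions so the example runs anywhere.

```python
"""Verify (and, if needed, restore) Windows File Protection targets from
system32\\dllcache by hash.  Added example in the spirit of the FCopy:: step
above; it is not ComboFix code."""
import hashlib
import os
import shutil
import tempfile

# Assumption: a short list of system32 executables that file infectors commonly
# patch. userinit.exe is the file flagged in this thread; the rest are illustrative.
WATCHED = ("userinit.exe", "winlogon.exe", "lsass.exe")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(system32, names=WATCHED):
    """Return {name: 'match' | 'MISMATCH' | 'missing'} for each watched file.

    A mismatch only says the live copy differs from the protected copy; it is
    a lead to scan both files, not proof that either one is clean or infected.
    """
    cache = os.path.join(system32, "dllcache")
    results = {}
    for name in names:
        live = os.path.join(system32, name)
        backup = os.path.join(cache, name)
        if not (os.path.isfile(live) and os.path.isfile(backup)):
            results[name] = "missing"
        elif sha256_of(live) == sha256_of(backup):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def restore_from_dllcache(system32, name):
    """Overwrite system32\\<name> with its dllcache twin, as the FCopy:: line
    does; call it only after the dllcache copy has itself been checked."""
    src = os.path.join(system32, "dllcache", name)
    dst = os.path.join(system32, name)
    shutil.copy2(src, dst)
    return sha256_of(dst)


def build_demo_system32():
    """Constructed fixture: a throwaway 'system32' in which userinit.exe has
    been patched (bytes appended) while its dllcache twin is intact."""
    root = tempfile.mkdtemp(prefix="fake_system32_")
    os.mkdir(os.path.join(root, "dllcache"))
    clean = {"userinit.exe": b"MZ" + b"\x00" * 64 + b"clean userinit",
             "winlogon.exe": b"MZ" + b"\x00" * 64 + b"clean winlogon"}
    for name, data in clean.items():
        with open(os.path.join(root, "dllcache", name), "wb") as f:
            f.write(data)
        patched = data + (b"\x90" * 16 if name == "userinit.exe" else b"")
        with open(os.path.join(root, name), "wb") as f:
            f.write(patched)
    return root


if __name__ == "__main__":
    fake = build_demo_system32()
    print("before:", compare_with_dllcache(fake))
    restore_from_dllcache(fake, "userinit.exe")
    print("after: ", compare_with_dllcache(fake))
```

A match only shows that the two copies are identical; the dllcache copy can itself be infected, which is why it was sent to VirusTotal first (0 detections in the reply above) before being copied over. On a real machine point it at %SystemRoot%\system32 from an administrator account; the fixture exists only so the example runs offline.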

#13 Yps

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Female
  • Location:India

Posted 18 February 2009 - 08:58 AM

I have attached the log files to this post as directed by you.
Best regards,
Yps


#14 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 18 February 2009 - 09:00 AM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#15 Yps

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Female
  • Location:India

Posted 18 February 2009 - 01:11 PM

Here is the resultant log of MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.1.2600 Service Pack 2

18/02/2009 11:39:04 PM
mbam-log-2009-02-18 (23-39-04).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 228320
Time elapsed: 1 hour(s), 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\evgmqxuy.dat.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

Best regards,
Yps



