Old removal of Vundo possibly still lurking


7 replies to this topic

#1 BaloErets

BaloErets

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 29 April 2009 - 06:46 PM

Had the famous Vundo virus which I removed on my own, or at least did the best that I could. I was unaware that there were heroes such as yourselves that would take the time to help out people like us. My Antivirus/Malware scanner always finds something new on each scan. Firefox is recently freezing up on startup, which it never did. System is often freezing, which never happened either. I've noticed an increase in the CPU usage of the csrss.exe process when Firefox starts up. The Firewall is enabled on my connection, yet disabled on the router. Wasn't sure what would be the best setup for the firewall.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Attaboy at 19:35:10.85 on 29/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.610 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Attaboy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Attaboy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [FG_Monitor] c:\program files\folder guard pro\FGKey.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
StartupFolder: c:\docume~1\attaboy\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: MaxRecentDocs = 15 (0xf)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240980618125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {8D1BDE92-4F69-4058-8737-199FD4A8AAB2} = 206.248.154.22 206.248.154.170
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\attaboy\applic~1\mozilla\firefox\profiles\zoggh8oo.default\
FF - prefs.js: browser.startup.homepage - hxxp://btjunkie.org/|http://www.kvraudio.com/forum/index.php?sid=577e9a69be0da499d6c82dbd66530d7c|http://www.dpreview.com/|http://forum.audionews.ru/|http://forum.gfxnews.ru/|http://www.demonoid.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\attaboy\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\attaboy\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

============= SERVICES / DRIVERS ===============

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-12-9 57344]
R2 FGUARD32;FGUARD32;c:\program files\folder guard pro\FGUARD32.SYS [2009-3-4 54008]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-7-30 3406120]
R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [2002-12-3 6464]
R3 automap;Automap MIDI Driver Service;c:\windows\system32\drivers\automap.sys [2008-7-29 7168]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-7-31 33792]
R3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [2009-4-9 186368]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-7-30 15656]
S1 4f143ef4;4f143ef4;c:\windows\system32\drivers\4f143ef4.sys --> c:\windows\system32\drivers\4f143ef4.sys [?]
S3 ffSaffireLE_1394;ffSaffireLE_1394;c:\windows\system32\drivers\ffSaffireLE_1394.sys [2008-11-11 116736]
S3 ffSaffireLE_avs;ffSaffireLE_avs;c:\windows\system32\drivers\ffSaffireLE_avs.sys [2008-11-11 44544]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [2008-7-29 27648]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-4 2176]
S3 RDID1032;Roland GI-20;c:\windows\system32\drivers\rdwm1032.sys [2008-7-30 60698]

=============== Created Last 30 ================

2009-04-29 01:03 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-04-29 00:54 <DIR> --d----- c:\windows\system32\PreInstall
2009-04-29 00:50 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-29 00:43 <DIR> --dsh--- c:\documents and settings\attaboy\IECompatCache
2009-04-29 00:41 <DIR> --dsh--- c:\documents and settings\attaboy\PrivacIE
2009-04-29 00:31 <DIR> -cd-h--- c:\windows\ie8
2009-04-29 00:02 <DIR> --dsh--- c:\documents and settings\attaboy\IETldCache
2009-04-27 22:21 <DIR> --d----- c:\program files\microsia
2009-04-22 15:11 <DIR> --d----- c:\docume~1\attaboy\applic~1\Red Alert 3
2009-04-21 17:33 <DIR> --d----- c:\docume~1\attaboy\applic~1\Ableton
2009-04-21 17:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ableton
2009-04-21 16:49 <DIR> --d----- c:\docume~1\attaboy\applic~1\UseNeXT
2009-04-21 16:48 <DIR> --d----- c:\program files\UseNeXT
2009-04-21 14:40 <DIR> --d----- c:\docume~1\attaboy\applic~1\Forte
2009-04-21 14:40 <DIR> --d----- c:\program files\Agent
2009-04-21 14:16 <DIR> --d----- c:\docume~1\attaboy\applic~1\GrabIt
2009-04-16 02:19 17 a------- c:\windows\ntsautodial.ini
2009-04-16 02:19 159,552 a------- c:\windows\system32\drivers\ntspppoe.sys
2009-04-16 02:19 <DIR> --d----- c:\program files\teksavvy.com
2009-04-15 23:14 <DIR> --d-h--- c:\program files\Zero G Registry
2009-04-15 23:14 <DIR> --d-h--- c:\documents and settings\attaboy\InstallAnywhere
2009-04-15 23:13 <DIR> --d----- c:\program files\MoveOnBoot
2009-04-15 23:13 <DIR> --d----- c:\program files\GiPo@Utilities
2009-04-15 23:13 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-04-15 23:13 <DIR> --d----- c:\program files\Yamicsoft
2009-04-12 23:02 <DIR> --d----- c:\program files\Atrise
2009-04-12 20:56 <DIR> --d----- c:\docume~1\attaboy\applic~1\Digital Film Tools
2009-04-12 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digital Film Tools
2009-04-12 20:53 <DIR> --d----- c:\program files\55mm
2009-04-12 11:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ACD Systems
2009-04-10 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spectrasonics
2009-04-09 23:31 2,508,646 a------- c:\windows\system32\fwfmdio.dll
2009-04-09 23:30 <DIR> --d----- c:\program files\M-Audio

==================== Find3M ====================

2009-04-29 16:35 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-04-29 16:35 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-04-27 16:59 186,368 a------- c:\windows\system32\drivers\mafw.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-04 19:52 1,700,352 a------- c:\windows\system32\gdiplus.dll
2009-02-28 19:32 23,348 a------- c:\windows\system32\emptyregdb.dat
2009-02-06 13:46 149,751 a------- c:\windows\Curvemeister_3 Uninstaller.exe
2008-10-24 23:46 24,640 a------- c:\program files\common files\security
2008-08-13 17:35 1,786 a------- c:\program files\uninstal.log

============= FINISH: 19:35:42.28 ===============


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,804 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:08 PM

Posted 11 May 2009 - 10:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 BaloErets

BaloErets
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 12 May 2009 - 12:50 AM

I would still very much appreciate someone taking a look at my situation. As I mentioned, I did most of the removal manually, and I'm still doubting the success of my actions. Here's my new DDS log, along with the attached attach.txt.

Thanks again.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Attaboy at 1:40:31.54 on 12/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.793 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Documents and Settings\Attaboy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\onOne Software\Plug-in Suite 4\Register Plug-in Suite 4.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Attaboy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [Google Update] "c:\documents and settings\attaboy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [FG_Monitor] c:\program files\folder guard pro\FGKey.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRunOnce: [InstallShieldSetup] c:\progra~1\instal~1\{c3290~1\setup.exe -rebootc:\progra~1\instal~1\{c3290~1\reboot.ini -l0x0009
StartupFolder: c:\docume~1\attaboy\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\attaboy\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: MaxRecentDocs = 15 (0xf)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240980618125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\attaboy\applic~1\mozilla\firefox\profiles\zoggh8oo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kvraudio.com/forum/index.php?sid=577e9a69be0da499d6c82dbd66530d7c|http://www.dpreview.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\attaboy\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\attaboy\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

============= SERVICES / DRIVERS ===============

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-12-9 57344]
R2 FGUARD32;FGUARD32;c:\program files\folder guard pro\FGUARD32.SYS [2009-3-4 54008]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-7-30 3406120]
R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [2002-12-3 6464]
R3 automap;Automap MIDI Driver Service;c:\windows\system32\drivers\automap.sys [2008-7-29 7168]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2008-7-31 33792]
R3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [2009-4-9 186368]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-7-30 15656]
S1 4f143ef4;4f143ef4;c:\windows\system32\drivers\4f143ef4.sys --> c:\windows\system32\drivers\4f143ef4.sys [?]
S3 ffSaffireLE_1394;ffSaffireLE_1394;c:\windows\system32\drivers\ffSaffireLE_1394.sys [2008-11-11 116736]
S3 ffSaffireLE_avs;ffSaffireLE_avs;c:\windows\system32\drivers\ffSaffireLE_avs.sys [2008-11-11 44544]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [2008-7-29 27648]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-4 2176]
S3 RDID1032;Roland GI-20;c:\windows\system32\drivers\rdwm1032.sys [2008-7-30 60698]

=============== Created Last 30 ================

2009-05-11 20:06 227,840 a------- c:\windows\system32\Deco_32.dll
2009-05-11 20:06 <DIR> --d----- c:\program files\common files\onOne Software Shared
2009-05-11 20:03 57,344 a------- c:\windows\system32\ASTSf1f.rra
2009-05-11 19:53 268 a---h--- C:\sqmdata00.sqm
2009-05-11 19:53 244 a---h--- C:\sqmnoopt00.sqm
2009-05-09 22:13 25 a------- c:\windows\popcinfot.dat
2009-05-09 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap Games
2009-05-02 01:41 61,440 a------- c:\windows\system32\digitbox.ocx
2009-05-02 01:41 <DIR> --d----- c:\program files\Alarm
2009-05-02 01:16 <DIR> --d----- c:\program files\Goodnight Timer
2009-05-01 01:23 16 a------- c:\windows\system32\msvcsv60.dll
2009-04-30 16:08 <DIR> --d----- c:\program files\TheWeatherNetwork
2009-04-29 01:03 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-04-29 00:54 <DIR> --d----- c:\windows\system32\PreInstall
2009-04-29 00:50 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-29 00:43 <DIR> --dsh--- c:\documents and settings\attaboy\IECompatCache
2009-04-29 00:41 <DIR> --dsh--- c:\documents and settings\attaboy\PrivacIE
2009-04-29 00:31 <DIR> -cd-h--- c:\windows\ie8
2009-04-29 00:02 <DIR> --dsh--- c:\documents and settings\attaboy\IETldCache
2009-04-27 22:21 <DIR> --d----- c:\program files\microsia
2009-04-22 15:11 <DIR> --d----- c:\docume~1\attaboy\applic~1\Red Alert 3
2009-04-21 17:33 <DIR> --d----- c:\docume~1\attaboy\applic~1\Ableton
2009-04-21 17:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ableton
2009-04-21 16:49 <DIR> --d----- c:\docume~1\attaboy\applic~1\UseNeXT
2009-04-21 16:48 <DIR> --d----- c:\program files\UseNeXT
2009-04-21 14:40 <DIR> --d----- c:\docume~1\attaboy\applic~1\Forte
2009-04-21 14:40 <DIR> --d----- c:\program files\Agent
2009-04-21 14:16 <DIR> --d----- c:\docume~1\attaboy\applic~1\GrabIt
2009-04-16 02:19 17 a------- c:\windows\ntsautodial.ini
2009-04-16 02:19 159,552 a------- c:\windows\system32\drivers\ntspppoe.sys
2009-04-16 02:19 <DIR> --d----- c:\program files\teksavvy.com
2009-04-15 23:14 <DIR> --d-h--- c:\program files\Zero G Registry
2009-04-15 23:14 <DIR> --d-h--- c:\documents and settings\attaboy\InstallAnywhere
2009-04-15 23:13 <DIR> --d----- c:\program files\MoveOnBoot
2009-04-15 23:13 <DIR> --d----- c:\program files\GiPo@Utilities
2009-04-15 23:13 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-04-15 23:13 <DIR> --d----- c:\program files\Yamicsoft
2009-04-12 23:02 <DIR> --d----- c:\program files\Atrise
2009-04-12 20:56 <DIR> --d----- c:\docume~1\attaboy\applic~1\Digital Film Tools
2009-04-12 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digital Film Tools
2009-04-12 20:53 <DIR> --d----- c:\program files\55mm

==================== Find3M ====================

2009-05-09 23:30 186,368 a------- c:\windows\system32\drivers\mafw.sys
2009-05-09 08:49 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-05-09 08:49 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-04 19:52 1,700,352 a------- c:\windows\system32\gdiplus.dll
2009-02-28 19:32 23,348 a------- c:\windows\system32\emptyregdb.dat
2008-10-24 23:46 24,640 a------- c:\program files\common files\security
2008-08-13 17:35 1,786 a------- c:\program files\uninstal.log

============= FINISH: 1:41:07.31 ===============

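A defender-side triage helper, added here as an example and not part of the thread or of the DDS tool: it parses lines in the shape of the SERVICES / DRIVERS section above and lists the entries a helper would want to look at first, namely those DDS printed with `[?]` instead of a date and size, and those whose service name is a bare hex string. The sample lines are constructed to mirror the posted log, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the shape of the "SERVICES / DRIVERS"
# section of the DDS logs posted in this thread (not copied verbatim).
SAMPLE_DDS_SERVICES = r"""
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-12-9 57344]
R3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [2009-4-9 186368]
S1 4f143ef4;4f143ef4;c:\windows\system32\drivers\4f143ef4.sys --> c:\windows\system32\drivers\4f143ef4.sys [?]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-4 2176]
"""

# Line shape: "R2 NAME;DESCRIPTION;PATH [DATE SIZE]"  or  "... PATH --> PATH [?]"
_LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$"
)
_STAMP_RE = re.compile(
    r"^(?P<path>.*?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
_UNKNOWN_RE = re.compile(r"^(?P<path>.*?)\s+\[\?\]$")
_HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_dds_services(text: str) -> List[Dict[str, object]]:
    """Turn the section's lines into records; lines that do not fit are skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        stamped = _STAMP_RE.match(rest)
        unknown = _UNKNOWN_RE.match(rest)
        if stamped:
            path, date, size = stamped.group("path"), stamped.group("date"), int(stamped.group("size"))
            verified = True
        elif unknown:
            path, date, size = unknown.group("path"), None, None
            verified = False
        else:
            continue
        # DDS prints "declared --> resolved" when the two differ; keep the resolved path.
        if " --> " in path:
            path = path.split(" --> ")[-1]
        entries.append({
            "state": m.group("state"),        # R or S, exactly as DDS prints it
            "start": int(m.group("start")),   # start-type digit, kept as printed
            "name": m.group("name").strip(),
            "desc": m.group("desc").strip(),
            "path": path.lower(),
            "date": date,
            "size": size,
            "verified": verified,             # False when DDS showed "[?]"
        })
    return entries


def flag_for_review(entries: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries a helper would want to examine first."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if not e["verified"]:
            reasons.append("no date/size recorded ([?]): the file could not be examined")
        if _HEX_NAME_RE.match(str(e["name"])):
            reasons.append("service name is a bare 8-digit hex string")
        # Only a corroborating note: plenty of legitimate drivers repeat their name.
        if reasons and e["desc"] == e["name"]:
            reasons.append("description merely repeats the name")
        if reasons:
            flagged.append((str(e["name"]), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_for_review(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(name, "->", "; ".join(reasons))
```

Run it over the SERVICES / DRIVERS block of a real DDS log to get a short list to check by hand; it sorts nothing by itself and makes no verdict.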

#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:08 PM

Posted 15 May 2009 - 10:34 AM

Hello BaloErets and thank you for your patience,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 BaloErets

BaloErets
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 15 May 2009 - 02:58 PM

Thanks for taking a look. Wasn't sure if you wanted the file itself, or just a copy/paste of the text, so I did both. I realize that it comes out to the same thing in the end, yet maybe it's easier for you to work with a .txt file.


ComboFix 09-05-15.01 - Attaboy 15/05/2009 15:46.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.961 [GMT -4:00]
Running from: c:\documents and settings\Attaboy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 15:18 . 2009-05-14 15:18 -------- d-----w c:\program files\Algodoo Phun Edition
2009-05-14 02:24 . 2009-05-15 02:06 -------- d-----w c:\documents and settings\Attaboy\Application Data\SolidWorks 2008
2009-05-14 02:13 . 2009-05-15 02:29 -------- d-----w c:\documents and settings\Attaboy\Application Data\SolidWorks
2009-05-14 02:02 . 2009-05-14 02:02 -------- d-----w c:\program files\SolidWorks Viewer
2009-05-14 01:03 . 2009-05-14 01:03 -------- d-----w c:\documents and settings\Attaboy\Application Data\DWGeditor
2009-05-14 00:52 . 2008-02-22 17:37 8704 ----a-w c:\windows\system32\ibfs32.dll
2009-05-14 00:37 . 2009-05-15 01:57 -------- d-----w c:\program files\Common Files\SolidWorks Shared
2009-05-14 00:36 . 2009-05-15 01:39 -------- d-----w c:\program files\Common Files\eDrawings2008
2009-05-14 00:36 . 2009-05-14 00:36 -------- d-----w c:\documents and settings\All Users\Application Data\SolidWorks
2009-05-14 00:32 . 2009-05-14 00:32 -------- d-----w c:\program files\MSECache
2009-05-12 06:32 . 2009-05-12 06:32 -------- d-----w c:\documents and settings\Attaboy\Application Data\Mask Pro 4.0
2009-05-12 00:06 . 2009-02-13 15:35 227840 ----a-w c:\windows\system32\Deco_32.dll
2009-05-12 00:06 . 2009-05-12 00:06 -------- d-----w c:\program files\Common Files\onOne Software Shared
2009-05-10 02:13 . 2009-05-13 17:30 25 ----a-w c:\windows\popcinfot.dat
2009-05-10 02:13 . 2009-05-10 02:13 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-07 22:00 . 2009-05-07 22:00 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-02 05:41 . 2009-05-02 05:41 -------- d-----w c:\program files\Alarm
2009-05-02 05:16 . 2009-05-02 05:16 -------- d-----w c:\program files\Goodnight Timer
2009-04-30 20:08 . 2009-04-30 20:08 -------- d-----w c:\program files\TheWeatherNetwork
2009-04-30 00:37 . 2009-04-30 00:37 -------- d-----w c:\program files\ERUNT
2009-04-29 05:03 . 2009-04-29 05:03 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-29 04:43 . 2009-04-29 04:43 -------- d-sh--w c:\documents and settings\Attaboy\IECompatCache
2009-04-29 04:41 . 2009-04-29 04:41 -------- d-sh--w c:\documents and settings\Attaboy\PrivacIE
2009-04-29 04:31 . 2009-04-29 04:31 -------- dc-h--w c:\windows\ie8
2009-04-29 04:02 . 2009-04-29 04:02 -------- d-sh--w c:\documents and settings\Attaboy\IETldCache
2009-04-28 02:21 . 2009-04-28 02:21 -------- d-----w c:\program files\microsia
2009-04-21 18:40 . 2009-04-21 18:40 -------- d-----w c:\documents and settings\Attaboy\Application Data\Forte
2009-04-21 18:40 . 2009-04-21 18:40 -------- d-----w c:\program files\Agent
2009-04-21 18:16 . 2009-04-21 18:20 -------- d-----w c:\documents and settings\Attaboy\Application Data\GrabIt
2009-04-16 06:19 . 2001-08-03 15:32 159552 ----a-w c:\windows\system32\drivers\ntspppoe.sys
2009-04-16 06:19 . 2009-04-16 06:19 -------- d-----w c:\program files\teksavvy.com
2009-04-16 03:14 . 2009-04-16 03:14 -------- d--h--w c:\program files\Zero G Registry
2009-04-16 03:14 . 2009-04-16 03:14 -------- d--h--w c:\documents and settings\Attaboy\InstallAnywhere
2009-04-16 03:13 . 2009-04-16 03:13 -------- d-----w c:\program files\Common Files\Gibinsoft Shared
2009-04-16 03:13 . 2009-04-16 03:13 -------- d-----w c:\program files\GiPo@Utilities
2009-04-16 03:13 . 2009-04-16 03:13 -------- d-----w c:\program files\MoveOnBoot
2009-04-16 03:13 . 2009-04-16 03:13 -------- d-----w c:\program files\Yamicsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:29 . 2008-12-13 21:50 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-15 18:29 . 2008-12-13 21:50 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-05-14 02:26 . 2009-02-14 20:49 2429016 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-14 02:14 . 2008-07-30 03:38 232824 ----a-w c:\documents and settings\Attaboy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 00:07 . 2008-08-01 01:35 -------- d-----w c:\program files\onOne Software
2009-05-12 00:03 . 2008-07-30 03:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-10 03:30 . 2009-04-10 03:31 186368 ----a-w c:\windows\system32\drivers\mafw.sys
2009-05-05 23:28 . 2009-03-04 21:12 -------- d-----w c:\program files\Folder Guard Pro
2009-05-02 05:18 . 2008-08-06 17:33 -------- d-----w c:\program files\Common Files\ACD Systems
2009-05-01 05:35 . 2008-08-06 00:25 208 ----a-w c:\windows\msocreg32.dat
2009-04-30 22:49 . 2008-07-30 09:15 -------- d-----w c:\program files\Google
2009-04-29 04:26 . 2008-12-23 02:03 -------- d-----w c:\program files\QuickTime
2009-04-23 19:41 . 2009-03-02 17:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 03:02 . 2009-04-13 03:02 -------- d-----w c:\program files\Atrise
2009-04-13 00:55 . 2009-04-13 00:53 -------- d-----w c:\program files\55mm
2009-04-12 20:58 . 2009-03-19 20:27 -------- d-----w c:\program files\DynamicPhotoHDR4
2009-04-12 20:46 . 2008-08-21 03:35 -------- d-----w c:\program files\Sonnox
2009-04-12 20:46 . 2008-08-21 03:26 -------- d-----w c:\program files\FabFilter
2009-04-12 20:46 . 2008-11-18 05:47 -------- d-----w c:\program files\Image-Line
2009-04-12 20:46 . 2008-07-30 12:59 -------- d-----w c:\program files\Tablet
2009-04-12 20:45 . 2008-08-21 03:32 -------- d-----w c:\program files\PSPaudioware
2009-04-12 20:45 . 2008-09-17 22:28 -------- d-----w c:\program files\GCFScape
2009-04-12 20:45 . 2008-08-05 16:38 -------- d-----w c:\program files\u-he
2009-04-12 20:45 . 2008-08-17 16:59 -------- d-----w c:\program files\SoulseekNS
2009-04-12 20:45 . 2008-07-31 19:05 -------- d-----w c:\program files\FocalBlade
2009-04-12 20:45 . 2008-10-25 03:13 -------- d-----w c:\program files\AESTESIS
2009-04-12 20:45 . 2008-11-18 05:53 -------- d-----w c:\program files\KeyToSound
2009-04-12 20:45 . 2008-07-31 02:14 -------- d-----w c:\program files\Bonjour
2009-04-12 20:45 . 2008-07-31 17:49 -------- d-----w c:\program files\AKVIS
2009-04-12 20:18 . 2008-07-31 00:00 -------- d-----w c:\program files\PowerISO
2009-04-12 20:18 . 2009-01-12 23:08 -------- d-----w c:\program files\Propellerhead
2009-04-12 20:17 . 2008-08-11 02:25 -------- d-----w c:\program files\MagicISO
2009-04-12 20:17 . 2008-11-18 05:50 -------- d-----w c:\program files\Koblo
2009-04-12 20:17 . 2008-07-31 04:01 -------- d-----w c:\program files\Syncrosoft
2009-04-12 20:17 . 2008-07-31 00:55 -------- d-----w c:\program files\Logitech
2009-04-12 20:17 . 2008-07-30 09:15 -------- d-----w c:\program files\NOS
2009-04-12 20:17 . 2008-08-12 04:41 -------- d-----w c:\program files\Spectrasonics
2009-04-12 20:17 . 2008-10-01 16:24 -------- d-----w c:\program files\QuickMonitorProfile
2009-04-12 20:17 . 2009-02-11 05:15 -------- d-----w c:\program files\Reallusion
2009-04-10 03:30 . 2009-04-10 03:30 -------- d-----w c:\program files\M-Audio
2009-04-06 19:32 . 2009-03-02 17:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-02 17:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 17:54 . 2009-03-21 17:51 -------- d-----w c:\program files\Driver Sweeper
2009-03-19 20:52 . 2009-03-19 20:52 -------- d-----w c:\program files\Realtek AC97
2009-03-19 20:47 . 2009-03-19 20:47 -------- d-----w c:\program files\g200kg
2009-03-19 20:35 . 2009-03-19 20:33 -------- d-----w c:\program files\Artizen HDR 2.7
2009-03-19 20:33 . 2009-03-19 20:28 -------- d-----w c:\program files\easyHDR
2009-03-19 19:31 . 2009-03-19 19:31 -------- d-----w c:\program files\ACD Systems
2009-03-19 15:54 . 2009-03-19 15:54 -------- d-----w c:\program files\Common Files\Logitech
2009-03-08 08:34 . 2004-08-04 05:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-04 05:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-04 05:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-04 05:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-04 05:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-04 05:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-04 05:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-04 05:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-04 05:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-04 23:52 . 2009-03-04 23:52 1700352 ----a-w c:\windows\system32\gdiplus.dll
2009-02-28 23:32 . 2008-07-30 03:15 23348 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-24 23:42 . 2008-08-11 02:28 116736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2008-10-25 03:46 . 2008-10-25 03:26 24640 ----a-w c:\program files\Common Files\security
2008-08-13 21:35 . 2008-08-13 21:35 1786 ----a-w c:\program files\uninstal.log
2009-02-11 05:15 . 2009-02-11 05:15 81 --sha-r c:\windows\FFSSET.BIN
.

((((((((((((((((((((((((((((( SnapShot_2009-04-29_07.12.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 18:29 . 2009-05-15 18:29 16384 c:\windows\temp\Perflib_Perfdata_750.dat
+ 2007-08-22 00:46 . 2007-08-22 00:46 59160 c:\windows\system32\zlib.dll
+ 2007-07-31 01:19 . 2008-10-16 18:09 43544 c:\windows\system32\wups2.dll
+ 2008-07-30 03:15 . 2008-10-16 18:08 34328 c:\windows\system32\wups.dll
+ 2009-05-10 03:30 . 2004-08-04 06:05 23552 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\wdmaud.drv
- 2009-04-27 20:59 . 2004-08-04 06:05 23552 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\wdmaud.drv
- 2009-04-27 20:59 . 2004-08-04 03:08 48640 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\stream.sys
+ 2009-05-10 03:30 . 2004-08-04 03:08 48640 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\stream.sys
+ 2009-05-10 03:30 . 2004-08-04 03:08 60288 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\drmk.sys
- 2009-04-27 20:59 . 2004-08-04 03:08 60288 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\drmk.sys
+ 2000-04-03 21:52 . 2000-04-03 21:52 94208 c:\windows\system32\msstkprp.dll
+ 1998-10-20 23:05 . 1998-10-20 23:05 54784 c:\windows\system32\Inetwh32.dll
+ 2008-07-30 03:15 . 2008-10-16 18:08 34328 c:\windows\system32\dllcache\wups.dll
- 2008-12-09 21:01 . 2008-11-11 23:23 57344 c:\windows\system32\ASTSRV.EXE
+ 2008-12-09 21:01 . 2009-02-13 15:38 57344 c:\windows\system32\ASTSRV.EXE
+ 2009-05-15 01:31 . 2009-05-15 01:31 40960 c:\windows\Installer\{FED8A261-FE64-416D-ADDD-3EA1173D3D2D}\NewShortcut2_2FDF6F4A18924ADEABF68EF440EC9254.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut3_2723AB6ADE8640EEAA77EC7E47C4DF34.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut3.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut2.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut2.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut1.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\NewShortcut1.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-15 01:43 . 2009-05-15 02:02 61440 c:\windows\Installer\{F039B2AE-4D0B-4806-89B6-9645F4DD3FDA}\ARPPRODUCTICON.exe
+ 2009-05-15 01:40 . 2009-05-15 01:40 19790 c:\windows\Installer\{E69411C0-8D66-4F9C-B6D6-9ED2FB89D0E4}\eModelViewer1.exe
+ 2009-05-15 01:40 . 2009-05-15 01:40 91648 c:\windows\Installer\{E69411C0-8D66-4F9C-B6D6-9ED2FB89D0E4}\eModelViewer.exe
+ 2009-05-14 02:02 . 2009-05-14 02:02 61440 c:\windows\Installer\{CCBFCA70-D1B3-48A7-9504-8D149DD39658}\NewShortcut4_9D476422816D4D9D9C5BF92FD1B36102.exe
+ 2009-05-14 02:02 . 2009-05-14 02:02 19790 c:\windows\Installer\{CCBFCA70-D1B3-48A7-9504-8D149DD39658}\ARPPRODUCTICON.exe
+ 2009-05-14 01:03 . 2009-05-14 01:59 61440 c:\windows\Installer\{A8567E18-9E80-4EA3-A5C1-A6186C86F2CC}\NewShortcut3.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-14 01:03 . 2009-05-14 01:59 61440 c:\windows\Installer\{A8567E18-9E80-4EA3-A5C1-A6186C86F2CC}\NewShortcut2.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-14 01:03 . 2009-05-14 01:59 61440 c:\windows\Installer\{A8567E18-9E80-4EA3-A5C1-A6186C86F2CC}\NewShortcut1.11CCDA48_0F59_4209_ACA1_FCDB865558EA.exe
+ 2009-05-14 00:54 . 2009-05-14 00:54 91648 c:\windows\Installer\{40345A8F-3B72-44DE-814F-72E8A52B1161}\eModelViewer.exe
+ 2009-05-14 01:44 . 2009-05-14 01:44 40960 c:\windows\Installer\{3E5E0DD2-6904-43DF-8713-10D27C0382B1}\NewShortcut4_44D8AEC8F136484FAF16133810C0ADAF.exe
+ 2009-05-14 01:44 . 2009-05-14 01:44 19790 c:\windows\Installer\{3E5E0DD2-6904-43DF-8713-10D27C0382B1}\NewShortcut11_9E93391AC74A491B9E7DAE979F039521.exe
+ 2009-05-14 01:44 . 2009-05-14 01:44 40960 c:\windows\Installer\{3E5E0DD2-6904-43DF-8713-10D27C0382B1}\NewShortcut1_44D8AEC8F136484FAF16133810C0ADAF.exe
+ 2009-05-14 01:44 . 2009-05-14 01:44 19790 c:\windows\Installer\{3E5E0DD2-6904-43DF-8713-10D27C0382B1}\ARPPRODUCTICON.exe
+ 2009-05-15 01:27 . 2009-05-15 01:27 53248 c:\windows\Installer\{33BAD028-D921-4A9E-8004-89B11E413C6C}\NewShortcut34_792F51F9C200445DAC7A15C2F082A715.exe
+ 2009-05-15 01:27 . 2009-05-15 01:27 40960 c:\windows\Installer\{33BAD028-D921-4A9E-8004-89B11E413C6C}\NewShortcut1_792F51F9C200445DAC7A15C2F082A715.exe
+ 2009-05-15 01:38 . 2009-05-15 01:38 61440 c:\windows\Installer\{33A9C38A-E3CC-4077-9E24-CBEFCFA76EFA}\DWGEditorEnNo1_C1A7EF455E1B4799AB173C52D9FB3A0E.exe
+ 2009-05-15 01:38 . 2009-05-15 01:38 61440 c:\windows\Installer\{33A9C38A-E3CC-4077-9E24-CBEFCFA76EFA}\DWGEditorEnNo_D0220928AF1811D3AEA400C04F79FCDD.exe
+ 2009-05-15 01:38 . 2009-05-15 01:38 61440 c:\windows\Installer\{33A9C38A-E3CC-4077-9E24-CBEFCFA76EFA}\DWGEditor1_C1A7EF455E1B4799AB173C52D9FB3A0E.exe
+ 2009-05-15 01:38 . 2009-05-15 01:38 61440 c:\windows\Installer\{33A9C38A-E3CC-4077-9E24-CBEFCFA76EFA}\DWGEditor_D0220928AF1811D3AEA400C04F79FCDD.exe
+ 2009-05-15 01:38 . 2009-05-15 01:38 61440 c:\windows\Installer\{33A9C38A-E3CC-4077-9E24-CBEFCFA76EFA}\ARPPRODUCTICON.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 61440 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\swScheduler.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 40960 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\swlmwizard.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 61440 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\SldConverter.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 61440 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\i386_SldWorks.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 65536 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\i386_SldRxexeSE_D0220928AF1811D3AEA400C04F79FCDD.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 65536 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\i386_SldRxexeSDK_D0220928AF1811D3AEA400C04F79FCDD.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 65536 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\i386_SldRx.exe
+ 2009-05-15 01:58 . 2009-05-15 01:58 65536 c:\windows\Installer\{266EB766-9ABB-40D0-AB9F-41EE46D23876}\CopyOptWiz.exe
- 2009-04-27 20:59 . 2004-08-04 04:56 4096 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\ksuser.dll
+ 2009-05-10 03:30 . 2004-08-04 04:56 4096 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\ksuser.dll
+ 2008-07-30 03:15 . 2008-10-16 18:12 561688 c:\windows\system32\wuapi.dll
+ 2004-08-04 05:56 . 2006-09-20 11:40 399360 c:\windows\system32\rpcss.dll
+ 1998-10-27 19:08 . 1998-10-27 19:08 317952 c:\windows\system32\roboex32.dll
+ 2009-05-10 03:30 . 2009-05-02 23:51 186368 c:\windows\system32\ReinstallBackups\0021\DriverFiles\mafw.sys
- 2009-04-27 20:59 . 2009-04-24 23:40 186368 c:\windows\system32\ReinstallBackups\0021\DriverFiles\mafw.sys
+ 2009-05-10 03:30 . 2004-08-04 03:15 145792 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\portcls.sys
- 2009-04-27 20:59 . 2004-08-04 03:15 145792 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\portcls.sys
- 2009-04-27 20:59 . 2004-08-04 03:15 140928 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\ks.sys
+ 2009-05-10 03:30 . 2004-08-04 03:15 140928 c:\windows\system32\ReinstallBackups\0021\DriverFiles\i386\ks.sys
+ 1997-10-01 22:09 . 1997-10-01 22:09 395776 c:\windows\system32\msfrt40.dll
+ 2009-05-14 00:40 . 2007-04-14 18:10 113536 c:\windows\system32\DRVSTORE\PhysX32_AF7F37E9A9915C11C74CCDC4D0974682050F02B7\physX32.sys
+ 2008-07-30 03:15 . 2008-10-16 18:12 561688 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-04 05:56 . 2006-09-20 11:40 399360 c:\windows\system32\dllcache\rpcss.dll
+ 2009-05-14 00:32 . 2009-05-14 00:32 217864 c:\windows\Installer\{90120000-00A4-0409-0000-0000000FF1CE}\misc.exe
+ 2009-04-30 03:14 . 2009-04-30 03:14 372736 c:\windows\erdnt\AutoBackup\29-04-2009\Users\00000002\UsrClass.dat
+ 2009-04-30 03:14 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\29-04-2009\ERDNT.EXE
+ 2009-05-15 13:54 . 2009-05-15 13:54 372736 c:\windows\erdnt\AutoBackup\15-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-15 13:54 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\15-05-2009\ERDNT.EXE
+ 2009-05-15 02:06 . 2009-05-15 02:06 372736 c:\windows\erdnt\AutoBackup\14-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-15 02:06 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\14-05-2009\ERDNT.EXE
+ 2009-05-14 02:29 . 2009-05-14 02:29 372736 c:\windows\erdnt\AutoBackup\13-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-14 02:29 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\13-05-2009\ERDNT.EXE
+ 2009-05-12 12:20 . 2009-05-12 12:20 372736 c:\windows\erdnt\AutoBackup\12-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-12 12:20 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\12-05-2009\ERDNT.EXE
+ 2009-05-09 13:10 . 2009-05-09 13:10 372736 c:\windows\erdnt\AutoBackup\09-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-09 13:10 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\09-05-2009\ERDNT.EXE
+ 2009-05-03 15:47 . 2009-05-03 15:47 372736 c:\windows\erdnt\AutoBackup\03-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-03 15:47 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\03-05-2009\ERDNT.EXE
+ 2009-05-02 13:18 . 2009-05-02 13:18 372736 c:\windows\erdnt\AutoBackup\02-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-02 13:18 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\02-05-2009\ERDNT.EXE
+ 2009-05-01 13:40 . 2009-05-01 13:40 372736 c:\windows\erdnt\AutoBackup\01-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-01 13:40 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\01-05-2009\ERDNT.EXE
+ 2009-04-30 00:38 . 2009-04-30 00:38 372736 c:\windows\erdnt\29-04-2009\Users\00000002\UsrClass.dat
+ 2009-04-30 00:38 . 2005-10-20 16:02 163328 c:\windows\erdnt\29-04-2009\ERDNT.EXE
+ 2009-05-14 00:32 . 2009-05-14 00:32 461616 c:\windows\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Owc11.dll
+ 2004-08-04 05:56 . 2006-09-20 11:40 1286656 c:\windows\system32\ole32.dll
+ 2008-07-29 20:04 . 2009-05-14 02:28 7529256 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 05:56 . 2006-09-20 11:40 1286656 c:\windows\system32\dllcache\ole32.dll
+ 2009-04-30 03:13 . 2009-04-30 03:14 22781952 c:\windows\erdnt\AutoBackup\29-04-2009\Users\00000001\ntuser.dat
+ 2009-05-15 13:54 . 2009-05-15 13:54 22781952 c:\windows\erdnt\AutoBackup\15-05-2009\Users\00000001\ntuser.dat
+ 2009-05-15 02:06 . 2009-05-15 02:06 22781952 c:\windows\erdnt\AutoBackup\14-05-2009\Users\00000001\ntuser.dat
+ 2009-05-14 02:29 . 2009-05-14 02:29 22781952 c:\windows\erdnt\AutoBackup\13-05-2009\Users\00000001\ntuser.dat
+ 2009-05-12 12:20 . 2009-05-12 12:20 22781952 c:\windows\erdnt\AutoBackup\12-05-2009\Users\00000001\ntuser.dat
+ 2009-05-09 13:10 . 2009-05-09 13:10 22781952 c:\windows\erdnt\AutoBackup\09-05-2009\Users\00000001\ntuser.dat
+ 2009-05-03 15:47 . 2009-05-03 15:47 22781952 c:\windows\erdnt\AutoBackup\03-05-2009\Users\00000001\ntuser.dat
+ 2009-05-02 13:18 . 2009-05-02 13:18 22781952 c:\windows\erdnt\AutoBackup\02-05-2009\Users\00000001\ntuser.dat
+ 2009-05-01 13:40 . 2009-05-01 13:40 22781952 c:\windows\erdnt\AutoBackup\01-05-2009\Users\00000001\ntuser.dat
+ 2009-04-30 00:38 . 2009-04-30 00:38 22781952 c:\windows\erdnt\29-04-2009\Users\00000001\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"Google Update"="c:\documents and settings\Attaboy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2008-01-05 118600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2007-10-24 245760]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Attaboy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-8-10 576000]
SolidWorks Task Scheduler Engine.lnk - j:\solid works 2008\swScheduler\swBOEngine.exe [2008-2-15 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-30 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"Midi1"= rddv1032.dll
"Midi2"= myokent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Attaboy^Start Menu^Programs^Startup^File-Ex.lnk]
path=c:\documents and settings\Attaboy\Start Menu\Programs\Startup\File-Ex.lnk
backup=c:\windows\pss\File-Ex.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Attaboy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Attaboy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"RRT-Auto"=c:\documents and settings\Attaboy\Desktop\RRT.exe auto
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero BackItUp\\BackItUp.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steinberg\\Cubase SX 3\\Cubasesx3.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
"f:\\Steam\\steamapps\\fac12\\garrysmod\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"g:\\Tiction v0.3.0\\Tiction.exe"=
"g:\\Dimple\\dimple-0.0.6-win32\\dimple.exe"=
"f:\\Games\\Mercs 2\\Mercenaries2.exe"=
"f:\\Steam\\steamapps\\fac12\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Steam\\steamapps\\common\\astropop deluxe\\WinAP.exe"=
"f:\\Steam\\steamapps\\common\\the wonderful end of the world\\main.exe"=
"f:\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"f:\\Steam\\steamapps\\common\\trials 2 second edition\\launcher.exe"=
"f:\\Steam\\steamapps\\common\\monster trucks nitro demo\\MonsterTrucksNitro.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"f:\\Steam\\steamapps\\common\\multiwinia\\multiwinia.exe"=
"f:\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Attaboy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Attaboy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"=
"c:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
"f:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54107:TCP"= 54107:TCP:UT TCP
"54107:UDP"= 54107:UDP:UT UDP
"6549:TCP"= 6549:TCP:SlSeek
"8426:TCP"= 8426:TCP:SoulS`
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"10000:TCP"= 10000:TCP:10000
"10001:TCP"= 10001:TCP:10001
"1000:UDP"= 1000:UDP:10000
"10001:UDP"= 10001:UDP:10001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [09/12/2008 5:01 PM 57344]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [04/03/2009 5:12 PM 54008]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;j:\solid works 2008\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [23/01/2008 6:37 PM 245760]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;j:\solid works 2008\COSMOS\FloWorks\binCFW\StandAloneSlv.exe [23/01/2008 6:37 PM 245760]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [30/07/2008 8:59 AM 3406120]
R2 TSKNF501.SYS;TSKNF501.SYS;c:\windows\system32\drivers\Tsknf501.sys [03/12/2002 12:57 AM 6464]
R3 automap;Automap MIDI Driver Service;c:\windows\system32\drivers\automap.sys [29/07/2008 10:09 PM 7168]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [31/07/2008 12:02 AM 33792]
R3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [09/04/2009 11:31 PM 186368]
R3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [29/07/2008 10:08 PM 27648]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [30/07/2008 8:59 AM 15656]
S1 4f143ef4;4f143ef4;c:\windows\system32\drivers\4f143ef4.sys --> c:\windows\system32\drivers\4f143ef4.sys [?]
S3 ffSaffireLE_1394;ffSaffireLE_1394;c:\windows\system32\drivers\ffSaffireLE_1394.sys [11/11/2008 10:00 PM 116736]
S3 ffSaffireLE_avs;ffSaffireLE_avs;c:\windows\system32\drivers\ffSaffireLE_avs.sys [11/11/2008 10:00 PM 44544]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [04/08/2004 1:56 AM 2176]
S3 RDID1032;Roland GI-20;c:\windows\system32\drivers\rdwm1032.sys [30/07/2008 9:21 PM 60698]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1647877149-725345543-1003.job
- c:\documents and settings\Attaboy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-27 05:10]

2009-05-13 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-06-29 12:47]

2009-05-10 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-06-29 12:47]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Attaboy\Application Data\Mozilla\Firefox\Profiles\zoggh8oo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kvraudio.com/forum/index.php?sid=577e9a69be0da499d6c82dbd66530d7c|http://www.dpreview.com/|http://forum.audionews.ru/|http://forum.gfxnews.ru/|http://www.demonoid.com/|http://btjunkie.org/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\documents and settings\Attaboy\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Attaboy\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\runonceex\0001]
@Denied: (A B C D 2) (Administrator)
@Denied: (A B C D 2) (LocalSystem)
@Denied: (A B C D 2) (Administrators)
"*FixWareOut"="c:\\WINDOWS\\system32\\cmd.exe /c c:\\fixwareout\\FindT\\XP-2K2.cmd"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\myokent.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\rddv1032.dll
c:\windows\system32\myokent.dll
.
Completion time: 2009-05-15 15:50
ComboFix-quarantined-files.txt 2009-05-15 19:49
ComboFix2.txt 2009-04-29 20:42
ComboFix3.txt 2009-04-29 07:14
ComboFix4.txt 2009-04-28 18:16
ComboFix5.txt 2009-05-15 18:15

Pre-Run: 10,042,740,736 bytes free
Post-Run: 10,034,479,104 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
455

Attached Files

  • Attached File  log.txt   37.46KB   0 downloads
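As an added defender-side example (not part of this thread or of ComboFix), here is a small Python parser for the "DLLs Loaded Under Running Processes" section of a ComboFix log like the one above; it groups modules by the process they were found in and flags any that are not on a vetted list, which is how the two unfamiliar system32 DLLs inside winlogon.exe and lsass.exe stand out. The log excerpt and the KNOWN_GOOD list are constructed for the example.

```python
import re

# Constructed excerpt shaped like ComboFix's "DLLs Loaded Under Running
# Processes" section (modelled on the log in this thread, not copied from it).
SAMPLE_LOG = """\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\\windows\\system32\\myokent.dll
c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll

- - - - - - - > 'lsass.exe'(768)
c:\\windows\\system32\\rddv1032.dll
.
Completion time: 2009-05-15 15:50
"""

SECTION = "DLLs Loaded Under Running Processes"
# Process header lines look like: - - - - - - - > 'winlogon.exe'(712)
HEADER_RE = re.compile(r"^[\- ]+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)\s*$")

# Assumed allowlist for illustration only: modules the analyst has already
# vetted. A real list would be built from hashes/publisher checks, not names.
KNOWN_GOOD = {"lbtwlgn.dll", "lbtserv.dll"}


def parse_loaded_dlls(log):
    """Return {process_name: [dll_path, ...]} for the section."""
    result, current, in_section = {}, None, False
    for line in log.splitlines():
        if SECTION in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":  # ComboFix closes each section with a lone dot
            break
        m = HEADER_RE.match(line)
        if m:
            current = m.group("proc").lower()
            result[current] = []
        elif current and line.strip():
            result[current].append(line.strip())
    return result


def suspicious_modules(loaded, known_good=KNOWN_GOOD):
    """(process, path) pairs for modules not on the vetted list."""
    hits = []
    for proc, dlls in loaded.items():
        for path in dlls:
            if path.rsplit("\\", 1)[-1].lower() not in known_good:
                hits.append((proc, path))
    return hits
```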


#6 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:08 PM

Posted 15 May 2009 - 09:57 PM

You're welcome.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text inside the code box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\runonceex\0001]

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 BaloErets

BaloErets
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 15 May 2009 - 10:03 PM

Thanks again.

I'll run the scan overnight, and post the results tomorrow.

#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:08 PM

Posted 15 May 2009 - 10:04 PM

That will be fine. I am subscribed to this thread so shall be notified when you reply.





