Suspicious Rootkit Activity


  • This topic is locked
23 replies to this topic

#1 paul02

paul02

  • Members
  • 31 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 03 February 2010 - 06:25 AM

New to this forum. I just know I was infected. iexplorer.exe keeps coming out when there is no IE open. My MSN Messenger.exe became msnmsgr .exe. I ran ComboFix but to no avail. BitDefender picks up a rootkit activity but it doesn't solve the issue (so much for it being the Top 1 AV).


Here is the log,


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2010 1:06:02 AM
System Uptime: 2/3/2010 6:42:27 PM (1 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7211
Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 775 | 2994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 64.152 GiB free.
D: is FIXED (NTFS) - 51 GiB total, 35.468 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SCSI Controller
Device ID: PCI\VEN_1191&DEV_8040&SUBSYS_80401191&REV_02\3&13C0B0C5&0&40
Manufacturer:
Name: SCSI Controller
PNP Device ID: PCI\VEN_1191&DEV_8040&SUBSYS_80401191&REV_02\3&13C0B0C5&0&40
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_B0101462&REV_60\3&13C0B0C5&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_B0101462&REV_60\3&13C0B0C5&0&8D
Service:

==== System Restore Points ===================

RP27: 1/4/2010 11:45:13 AM - Software Distribution Service 3.0
RP28: 1/4/2010 11:45:57 AM - Software Distribution Service 3.0
RP29: 1/4/2010 11:55:05 AM - Revo Uninstaller's restore point - Steam
RP30: 1/4/2010 11:55:12 AM - Software Distribution Service 3.0
RP31: 1/4/2010 12:08:09 PM - Software Distribution Service 3.0
RP32: 1/4/2010 12:15:49 PM - Software Distribution Service 3.0
RP33: 1/4/2010 12:35:40 PM - Installed Microsoft .NET Framework (English) v1.0.3705
RP34: 1/4/2010 12:37:35 PM - Installed Microsoft .NET Framework 1.1
RP35: 1/4/2010 1:36:04 PM - Installed Steam
RP36: 1/4/2010 7:42:09 PM - Installed Windows XP Wdf01007.
RP37: 1/4/2010 8:45:43 PM - Software Distribution Service 3.0
RP38: 1/4/2010 8:50:47 PM - Software Distribution Service 3.0
RP39: 1/4/2010 9:23:19 PM - Printer Driver Microsoft XPS Document Writer Installed
RP40: 1/4/2010 11:26:34 PM - Software Distribution Service 3.0
RP41: 1/5/2010 12:18:39 AM - Software Distribution Service 3.0
RP42: 1/5/2010 4:04:07 PM - Revo Uninstaller's restore point - Music Organizer 2.5.1
RP43: 1/5/2010 7:54:54 PM - Software Distribution Service 3.0
RP44: 1/6/2010 9:48:21 AM - Installed PTLens
RP45: 1/6/2010 11:46:59 AM - Installed Nero 9 4.4.9.0
RP46: 1/6/2010 5:28:54 PM - Software Distribution Service 3.0
RP47: 1/7/2010 12:54:30 AM - Installed QuickTime
RP48: 1/8/2010 12:38:29 AM - Installed Adobe Reader 9.2.
RP49: 1/8/2010 11:49:40 AM - Removed Nero 9 4.4.9.0
RP50: 1/8/2010 12:07:37 PM - Installed Nero - Burning Rom
RP51: 1/9/2010 9:38:10 AM - Removed Nero - Burning Rom
RP52: 1/9/2010 9:46:52 AM - Installed Nero 9 Lite 4.4.9.0
RP53: 1/10/2010 4:53:51 PM - System Checkpoint
RP54: 1/10/2010 10:38:32 PM - Revo Uninstaller's restore point - Ask Toolbar
RP55: 1/10/2010 10:39:30 PM - Revo Uninstaller's restore point - Ask Toolbar
RP56: 1/10/2010 10:40:13 PM - Removed Ask Toolbar.
RP57: 1/10/2010 10:41:43 PM - Revo Uninstaller's restore point - Nero 9 Lite
RP58: 1/10/2010 10:42:48 PM - Removed Nero 9 Lite 4.4.9.0
RP59: 1/10/2010 10:45:05 PM - Revo Uninstaller's restore point - Nero 9 Lite
RP60: 1/12/2010 1:39:23 AM - System Checkpoint
RP61: 1/13/2010 10:44:54 AM - Software Distribution Service 3.0
RP62: 1/17/2010 12:31:50 PM - Installed ijji REACTOR
RP63: 1/17/2010 1:50:36 PM - Revo Uninstaller's restore point - ijji - Gunz
RP64: 1/17/2010 1:55:02 PM - Revo Uninstaller's restore point - ijji REACTOR
RP65: 1/17/2010 1:55:31 PM - Revo Uninstaller's restore point - ijji REACTOR
RP66: 1/17/2010 1:55:43 PM - Removed ijji REACTOR
RP67: 1/20/2010 12:29:10 AM - System Checkpoint
RP68: 1/20/2010 2:32:19 PM - Installed DirectX
RP69: 1/20/2010 2:34:54 PM - Installed Nero 9 4.4.9.0
RP70: 1/22/2010 11:18:54 AM - Revo Uninstaller's restore point - LightScribe System Software
RP71: 1/22/2010 11:19:23 AM - Removed LightScribe System Software.
RP72: 1/22/2010 11:21:21 AM - Revo Uninstaller's restore point - Nero 9
RP73: 1/22/2010 11:24:45 AM - Removed Nero 9 4.4.9.0
RP74: 1/22/2010 8:30:44 PM - Software Distribution Service 3.0
RP75: 1/23/2010 1:17:02 AM - Installed DirectX
RP76: 1/23/2010 1:20:59 AM - Installed Nero 8
RP77: 1/26/2010 12:03:51 PM - System Checkpoint
RP78: 1/28/2010 1:32:00 PM - System Checkpoint
RP79: 1/30/2010 12:21:04 PM - System Checkpoint
RP80: 2/1/2010 8:54:54 AM - System Checkpoint
RP81: 2/1/2010 2:35:19 PM - Revo Uninstaller's restore point - eBay Icon
RP82: 2/2/2010 11:01:47 PM - Revo Uninstaller's restore point - Malwarebytes' Anti-Malware
RP83: 2/3/2010 6:32:19 PM - Revo Uninstaller's restore point - Norton Internet Security

==== Installed Programs ======================

µTorrent
卸载 讯游CS DOD竞技平台
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.2
Apple Application Support
Apple Software Update
ATI Catalyst Install Manager
ATI Display Driver
BitDefender Internet Security 2010
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Cheat Engine 5.5
Counter-Strike 1.6
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus S20_T10_T20 Manual
EPSON Stylus T10 Series Printer Uninstall
EPSON Web-To-Page
Exact Audio Copy 0.99pb5
Garena 2010
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
HxD Hex Editor version 1.7.7.0
ImagXpress
Java™ 6 Update 17
K-Lite Codec Pack 5.5.1 (Basic)
Left 4 Dead 2
LimeWire PRO 5.4.6
Messenger Plus! Live
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIRC
Mozilla Firefox (3.5.7)
MSVC80_x86_v2
MSVC90_x86
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
Nokia Connectivity Cable Driver
Nokia Ovi Player
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
Nokia PC Suite
Nokia Software Updater
Nokia_Multimedia_Common_Components_2_5
Ovi Desktop Sync Engine
OviMPlatform
PC Connectivity Solution
Platform
PTLens
QuickTime
Revo Uninstaller 1.85
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype 4.1
Sound Blaster Audigy
Spybot - Search & Destroy
Steam
SUPER Version 2010.bld.37 (Jan 2, 2010)
SureThing CD Labeler - Stomper Edition 32 bit
T-Racks v1.1
TeraCopy 2.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
WebFldrs XP
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
Windows Driver Package - Nokia Modem (10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/3/2010 9:26:53 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0019DB83C9CE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/3/2010 6:43:29 PM, error: SideBySide [59] - Resolve Partial Assembly failed for UCCAPI. Reference error message: The referenced assembly is not installed on your system. .
2/3/2010 6:43:29 PM, error: SideBySide [59] - Generate Activation Context failed for C:\program files\windows live\messenger\msnmsgr .exe. Reference error message: The operation completed successfully. .
2/3/2010 6:43:29 PM, error: SideBySide [32] - Dependent Assembly UCCAPI could not be found and Last Error was The referenced assembly is not installed on your system.
2/3/2010 6:08:16 PM, error: Service Control Manager [7031] - The Norton Internet Security service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/3/2010 11:04:17 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
2/3/2010 10:58:20 AM, information: Windows File Protection [64004] - The protected system file atapi.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000000 [The operation completed successfully. ].
2/3/2010 10:58:15 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
2/2/2010 8:42:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde ViaIde
2/2/2010 8:42:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/2/2010 5:30:23 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
2/1/2010 2:56:19 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
1/31/2010 3:43:44 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
1/30/2010 10:50:16 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0019DB83C9CE has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/29/2010 12:19:51 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\atapi.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
1/29/2010 12:10:12 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file atapi.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 0.0.0.1, the version of the system file is 5.1.2600.5512.
1/29/2010 10:02:16 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/29/2010 10:02:16 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

and Ark,

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/03 19:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAFDE7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAC582000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940884

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940bf0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad941da0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9415b6

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad94220a

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940d3a

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940dbc

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9413da

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940486

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad94230a

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9449f4

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad94244e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad942d92

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9414ca

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad944746

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9412fa

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad944874

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940782

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940c92

#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad941e30

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad941bec

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad941fba

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940576

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940988

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9406e4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940646

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940b4e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9446b6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad944b02

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940384

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad94016c

#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad940100

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad9400be

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93ff80

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93ff3a

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93fcbc

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93fb46

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93fb9a

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93fd1a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93fb0c

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93f498

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xad93f7c6

==EOF==
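The DDS and RootRepeal output above is raw tool output. As an added example (not part of the thread and not from DDS, RootRepeal or HijackThis), here is a small Python checker that runs two defender-side rules over constructed lines modelled on this log: it flags executable names with a space directly before the extension (the `msnmsgr .exe` pattern paul02 noticed), and it groups Windows File Protection replacement events by file so that repeated replacement of a kernel driver such as atapi.sys stands out from a one-off. The sample lines, regular expressions and severity labels are this example's own assumptions, not anything the tools emit.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on (not copied from) the DDS "Event Viewer
# Messages" section and HijackThis O4 entries posted in this thread.
SAMPLE_LINES = [
    r'2/3/2010 6:43:29 PM, error: SideBySide [59] - Generate Activation Context failed for C:\program files\windows live\messenger\msnmsgr .exe. Reference error message: The operation completed successfully. .',
    r'2/3/2010 11:04:17 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability.',
    r'2/3/2010 10:58:20 AM, information: Windows File Protection [64004] - The protected system file atapi.sys could not be restored to its original, valid version. The file version of the bad file is unknown',
    r'2/1/2010 2:56:19 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability.',
    r'O4 - HKCU\..\Run: [uTorrent] "c:\program files\utorrent\utorrent .exe"',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r'O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe',
]

# Rule 1: an executable name with a space immediately before its extension
# ("msnmsgr .exe"). Windows runs it happily, and at a glance it reads as the
# real program's name, so it deserves a look whenever it appears in a log.
SPACED_EXT_RE = re.compile(r'([\w\-]+) \.(exe|dll|sys|scr|com)\b', re.IGNORECASE)

# Rule 2: Windows File Protection events 64001/64002/64004, which DDS reports
# when a protected system file was replaced and WFP restored it (or failed to).
WFP_RE = re.compile(
    r'Windows File Protection \[(?P<event>6400[124])\] - .*?protected system file '
    r'(?P<file>\S+?\.(?:sys|exe|dll))\b',
    re.IGNORECASE,
)


def scan(lines):
    """Return (rule, subject, severity) tuples for every indicator found in lines."""
    findings = []
    wfp_events = defaultdict(list)  # basename -> list of WFP event ids seen for it
    for line in lines:
        for m in SPACED_EXT_RE.finditer(line):
            findings.append(("spaced-extension", f"{m.group(1)} .{m.group(2)}".lower(), "high"))
        m = WFP_RE.search(line)
        if m:
            basename = m.group("file").rsplit("\\", 1)[-1].lower()
            wfp_events[basename].append(m.group("event"))
    for basename, events in sorted(wfp_events.items()):
        # A kernel driver being swapped, or WFP failing to put the original back,
        # is the stronger signal; a count above one means something keeps writing
        # the file. The severity labels are this example's own convention.
        severity = "high" if basename.endswith(".sys") or "64004" in events else "medium"
        findings.append(("wfp-replacement", f"{basename} x{len(events)}", severity))
    return findings


if __name__ == "__main__":
    for rule, subject, severity in scan(SAMPLE_LINES):
        print(f"[{severity:6}] {rule:17} {subject}")
```

On the constructed sample the checker reports the two spaced-extension names, atapi.sys with two WFP events at high severity, and ctfmon.exe with one at medium; the `wmpscfgs.exe` Run entry is deliberately left unflagged, since neither rule covers a plausible-looking path and deciding about it needs the file itself.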


#2 paul02

paul02
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 04 February 2010 - 10:34 AM

bumpz! Please help.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 05 February 2010 - 09:12 AM.


#3 paul02

paul02
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 05 February 2010 - 10:06 PM

Come on! This is a professional team of hackers. Please take my case into consideration.

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:50 AM

Posted 10 February 2010 - 10:38 AM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks

Edited by syler, 10 February 2010 - 10:38 AM.



#5 paul02

paul02
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 12 February 2010 - 12:46 PM

Sorry for bumping. I am new here. Will post as instructed. However, due to some faults I had to run RSIT.exe a second time, and this time info.txt did not pop up (faulty program?). Will paste the rest here.

Logfile of random's system information tool 1.06 (written by random/random)
Run by TYCO at 2010-02-13 01:36:36
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 67 GB (67%) free of 100 GB
Total RAM: 2047 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:53 AM, on 2/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TYCO\Desktop\RSIT.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\upgrepl.exe
C:\Program Files\trend micro\TYCO.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=0&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [uTorrent] "c:\program files\utorrent\utorrent .exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1262544074109
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 7014 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-04 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-04 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll [2009-10-20 128832]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe [2010-02-08 1120704]
"P17Helper"=Rundll32 P17.dll,P17Helper []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2010-02-13 39424]
"Adobe_Reader"=c:\program files\internet explorer\wmpscfgs.exe [2010-02-13 39424]
"PAC207_Monitor"=C:\WINDOWS\PixArt\PAC207\Monitor.exe [2006-11-03 319488]
"Monitor"=C:\WINDOWS\PixArt\PAC207\Monitor.exe [2006-11-03 319488]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"=C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [2010-02-13 39424]
"uTorrent"=c:\program files\utorrent\utorrent .exe [2010-02-13 39424]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2010-02-13 39424]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="app_dll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-11-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe"="C:\Program Files\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe:*:Enabled:Left 4 Dead 2"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"
"C:\Program Files\uTorrent\utorrent .exe"="C:\Program Files\uTorrent\utorrent .exe:*:Enabled:礣orrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d2dc9ea-0620-11df-becd-0019db83c9ce}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-02-13 01:11:23 ----D---- C:\Program Files\trend micro
2010-02-13 01:11:22 ----D---- C:\rsit
2010-02-10 11:27:07 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-10 11:27:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-10 11:20:05 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-10 11:20:01 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-10 11:19:56 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-10 11:19:51 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-10 11:19:44 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 11:19:37 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 11:19:27 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-08 15:08:02 ----A---- C:\WINDOWS\ntbtlog.txt
2010-02-08 14:54:45 ----A---- C:\WINDOWS\wininit.ini
2010-02-07 10:41:28 ----SHD---- C:\RECYCLER
2010-02-07 00:25:27 ----A---- C:\WINDOWS\system32\app_dll.dll.3849515.old
2010-02-07 00:25:27 ----A---- C:\WINDOWS\system32\app_dll.dll.2294265.old
2010-02-07 00:25:27 ----A---- C:\WINDOWS\system32\app_dll.dll.165343.old
2010-02-07 00:25:27 ----A---- C:\WINDOWS\system32\app_dll.dll.12357546.old
2010-02-07 00:25:27 ----A---- C:\WINDOWS\system32\app_dll.dll
2010-02-06 15:13:49 ----A---- C:\Documents and Settings\TYCO\Application Data\bdfvconp.ini
2010-02-06 13:07:35 ----A---- C:\ComboFix.txt
2010-02-06 12:54:04 ----D---- C:\ComboFix
2010-02-06 01:23:11 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2010-02-06 01:20:57 ----A---- C:\WINDOWS\system32\Remover.ini
2010-02-06 01:20:57 ----A---- C:\WINDOWS\system32\Remove.exe
2010-02-06 01:20:56 ----A---- C:\WINDOWS\system32\CoInst_071102.dll
2010-02-06 01:20:54 ----A---- C:\WINDOWS\system32\SP207.ini
2010-02-06 01:20:53 ----A---- C:\WINDOWS\system32\P207USD.dll
2010-02-06 01:20:52 ----D---- C:\WINDOWS\PixArt
2010-02-06 01:20:52 ----D---- C:\Program Files\Common Files\PAC207
2010-02-03 19:18:19 ----A---- C:\RootRepeal report 02-03-10 (19-18-19).txt
2010-02-03 19:12:04 ----A---- C:\RootRepeal report 02-03-10 (19-12-04).txt
2010-02-03 18:01:57 ----D---- C:\Program Files\Windows Sidebar
2010-02-03 18:01:51 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-02-03 18:00:18 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-02-02 20:21:30 ----D---- C:\Documents and Settings\TYCO\Application Data\Malwarebytes
2010-02-02 20:21:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-02 08:26:03 ----A---- C:\WINDOWS\system32\app_dll.dll.9279781.old
2010-02-02 08:26:03 ----A---- C:\WINDOWS\system32\app_dll.dll.9275796.old
2010-02-02 08:26:03 ----A---- C:\WINDOWS\system32\app_dll.dll.289875.old
2010-02-02 08:26:03 ----A---- C:\WINDOWS\system32\app_dll.dll.238046.old
2010-02-01 15:51:10 ----D---- C:\Documents and Settings\TYCO\Application Data\Mael
2010-02-01 15:40:22 ----D---- C:\Program Files\HxD
2010-02-01 14:33:33 ----A---- C:\WINDOWS\zip.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\SWSC.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\SWREG.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\sed.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\PEV.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\NIRCMD.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\MBR.exe
2010-02-01 14:33:33 ----A---- C:\WINDOWS\grep.exe
2010-02-01 14:32:41 ----D---- C:\Qoobox
2010-02-01 13:46:40 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-01 13:46:40 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 13:13:47 ----D---- C:\Program Files\Garena
2010-02-01 10:23:41 ----D---- C:\audio
2010-02-01 10:23:41 ----A---- C:\WINDOWS\UNWISE.EXE
2010-02-01 10:23:41 ----A---- C:\WINDOWS\system32\sc1.dll
2010-02-01 10:23:41 ----A---- C:\WINDOWS\system32\ML2.dll
2010-02-01 10:23:40 ----A---- C:\WINDOWS\system32\eqm.dll
2010-02-01 09:07:53 ----D---- C:\STOMP35
2010-02-01 09:07:50 ----D---- C:\WINDOWS\MVUNINST
2010-02-01 09:07:50 ----D---- C:\Program Files\MVAPPS
2010-01-30 09:17:02 ----D---- C:\Program Files\Exact Audio Copy
2010-01-25 21:46:39 ----D---- C:\Documents and Settings\TYCO\Application Data\EPSON
2010-01-23 01:24:49 ----A---- C:\WINDOWS\system32\MsiExec.exe.log
2010-01-23 01:21:30 ----D---- C:\Program Files\Nero
2010-01-23 01:17:10 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2010-01-20 15:32:29 ----D---- C:\Documents and Settings\TYCO\Application Data\NeroDigital™
2010-01-20 15:15:41 ----D---- C:\Documents and Settings\All Users\Application Data\LightScribe
2010-01-20 14:32:26 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2010-01-17 20:35:10 ----D---- C:\Documents and Settings\All Users\Application Data\Nokia
2010-01-17 14:06:34 ----D---- C:\Program Files\PC Connectivity Solution
2010-01-17 14:05:51 ----A---- C:\WINDOWS\system32\wdfcoinstaller01007.dll
2010-01-17 14:05:51 ----A---- C:\WINDOWS\system32\nmwcdcocls.dll
2010-01-17 14:01:34 ----D---- C:\Documents and Settings\All Users\Application Data\OviInstallerCache
2010-01-17 12:35:48 ----D---- C:\Program Files\Common Files\INCA Shared
2010-01-17 12:32:58 ----HD---- C:\Documents and Settings\TYCO\Application Data\ijjigame
2010-01-15 13:46:41 ----A---- C:\WINDOWS\system32\d3dx9.dll
2010-01-15 13:46:40 ----A---- C:\WINDOWS\system32\D3DX81ab.dll
2010-01-15 13:46:38 ----D---- C:\Program Files\Cheat Engine

======List of files/folders modified in the last 1 months======

2010-02-13 01:36:10 ----D---- C:\WINDOWS\Temp
2010-02-13 01:36:04 ----RD---- C:\Program Files
2010-02-13 01:35:59 ----D---- C:\Program Files\Mozilla Firefox
2010-02-13 01:33:44 ----SD---- C:\WINDOWS\Tasks
2010-02-13 01:32:35 ----D---- C:\Program Files\Internet Explorer
2010-02-13 01:32:34 ----D---- C:\WINDOWS
2010-02-13 01:32:34 ----A---- C:\WINDOWS\updreg.exe
2010-02-13 01:32:33 ----D---- C:\Program Files\Messenger
2010-02-13 01:32:32 ----D---- C:\Program Files\uTorrent
2010-02-13 01:31:46 ----D---- C:\Documents and Settings\TYCO\Application Data\uTorrent
2010-02-13 01:29:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-13 01:24:56 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-13 01:04:44 ----D---- C:\Documents and Settings\TYCO\Application Data\TeraCopy
2010-02-12 23:38:03 ----D---- C:\Program Files\Steam
2010-02-12 20:04:59 ----D---- C:\Program Files\Warcraft III
2010-02-12 17:06:42 ----D---- C:\Documents and Settings\TYCO\Application Data\LimeWire
2010-02-12 15:29:00 ----D---- C:\WINDOWS\system32
2010-02-11 18:42:40 ----A---- C:\bdlog.txt
2010-02-11 17:38:58 ----D---- C:\WINDOWS\system32\drivers
2010-02-10 11:27:09 ----HD---- C:\WINDOWS\inf
2010-02-10 11:27:07 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-10 11:27:05 ----A---- C:\WINDOWS\imsins.BAK
2010-02-10 11:27:04 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-10 11:19:59 ----D---- C:\WINDOWS\Prefetch
2010-02-09 00:51:02 ----D---- C:\Documents and Settings\TYCO\Application Data\mIRC
2010-02-08 23:38:02 ----D---- C:\Program Files\mIRC
2010-02-08 10:42:13 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-02-08 01:38:53 ----A---- C:\WINDOWS\win.ini
2010-02-08 01:27:26 ----A---- C:\WINDOWS\NeroDigital.ini
2010-02-08 00:41:36 ----D---- C:\Program Files\Adobe
2010-02-07 10:33:32 ----SD---- C:\Documents and Settings\TYCO\Application Data\Microsoft
2010-02-06 13:03:27 ----A---- C:\WINDOWS\system.ini
2010-02-06 13:00:44 ----A---- C:\WINDOWS\updreg .exe
2010-02-06 12:57:20 ----D---- C:\WINDOWS\AppPatch
2010-02-06 12:57:19 ----D---- C:\Program Files\Common Files
2010-02-06 12:54:33 ----D---- C:\WINDOWS\system32\Restore
2010-02-06 12:54:14 ----SHD---- C:\System Volume Information
2010-02-06 01:34:18 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-02-06 01:23:12 ----D---- C:\WINDOWS\twain_32
2010-02-06 01:20:52 ----HD---- C:\Program Files\InstallShield Installation Information
2010-02-04 11:23:13 ----D---- C:\Program Files\MSN
2010-02-03 18:47:35 ----SHD---- C:\WINDOWS\Installer
2010-02-02 20:41:30 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-02-02 03:26:20 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-01 14:54:18 ----D---- C:\WINDOWS\ERDNT
2010-02-01 09:36:27 ----D---- C:\WINDOWS\Help
2010-01-28 01:30:13 ----D---- C:\Documents and Settings\TYCO\Application Data\Skype
2010-01-28 00:05:14 ----D---- C:\Documents and Settings\TYCO\Application Data\skypePM
2010-01-27 00:19:22 ----D---- C:\Program Files\Counter-Strike 1.6
2010-01-23 01:26:26 ----D---- C:\Documents and Settings\TYCO\Application Data\Nero
2010-01-23 01:23:20 ----D---- C:\Program Files\Common Files\Nero
2010-01-23 01:21:32 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
2010-01-23 01:21:19 ----D---- C:\WINDOWS\Cursors
2010-01-23 01:17:16 ----D---- C:\WINDOWS\system32\DirectX
2010-01-22 20:31:55 ----D---- C:\WINDOWS\system32\en-us
2010-01-22 20:31:37 ----D---- C:\WINDOWS\ie7updates
2010-01-17 20:33:24 ----D---- C:\Program Files\Nokia
2010-01-17 20:31:45 ----D---- C:\Documents and Settings\All Users\Application Data\Installations
2010-01-17 20:19:36 ----D---- C:\Documents and Settings\TYCO\Application Data\Nokia
2010-01-17 14:08:10 ----D---- C:\Program Files\Common Files\Nokia
2010-01-17 14:06:43 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-01-17 13:55:39 ----SD---- C:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 BDVEDISK;BDVEDISK; \??\C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-11-25 4463104]
R3 bdfm;BDFM; C:\WINDOWS\system32\drivers\bdfm.sys [2010-02-11 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2009-10-19 110984]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys []
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-01-10 138752]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2005-01-10 106496]
R3 P17;Sound Blaster Audigy; C:\WINDOWS\system32\drivers\P17.sys [2005-07-07 1389056]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\TYCO\LOCALS~1\Temp\HGE64.tmp []
S3 GMSIPCI;GMSIPCI; \??\E:\INSTALL\GMSIPCI.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-10-06 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-10-06 22016]
S3 PAC207;Eye 110; C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-10-25 616064]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-10-06 7936]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2008-04-14 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-10-06 7936]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-11-25 602112]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-04 153376]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2010-01-29 308552]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2008-02-18 877864]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe [2010-02-11 1612616]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 Arrakis3;BitDefender Arrakis Server; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2009-10-19 183880]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-09-20 3474384]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-10-27 657408]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 .1262538362;1262538362; C:\Program Files\1262538362\Computer1262538362L.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-13 01:40:15
Windows 5.1.2600 Service Pack 3
Running: 9lnqprdn.exe; Driver: C:\DOCUME~1\TYCO\LOCALS~1\Temp\kwwdrfoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAllocateVirtualMemory [0xACBDA884]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwAssignProcessToJobObject [0xACBDABF0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwConnectPort [0xACBDBDA0]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateFile [0xACBDB5B6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateKey [0xACBDC20A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcess [0xACBDAD3A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateProcessEx [0xACBDADBC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateSection [0xACBDB3DA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwCreateThread [0xACBDA486]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDeviceIoControlFile [0xACBDC30A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDuplicateObject [0xACBDE9F4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwFsControlFile [0xACBDC44E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwLoadDriver [0xACBDCD92]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenFile [0xACBDB4CA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenProcess [0xACBDE746]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenSection [0xACBDB2FA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenThread [0xACBDE874]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwProtectVirtualMemory [0xACBDA782]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwQueueApcThread [0xACBDAC92]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestPort [0xACBDBE30]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwRequestWaitReplyPort [0xACBDBBEC]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSecureConnectPort [0xACBDBFBA]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetContextThread [0xACBDA576]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSetSystemInformation [0xACBDA988]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendProcess [0xACBDA6E4]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSuspendThread [0xACBDA646]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwSystemDebugControl [0xACBDAB4E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateProcess [0xACBDE6B6]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateThread [0xACBDEB02]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwWriteVirtualMemory [0xACBDA384]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Adobe\acrotray .exe (*** hidden *** ) 2764
Process C:\WINDOWS\system32\wbem\wmiprvse.exe (*** hidden *** ) 3324
Process c:\program files\nokia\nokia pc suite 7\pcsuite .exe (*** hidden *** ) 3368

---- EOF - GMER 1.0.15 ----

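Added note, not part of the thread: in the GMER output above every SSDT entry is attributed to bdselfpr.sys, BitDefender's own self-protection driver, and the four bdftdif.sys entries are its firewall's TDI filters, so those hooks are expected on a machine running BitDefender 2010. The indicators worth acting on are the three hidden processes, two of which carry a space before the extension (acrotray .exe, pcsuite .exe). The Python below is an added example for triaging such logs offline; it is not code from the thread or from GMER, ComboFix or DDS, and the sample lines are constructed to match the GMER "Processes" and ComboFix "Reg Loading Points" line formats rather than copied from the posted logs. It flags paths with whitespace before the extension and autostart targets that share a single date and size stamp, which is what the ComboFix "Reg Loading Points" section further down shows for several Run entries. Caveat: a space before the extension is a legal file name, so hits are candidates for review, not verdicts; and because GMER reports these processes as hidden, directory listings taken on the running system may not show the files at all, so feed the check output from a rootkit-aware scanner or from an offline boot.

```python
"""Flag 'name .exe' companion files and duplicate-stamp autostart targets in
GMER/ComboFix-style log lines.  Added example, not part of the original thread."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the GMER "Processes" and ComboFix
# "Reg Loading Points" formats seen in this thread (not copied log output).
SAMPLE_LINES = [
    r'Process C:\Program Files\Adobe\acrotray .exe (*** hidden *** ) 2764',
    r'Process C:\WINDOWS\system32\wbem\wmiprvse.exe (*** hidden *** ) 3324',
    r'"uTorrent"="c:\program files\utorrent\utorrent .exe" [2010-02-06 39424]',
    r'"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]',
    r'"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2010-02-06 39424]',
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    r'"UpdReg"="c:\windows\UpdReg.EXE" [2010-02-06 39424]',
    r'"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-02-06 39424]',
]

# A drive-letter path ending in an executable extension.  Paths may contain
# spaces, so the lazy match stops at the first quote, bracket or parenthesis.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\(]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)
# ComboFix appends "[YYYY-MM-DD SIZE]" to each autostart entry it lists.
STAMP_RE = re.compile(r'\[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$')
# Whitespace immediately before the final extension, e.g. "msnmsgr .exe".
SPACED_EXT_RE = re.compile(r'\s+\.[^.\\\s]+$')


def extract_path(line):
    """Return the first executable path found in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def has_space_before_ext(path):
    """True for names like 'ctfmon .exe': the displaced original keeps the
    spaced name while the malicious copy takes the real one."""
    name = path.rsplit('\\', 1)[-1]
    return SPACED_EXT_RE.search(name) is not None


def original_name(path):
    """Strip the inserted whitespace to recover the name the file should have."""
    return re.sub(r'\s+(\.[^.\\\s]+)$', r'\1', path)


def analyze(lines):
    """Return spaced-extension paths and autostart targets that share one
    (date, size) stamp, i.e. many names but one dropped binary."""
    companion_files = []
    by_stamp = defaultdict(list)
    for line in lines:
        path = extract_path(line)
        if path is None:
            continue
        if has_space_before_ext(path):
            companion_files.append(path)
        stamp = STAMP_RE.search(line)
        if stamp:
            key = (stamp.group(1), int(stamp.group(2)))
            if path not in by_stamp[key]:
                by_stamp[key].append(path)
    # Only stamps shared by more than one distinct path are suspicious.
    cloned_targets = {k: v for k, v in by_stamp.items() if len(v) > 1}
    return {'companion_files': companion_files, 'cloned_targets': cloned_targets}


if __name__ == '__main__':
    report = analyze(SAMPLE_LINES)
    for p in report['companion_files']:
        print('displaced original:', p, '->', original_name(p))
    for (date, size), paths in report['cloned_targets'].items():
        print(f'{len(paths)} autostart targets share {size} bytes, dated {date}:')
        for p in paths:
            print('   ', p)
```

Run as a script it prints the two displaced originals with the name each should carry, and the four Run targets that share the 39424-byte, 2010-02-06 stamp. The regexes are written for ComboFix and GMER line shapes; if you feed it a plain `dir /s /b` listing instead, only the spaced-extension check applies since there is no size stamp on the line.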

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 12 February 2010 - 12:52 PM

I see you have been running ComboFix on your own; please post the log it produced, C:\ComboFix.txt.



#7 paul02

  • Topic Starter

  • Members
  • 31 posts

Posted 13 February 2010 - 07:48 AM

ComboFix 10-02-05.02 - TYCO 02/06/2010 12:55:08.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1410 [GMT 8:00]
Running from: c:\documents and settings\TYCO\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\AVSredirect.dll
c:\windows\system32\ctfmon .exe
c:\windows\updreg .exe

.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-05 17:25 . 2010-02-05 17:37 304160 ----a-w- C:\PA207.DAT
2010-02-05 17:20 . 2007-10-04 09:42 48128 ----a-w- c:\windows\system32\Remove.exe
2010-02-05 17:20 . 2007-11-02 03:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2010-02-05 17:20 . 2007-10-25 10:31 616064 ----a-w- c:\windows\system32\drivers\PFC027.SYS
2010-02-05 17:20 . 2006-10-12 03:57 14336 ----a-w- c:\windows\system32\P207USD.dll
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\program files\Common Files\PAC207
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\windows\PixArt
2010-02-05 11:34 . 2010-02-05 12:48 -------- d-----w- c:\documents and settings\TYCO\Incomplete
2010-02-03 11:11 . 2010-02-03 11:11 0 ----a-w- c:\documents and settings\TYCO\settings.dat
2010-02-03 10:10 . 2010-02-03 10:10 4 ----a-w- c:\program files\10137328.dat
2010-02-03 10:01 . 2010-02-03 10:01 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 10:01 . 2010-02-03 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 10:00 . 2010-02-03 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 02:59 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-02 14:56 . 2010-02-02 14:56 4 ----a-w- c:\program files\8108671.dat
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\Malwarebytes
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 07:51 . 2010-02-01 07:51 -------- d-----w- c:\documents and settings\TYCO\Application Data\Mael
2010-02-01 07:40 . 2010-02-01 07:40 -------- d-----w- c:\program files\HxD
2010-02-01 05:46 . 2010-02-03 10:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 05:46 . 2010-02-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 05:13 . 2010-02-05 09:06 -------- d-----w- c:\program files\Garena
2010-02-01 02:23 . 2010-02-01 02:23 -------- d-----w- C:\audio
2010-02-01 02:23 . 1999-02-09 21:04 240640 ----a-w- c:\windows\system32\sc1.dll
2010-02-01 02:23 . 1999-02-09 21:00 225280 ----a-w- c:\windows\system32\ML2.dll
2010-02-01 02:23 . 1998-04-30 06:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-01 02:23 . 1999-02-09 20:55 228352 ----a-w- c:\windows\system32\eqm.dll
2010-02-01 01:31 . 2010-02-01 01:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Help
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- C:\STOMP35
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- c:\windows\MVUNINST
2010-02-01 01:07 . 2010-02-01 01:07 -------- d-----w- c:\program files\MVAPPS
2010-01-30 01:17 . 2010-01-30 01:24 -------- d-----w- c:\documents and settings\Bob\Application Data\AccurateRip
2010-01-30 01:17 . 2010-01-30 01:18 -------- d-----w- c:\program files\Exact Audio Copy
2010-01-26 06:40 . 2010-01-26 06:40 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Identities
2010-01-25 13:46 . 2010-01-25 13:46 -------- d-----w- c:\documents and settings\TYCO\Application Data\EPSON
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Ahead
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Application Data\Nero
2010-01-23 00:34 . 2010-01-28 00:21 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Ahead
2010-01-22 17:31 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Ahead
2010-01-22 17:21 . 2010-01-22 17:21 -------- d-----w- c:\program files\Nero
2010-01-20 07:32 . 2010-01-20 07:32 -------- d-----w- c:\documents and settings\TYCO\Application Data\NeroDigital™
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-01-18 06:31 . 2010-01-18 06:31 -------- d-----w- c:\documents and settings\Bob\Application Data\PC Suite
2010-01-17 12:35 . 2010-01-17 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-17 12:33 . 2010-01-17 12:31 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en.exe
2010-01-17 12:32 . 2010-01-17 12:32 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-17 12:32 . 2010-01-17 12:32 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-17 12:32 . 2010-01-17 12:32 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-17 12:19 . 2010-01-17 12:19 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\NokiaAccount
2010-01-17 06:06 . 2010-02-06 01:33 -------- d-----w- c:\documents and settings\Family\Tracing
2010-01-17 06:06 . 2008-08-26 01:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-01-17 06:06 . 2010-01-17 06:06 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-01-17 06:05 . 2009-10-06 03:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-01-17 06:05 . 2009-10-06 03:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-01-17 06:05 . 2009-10-06 03:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-01-17 06:05 . 2009-10-06 03:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-01-17 06:04 . 2010-01-17 06:04 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 06:04 . 2010-01-17 06:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 06:04 . 2010-01-17 06:04 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 06:04 . 2010-01-17 06:04 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 06:01 . 2010-01-17 06:01 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
2010-01-17 06:01 . 2010-01-17 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 04:44 . 2010-01-17 04:44 3198 ----a-w- c:\windows\system32\wbers.dat
2010-01-17 04:36 . 2004-12-31 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-01-17 04:35 . 2010-01-17 04:35 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 04:32 . 2010-01-17 04:33 -------- d--h--w- c:\documents and settings\TYCO\Application Data\ijjigame
2010-01-16 15:31 . 2010-01-16 15:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Apple Computer
2010-01-15 05:46 . 2009-01-25 15:36 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-01-15 05:46 . 2009-01-25 15:36 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-01-15 05:46 . 2010-02-05 14:57 -------- d-----w- c:\program files\Cheat Engine
2010-01-13 01:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 23:58 . 2010-01-11 23:58 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Identities
2010-01-11 13:04 . 2010-01-11 13:05 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Adobe
2010-01-11 09:16 . 2010-01-11 09:18 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Adobe
2010-01-11 04:06 . 2010-01-18 14:30 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Adobe
2010-01-10 15:21 . 2010-01-10 15:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-10 15:21 . 2010-01-27 16:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\skypePM
2010-01-10 15:17 . 2010-01-27 17:30 -------- d-----w- c:\documents and settings\TYCO\Application Data\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\program files\Common Files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----r- c:\program files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-10 14:31 . 2010-01-10 14:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\Apple Computer
2010-01-09 11:56 . 2010-01-09 11:56 28680 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 06:42 . 2010-01-09 06:42 -------- d-----w- c:\documents and settings\Family\Application Data\PC Suite
2010-01-08 03:00 . 2010-01-23 00:34 -------- d-----w- c:\documents and settings\Bob\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 05:04 . 2010-01-06 03:08 -------- d-----w- c:\program files\uTorrent
2010-02-06 05:03 . 2010-01-06 03:07 -------- d-----w- c:\documents and settings\TYCO\Application Data\uTorrent
2010-02-06 05:00 . 2010-01-04 02:54 39424 ----a-w- c:\windows\updreg.exe
2010-02-06 04:09 . 2010-01-04 09:24 -------- d-----w- c:\documents and settings\TYCO\Application Data\mIRC
2010-02-06 03:49 . 2010-01-06 13:08 -------- d-----w- c:\documents and settings\TYCO\Application Data\TeraCopy
2010-02-06 03:34 . 2010-01-04 09:24 -------- d-----w- c:\program files\mIRC
2010-02-05 17:20 . 2010-01-03 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-05 15:33 . 2010-01-04 05:36 -------- d-----w- c:\program files\Steam
2010-02-05 13:16 . 2010-01-06 03:12 -------- d-----w- c:\documents and settings\TYCO\Application Data\LimeWire
2010-02-05 09:51 . 2010-01-03 18:12 -------- d-----w- c:\program files\Warcraft III
2010-01-28 18:17 . 2010-01-03 19:19 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-26 16:19 . 2010-01-03 18:12 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-01-22 17:26 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nero
2010-01-22 17:23 . 2010-01-06 03:47 -------- d-----w- c:\program files\Common Files\Nero
2010-01-22 17:21 . 2010-01-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-18 14:27 . 2010-01-04 16:26 629720 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-17 12:33 . 2010-01-04 06:02 -------- d-----w- c:\program files\Nokia
2010-01-17 12:31 . 2010-01-04 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-17 12:19 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nokia
2010-01-17 06:08 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-10 17:17 . 2010-01-03 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-07 16:38 . 2010-01-04 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 16:55 . 2010-01-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-06 13:07 . 2010-01-06 13:07 -------- d-----w- c:\program files\TeraCopy
2010-01-06 09:29 . 2010-01-06 09:29 -------- d-----w- c:\program files\MSXML 4.0
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\LimeWire
2010-01-06 01:51 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Bob\Application Data\ePaperPress
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_52D5F617C25478BAD90D68.exe
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_525AB3E17FA832EF7FEF72.exe
2010-01-06 01:48 . 2010-01-06 01:48 -------- d-----w- c:\program files\ePaperPress
2010-01-05 14:56 . 2010-01-05 14:56 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-05 14:54 . 2010-01-05 14:54 -------- d-----w- c:\program files\eRightSoft
2010-01-05 12:00 . 2010-01-04 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 04:16 . 2010-01-05 04:16 -------- d-----w- c:\documents and settings\Family\Application Data\BitDefender
2010-01-05 01:05 . 2010-01-03 17:14 28680 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:31 . 2010-01-04 16:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\VSRevoGroup
2010-01-04 16:29 . 2010-01-03 18:18 28680 ----a-w- c:\documents and settings\TYCO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:20 . 2010-01-04 03:22 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 11:58 . 2010-01-04 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-04 11:42 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\PC Suite
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-04 09:30 . 2010-01-04 09:29 -------- d-----w- c:\program files\GameSun
2010-01-04 06:04 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-04 06:04 . 2010-01-04 06:03 -------- d-----w- c:\program files\DIFX
2010-01-04 06:03 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-01-04 06:00 . 2010-01-04 06:00 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-04 06:00 . 2010-01-04 06:00 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-04 05:59 . 2010-01-04 06:00 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web.exe
2010-01-04 05:57 . 2010-01-04 05:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 03:46 . 2010-01-04 03:46 -------- d-----w- c:\program files\VS Revo Group
2010-01-04 03:21 . 2010-01-04 03:21 -------- d-----w- c:\program files\Microsoft.NET
2010-01-04 02:59 . 2010-01-04 02:49 -------- d-----w- c:\program files\Creative
2010-01-04 02:40 . 2010-01-04 02:40 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-04 02:40 . 2010-01-04 02:40 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-04 00:37 . 2010-01-03 17:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 00:35 . 2010-01-04 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-01-04 00:33 . 2010-01-04 00:10 -------- d-----w- c:\program files\epson
2010-01-04 00:31 . 2010-01-04 00:31 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2010-01-04 00:30 . 2010-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-04 00:12 . 2010-01-04 00:12 -------- d-----w- c:\documents and settings\Bob\Application Data\EPSON
2010-01-03 19:05 . 2010-01-03 17:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-03 18:48 . 2010-01-03 18:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\U3
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\ATI
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\BitDefender
2010-01-03 18:17 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-03 18:13 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\Bob\Application Data\BitDefender
2010-01-03 18:12 . 2010-01-03 18:11 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\BitDefender
2010-01-03 18:09 . 2010-01-03 18:09 -------- d-----w- c:\documents and settings\Bob\Application Data\U3
2010-01-03 18:03 . 2010-01-03 17:38 -------- d-----w- c:\program files\ATI
2010-01-03 18:01 . 2010-01-03 18:01 10134 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\documents and settings\Bob\Application Data\ATI
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-01-03 17:55 . 2010-01-03 17:55 -------- d-----w- c:\program files\MSBuild
2010-01-03 17:54 . 2010-01-03 17:54 -------- d-----w- c:\program files\Reference Assemblies
2010-01-03 17:53 . 2010-01-03 17:53 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-03 17:53 . 2010-01-03 17:53 -------- d-----w- c:\program files\MSXML 6.0
2010-01-03 17:52 . 2010-01-03 17:52 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-01-03 17:50 . 2010-01-03 17:50 0 ----a-w- c:\windows\nsreg.dat
2010-01-03 17:41 . 2010-01-03 17:41 -------- d-----w- c:\program files\Microsoft
2010-01-03 17:41 . 2010-01-03 17:41 -------- d-----w- c:\program files\Windows Live
2010-01-03 17:41 . 2010-01-03 17:41 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-03 17:39 . 2010-01-03 17:38 -------- d-----w- c:\program files\ATI Technologies
2009-10-19 10:59 . 2010-01-03 18:18 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2006-05-03 10:06 . 2010-01-05 14:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-05 14:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-05 14:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.
CODE
c:\program files\Common Files\Nero\Lib\nmindexstoresvr            .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr          .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr        .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr       .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr      .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr     .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr    .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Creative\SBAudigy\Surround Mixer\ctsysvol .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Nokia\Nokia PC Suite 7\pcsuite .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\uTorrent\utorrent          .exe
c:\program files\uTorrent\utorrent         .exe
c:\program files\uTorrent\utorrent        .exe
c:\program files\uTorrent\utorrent       .exe
c:\program files\uTorrent\utorrent      .exe
c:\program files\uTorrent\utorrent     .exe
c:\program files\uTorrent\utorrent    .exe
c:\program files\uTorrent\utorrent   .exe
c:\program files\uTorrent\utorrent  .exe
c:\program files\uTorrent\utorrent .exe
c:\program files\Windows Live\Messenger\msnmsgr        .exe
c:\program files\Windows Live\Messenger\msnmsgr      .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\PixArt\PAC207\monitor .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\spool\drivers\w32x86\3\e_fatiebs .exe


((((((((((((((((((((((((((((( SnapShot@2010-02-01_06.55.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-06 05:02 . 2010-02-06 05:02 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2010-02-05 17:23 . 2008-04-14 00:12 53760 c:\windows\system32\vfwwdm32.dll
+ 2009-08-13 08:21 . 2008-04-13 22:42 76288 c:\windows\system32\taskkill.exe
+ 2010-02-05 17:23 . 2008-04-13 18:46 19200 c:\windows\system32\drivers\WSTCODEC.SYS
+ 2010-02-05 17:23 . 2008-04-13 18:46 15232 c:\windows\system32\drivers\StreamIP.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 11136 c:\windows\system32\drivers\SLIP.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 10880 c:\windows\system32\drivers\NdisIP.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 85248 c:\windows\system32\drivers\NABTSFEC.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 17024 c:\windows\system32\drivers\CCDECODE.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 19200 c:\windows\system32\dllcache\wstcodec.sys
+ 2010-02-05 17:23 . 2008-04-14 00:12 53760 c:\windows\system32\dllcache\vfwwdm32.dll
+ 2010-02-05 17:23 . 2008-04-13 18:46 15232 c:\windows\system32\dllcache\streamip.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 11136 c:\windows\system32\dllcache\slip.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 10880 c:\windows\system32\dllcache\ndisip.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 85248 c:\windows\system32\dllcache\nabtsfec.sys
+ 2010-02-05 17:23 . 2008-04-13 18:46 17024 c:\windows\system32\dllcache\ccdecode.sys
+ 2006-02-28 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2010-01-03 17:07 . 2010-02-06 04:56 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-03 17:07 . 2010-02-01 06:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-03 17:07 . 2010-02-06 04:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-13 01:45 . 2010-02-03 02:54 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
- 2010-01-13 01:45 . 2010-02-01 06:32 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-02-05 17:20 . 2010-02-06 05:04 39424 c:\windows\PixArt\PAC207\monitor.exe
- 2010-01-03 17:42 . 2010-01-03 17:42 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
+ 2010-02-03 10:47 . 2010-02-03 10:47 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
+ 2010-02-05 17:23 . 2008-04-13 18:39 5504 c:\windows\system32\drivers\MSTEE.sys
+ 2010-02-05 17:23 . 2008-04-13 18:39 5504 c:\windows\system32\dllcache\mstee.sys
+ 2004-01-07 03:21 . 2004-01-07 03:21 237936 c:\windows\system32\unicows.dll
+ 2010-02-05 17:20 . 2007-10-22 06:46 425984 c:\windows\PixArt\PAC207\PASnap.exe
+ 2010-02-05 17:20 . 2006-11-20 01:01 163840 c:\windows\PixArt\PAC207\AMCap.exe
+ 2010-02-03 10:47 . 2010-02-03 10:47 430080 c:\windows\Installer\47840.msi
+ 2010-01-03 17:07 . 2010-02-06 04:56 2244608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-02-06 39424]
"uTorrent"="c:\program files\utorrent\utorrent .exe" [2010-02-06 39424]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2010-02-06 39424]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-29 1120704]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="c:\windows\UpdReg.EXE" [2010-02-06 39424]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-02-06 39424]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2010-02-06 39424]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2010-02-06 39424]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/4/2010 1:17 AM 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 152456]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Family\LOCALS~1\Temp\MQD2.tmp --> c:\docume~1\Family\LOCALS~1\Temp\MQD2.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2/6/2010 1:20 AM 616064]
S4 .1262538362;1262538362;c:\program files\1262538362\Computer1262538362L.exe --> c:\program files\1262538362\Computer1262538362L.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-02-06 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]

2010-02-06 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-06 05:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TYCO\Application Data\Mozilla\Firefox\Profiles\gdtk1tkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Family\LOCALS~1\Temp\MQD2.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\nokia\nokia pc suite 7\pcsuite .exe
.
**************************************************************************
.
Completion time: 2010-02-06 13:07:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 05:07
ComboFix2.txt 2010-02-01 07:02

Pre-Run: 72,423,743,488 bytes free
Post-Run: 72,858,992,640 bytes free

- - End Of File - - 4EAE1759F628BE89972A7617AEF63FB6


I will try to aid you here, I think I read and found something similar or equal to the problem I am having. It's a malware which infects wmscfgs.exe or something. It was said that it would replace itself even if you use an Anti Virus to remove it and the only way was to go into SAFE MODE and delete the registry and stuff. However I can't access regedit as "Disabled by Administrator" which therefore left me helpless.

#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 February 2010 - 02:01 PM

Hi paul02,

Please delete the copy of Combofix you have then download a new copy and run it again, then do the following online scan.


Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • Combofix.txt
  • ESET log

Thanks



#9 paul02
  • Topic Starter

  • Members
  • 31 posts

Posted 13 February 2010 - 08:36 PM

ComboFix 10-02-12.01 - TYCO 02/14/2010 9:18.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1594 [GMT 8:00]
Running from: c:\documents and settings\TYCO\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\ctfmon .exe
c:\windows\updreg .exe

.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 01:25 . 2010-02-14 01:25 4 ----a-w- c:\program files\1859234.dat
2010-02-12 17:21 . 2010-02-12 17:21 4 ----a-w- c:\program files\7939968.dat
2010-02-12 17:11 . 2010-02-12 17:37 -------- d-----w- c:\program files\trend micro
2010-02-12 17:11 . 2010-02-14 01:08 -------- d-----w- C:\rsit
2010-02-12 05:27 . 2010-02-12 05:27 4 ----a-w- c:\program files\20648500.dat
2010-02-11 11:03 . 2010-02-11 11:03 4 ----a-w- c:\program files\5233593.dat
2010-02-07 23:30 . 2010-02-07 23:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-05 17:20 . 2007-10-04 09:42 48128 ----a-w- c:\windows\system32\Remove.exe
2010-02-05 17:20 . 2007-11-02 03:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2010-02-05 17:20 . 2007-10-25 10:31 616064 ----a-w- c:\windows\system32\drivers\PFC027.SYS
2010-02-05 17:20 . 2006-10-12 03:57 14336 ----a-w- c:\windows\system32\P207USD.dll
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\program files\Common Files\PAC207
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\windows\PixArt
2010-02-05 11:34 . 2010-02-12 08:22 -------- d-----w- c:\documents and settings\TYCO\Incomplete
2010-02-03 11:11 . 2010-02-03 11:11 0 ----a-w- c:\documents and settings\TYCO\settings.dat
2010-02-03 10:10 . 2010-02-03 10:10 4 ----a-w- c:\program files\10137328.dat
2010-02-03 10:01 . 2010-02-03 10:01 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 10:01 . 2010-02-03 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 10:00 . 2010-02-03 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 02:59 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-02 14:56 . 2010-02-02 14:56 4 ----a-w- c:\program files\8108671.dat
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\Malwarebytes
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 07:51 . 2010-02-01 07:51 -------- d-----w- c:\documents and settings\TYCO\Application Data\Mael
2010-02-01 07:40 . 2010-02-01 07:40 -------- d-----w- c:\program files\HxD
2010-02-01 05:46 . 2010-02-03 10:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 05:46 . 2010-02-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 05:13 . 2010-02-12 11:22 -------- d-----w- c:\program files\Garena
2010-02-01 02:23 . 2010-02-01 02:23 -------- d-----w- C:\audio
2010-02-01 02:23 . 1999-02-09 21:04 240640 ----a-w- c:\windows\system32\sc1.dll
2010-02-01 02:23 . 1999-02-09 21:00 225280 ----a-w- c:\windows\system32\ML2.dll
2010-02-01 02:23 . 1998-04-30 06:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-01 02:23 . 1999-02-09 20:55 228352 ----a-w- c:\windows\system32\eqm.dll
2010-02-01 01:31 . 2010-02-01 01:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Help
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- C:\STOMP35
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- c:\windows\MVUNINST
2010-02-01 01:07 . 2010-02-01 01:07 -------- d-----w- c:\program files\MVAPPS
2010-01-30 01:17 . 2010-01-30 01:24 -------- d-----w- c:\documents and settings\Bob\Application Data\AccurateRip
2010-01-30 01:17 . 2010-01-30 01:18 -------- d-----w- c:\program files\Exact Audio Copy
2010-01-26 06:40 . 2010-01-26 06:40 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Identities
2010-01-25 13:46 . 2010-01-25 13:46 -------- d-----w- c:\documents and settings\TYCO\Application Data\EPSON
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Ahead
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Application Data\Nero
2010-01-23 00:34 . 2010-01-28 00:21 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Ahead
2010-01-22 17:31 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Ahead
2010-01-22 17:21 . 2010-01-22 17:21 -------- d-----w- c:\program files\Nero
2010-01-20 07:32 . 2010-01-20 07:32 -------- d-----w- c:\documents and settings\TYCO\Application Data\NeroDigital™
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-01-18 06:31 . 2010-01-18 06:31 -------- d-----w- c:\documents and settings\Bob\Application Data\PC Suite
2010-01-17 12:35 . 2010-01-17 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-17 12:33 . 2010-01-17 12:31 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en.exe
2010-01-17 12:32 . 2010-01-17 12:32 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-17 12:32 . 2010-01-17 12:32 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-17 12:32 . 2010-01-17 12:32 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-17 12:19 . 2010-01-17 12:19 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\NokiaAccount
2010-01-17 06:06 . 2010-02-12 06:01 -------- d-----w- c:\documents and settings\Family\Tracing
2010-01-17 06:06 . 2008-08-26 01:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-01-17 06:06 . 2010-01-17 06:06 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-01-17 06:05 . 2009-10-06 03:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-01-17 06:05 . 2009-10-06 03:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-01-17 06:05 . 2009-10-06 03:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-01-17 06:05 . 2009-10-06 03:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-01-17 06:04 . 2010-01-17 06:04 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 06:04 . 2010-01-17 06:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 06:04 . 2010-01-17 06:04 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 06:04 . 2010-01-17 06:04 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 06:01 . 2010-01-17 06:01 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
2010-01-17 06:01 . 2010-01-17 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 04:44 . 2010-01-17 04:44 3198 ----a-w- c:\windows\system32\wbers.dat
2010-01-17 04:36 . 2004-12-31 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-01-17 04:35 . 2010-01-17 04:35 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 04:32 . 2010-01-17 04:33 -------- d--h--w- c:\documents and settings\TYCO\Application Data\ijjigame
2010-01-16 15:31 . 2010-01-16 15:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Apple Computer
2010-01-15 05:46 . 2009-01-25 15:36 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2010-01-15 05:46 . 2009-01-25 15:36 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2010-01-15 05:46 . 2010-02-11 06:25 -------- d-----w- c:\program files\Cheat Engine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 01:28 . 2010-01-04 02:54 39424 ----a-w- c:\windows\updreg.exe
2010-02-14 01:28 . 2010-01-06 03:08 -------- d-----w- c:\program files\uTorrent
2010-02-14 01:27 . 2010-01-06 03:07 -------- d-----w- c:\documents and settings\TYCO\Application Data\uTorrent
2010-02-14 01:25 . 2010-01-04 02:54 39424 ----a-w- c:\windows\updreg .exe
2010-02-14 01:12 . 2010-01-06 13:08 -------- d-----w- c:\documents and settings\TYCO\Application Data\TeraCopy
2010-02-13 15:04 . 2010-01-04 05:36 -------- d-----w- c:\program files\Steam
2010-02-12 12:04 . 2010-01-03 18:12 -------- d-----w- c:\program files\Warcraft III
2010-02-12 09:06 . 2010-01-06 03:12 -------- d-----w- c:\documents and settings\TYCO\Application Data\LimeWire
2010-02-11 09:38 . 2009-12-07 10:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-11 09:38 . 2009-12-07 10:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-11 09:13 . 2010-01-04 16:26 629720 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-08 16:51 . 2010-01-04 09:24 -------- d-----w- c:\documents and settings\TYCO\Application Data\mIRC
2010-02-08 15:38 . 2010-01-04 09:24 -------- d-----w- c:\program files\mIRC
2010-02-05 17:20 . 2010-01-03 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 18:17 . 2010-01-03 19:19 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:30 . 2010-01-10 15:17 -------- d-----w- c:\documents and settings\TYCO\Application Data\Skype
2010-01-27 16:05 . 2010-01-10 15:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\skypePM
2010-01-26 16:19 . 2010-01-03 18:12 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-01-23 00:34 . 2010-01-08 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\Nero
2010-01-22 17:26 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nero
2010-01-22 17:23 . 2010-01-06 03:47 -------- d-----w- c:\program files\Common Files\Nero
2010-01-22 17:21 . 2010-01-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-17 12:33 . 2010-01-04 06:02 -------- d-----w- c:\program files\Nokia
2010-01-17 12:31 . 2010-01-04 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-17 12:19 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nokia
2010-01-17 06:08 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-10 17:17 . 2010-01-03 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-10 15:21 . 2010-01-10 15:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----r- c:\program files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\program files\Common Files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-10 14:31 . 2010-01-10 14:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\Apple Computer
2010-01-09 11:56 . 2010-01-09 11:56 28680 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 06:42 . 2010-01-09 06:42 -------- d-----w- c:\documents and settings\Family\Application Data\PC Suite
2010-01-07 16:38 . 2010-01-04 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 16:55 . 2010-01-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-06 13:07 . 2010-01-06 13:07 -------- d-----w- c:\program files\TeraCopy
2010-01-06 09:29 . 2010-01-06 09:29 -------- d-----w- c:\program files\MSXML 4.0
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\LimeWire
2010-01-06 01:51 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Bob\Application Data\ePaperPress
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_52D5F617C25478BAD90D68.exe
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_525AB3E17FA832EF7FEF72.exe
2010-01-06 01:48 . 2010-01-06 01:48 -------- d-----w- c:\program files\ePaperPress
2010-01-05 14:56 . 2010-01-05 14:56 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-05 14:54 . 2010-01-05 14:54 -------- d-----w- c:\program files\eRightSoft
2010-01-05 12:00 . 2010-01-04 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 04:16 . 2010-01-05 04:16 -------- d-----w- c:\documents and settings\Family\Application Data\BitDefender
2010-01-05 01:05 . 2010-01-03 17:14 28680 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:31 . 2010-01-04 16:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\VSRevoGroup
2010-01-04 16:29 . 2010-01-03 18:18 28680 ----a-w- c:\documents and settings\TYCO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:20 . 2010-01-04 03:22 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 11:58 . 2010-01-04 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-04 11:42 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\PC Suite
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-04 09:30 . 2010-01-04 09:29 -------- d-----w- c:\program files\GameSun
2010-01-04 06:04 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-04 06:04 . 2010-01-04 06:03 -------- d-----w- c:\program files\DIFX
2010-01-04 06:03 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-01-04 06:00 . 2010-01-04 06:00 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-04 06:00 . 2010-01-04 06:00 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-04 05:59 . 2010-01-04 06:00 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web.exe
2010-01-04 05:57 . 2010-01-04 05:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 03:46 . 2010-01-04 03:46 -------- d-----w- c:\program files\VS Revo Group
2010-01-04 03:21 . 2010-01-04 03:21 -------- d-----w- c:\program files\Microsoft.NET
2010-01-04 02:59 . 2010-01-04 02:49 -------- d-----w- c:\program files\Creative
2010-01-04 02:40 . 2010-01-04 02:40 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-04 02:40 . 2010-01-04 02:40 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-04 00:37 . 2010-01-03 17:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 00:35 . 2010-01-04 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-01-04 00:33 . 2010-01-04 00:10 -------- d-----w- c:\program files\epson
2010-01-04 00:31 . 2010-01-04 00:31 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2010-01-04 00:30 . 2010-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-04 00:12 . 2010-01-04 00:12 -------- d-----w- c:\documents and settings\Bob\Application Data\EPSON
2010-01-03 19:05 . 2010-01-03 17:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-03 18:48 . 2010-01-03 18:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\U3
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\ATI
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\BitDefender
2010-01-03 18:17 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-03 18:13 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\Bob\Application Data\BitDefender
2010-01-03 18:12 . 2010-01-03 18:11 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\BitDefender
2010-01-03 18:09 . 2010-01-03 18:09 -------- d-----w- c:\documents and settings\Bob\Application Data\U3
2010-01-03 18:03 . 2010-01-03 17:38 -------- d-----w- c:\program files\ATI
2010-01-03 18:01 . 2010-01-03 18:01 10134 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2006-05-03 10:06 . 2010-01-05 14:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-05 14:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-05 14:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.
CODE
<pre>
c:\program files\BitDefender\BitDefender 2010\bdagent .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr            .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr          .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr        .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr       .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr      .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr     .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr    .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Creative\SBAudigy\Surround Mixer\ctsysvol .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Nokia\Nokia PC Suite 7\pcsuite .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\uTorrent\utorrent                                 .exe
c:\program files\uTorrent\utorrent                                .exe
c:\program files\uTorrent\utorrent                               .exe
c:\program files\uTorrent\utorrent                              .exe
c:\program files\uTorrent\utorrent                             .exe
c:\program files\uTorrent\utorrent                            .exe
c:\program files\uTorrent\utorrent                           .exe
c:\program files\uTorrent\utorrent                          .exe
c:\program files\uTorrent\utorrent                         .exe
c:\program files\uTorrent\utorrent                        .exe
c:\program files\uTorrent\utorrent                       .exe
c:\program files\uTorrent\utorrent                      .exe
c:\program files\uTorrent\utorrent                     .exe
c:\program files\uTorrent\utorrent                    .exe
c:\program files\uTorrent\utorrent                   .exe
c:\program files\uTorrent\utorrent                  .exe
c:\program files\uTorrent\utorrent                 .exe
c:\program files\uTorrent\utorrent                .exe
c:\program files\uTorrent\utorrent               .exe
c:\program files\uTorrent\utorrent              .exe
c:\program files\uTorrent\utorrent             .exe
c:\program files\uTorrent\utorrent            .exe
c:\program files\uTorrent\utorrent           .exe
c:\program files\uTorrent\utorrent          .exe
c:\program files\uTorrent\utorrent         .exe
c:\program files\uTorrent\utorrent        .exe
c:\program files\uTorrent\utorrent       .exe
c:\program files\uTorrent\utorrent      .exe
c:\program files\uTorrent\utorrent     .exe
c:\program files\uTorrent\utorrent    .exe
c:\program files\uTorrent\utorrent   .exe
c:\program files\uTorrent\utorrent  .exe
c:\program files\uTorrent\utorrent .exe
c:\program files\Windows Live\Messenger\msnmsgr         .exe
c:\program files\Windows Live\Messenger\msnmsgr        .exe
c:\program files\Windows Live\Messenger\msnmsgr      .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\updreg .exe
c:\windows\PixArt\PAC207\monitor .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\spool\drivers\w32x86\3\e_fatiebs .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-02-14 39424]
"uTorrent"="c:\program files\utorrent\utorrent .exe" [2010-02-14 39424]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2010-02-14 39424]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-02-08 1120704]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="c:\windows\UpdReg.EXE" [2010-02-14 39424]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-02-14 39424]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent .exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/4/2010 1:17 AM 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\TYCO\LOCALS~1\Temp\HGE64.tmp --> c:\docume~1\TYCO\LOCALS~1\Temp\HGE64.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2/6/2010 1:20 AM 616064]
S4 .1262538362;1262538362;c:\program files\1262538362\Computer1262538362L.exe --> c:\program files\1262538362\Computer1262538362L.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-02-14 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]

2010-02-14 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 01:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TYCO\Application Data\Mozilla\Firefox\Profiles\gdtk1tkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 09:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\TYCO\LOCALS~1\Temp\HGE64.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\nokia\nokia pc suite 7\pcsuite .exe
.
**************************************************************************
.
Completion time: 2010-02-14 09:31:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 01:31

Pre-Run: 72,436,436,992 bytes free
Post-Run: 72,591,851,520 bytes free

- - End Of File - - 8D839990E31A6F1790A72BC16B2A9A60
C:\Documents and Settings\Bob\My Documents\Downloads\eac-0.99pb5.exe Win32/Adware.ADON application deleted - quarantined
C:\Documents and Settings\TYCO\Desktop\this is not a hacks folder!\cstrikeh4x\bi0sBase.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\TYCO\Desktop\this is not a hacks folder!\cstrikeh4x\bi0sBase\bi0sBase.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\TYCO\Local Settings\temp\wmpscfgs.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\TYCO\My Documents\Downloads\Nero 8.3.2.1+ Key By Miguelito.zip Win32/Toolbar.AskSBar application deleted - quarantined
C:\Documents and Settings\TYCO\My Documents\Downloads\Nero_BurningRom8.3.2.1_GM83_ESD_01_CD14808.exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\Program Files\Adobe\12423234.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\183781.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\242375.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\2715796.old Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\295500.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\3863140.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\527796.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\9281000.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\9301968.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\acrotray .exe Win32/Kryptik.CII.Gen trojan cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Nero\Lib\nmindexstoresvr.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Internet Explorer\js.mui probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Internet Explorer\wmpscfgs.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Internet Explorer\wmpscfgs.exe.delme136 probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Messenger\msmsgs.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Nokia\Nokia PC Suite 7\pcsuite.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\uTorrent\utorrent .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Adobe\acrotray .exe.vir Win32/TrojanDownloader.Unruy.BD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs .exe.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\updreg .exe.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\updreg .exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\updreg.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.12357546.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.2294265.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.238046.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.289875.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.3849515.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.9275796.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\app_dll.dll.9279781.old Win32/Agent.QSZ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\f2714156 .exe Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\wmpscfgs.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
F:\sysusb\usbdur.exe IRC/SdBot trojan cleaned by deleting - quarantined
Operating memory probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan contained infected files

Edited by paul02, 14 February 2010 - 07:37 AM.


#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 February 2010 - 01:17 PM

Hi,

Can you tell me if you have set these proxy settings in firefox?

FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
AtJob::
Collect::
c:\program files\1859234.dat
c:\program files\7939968.dat
c:\program files\20648500.dat
c:\program files\5233593.dat
c:\program files\10137328.dat
c:\program files\8108671.dat
File::
c:\program files\Windows Live\Messenger\msnmsgr         .exe
c:\program files\Windows Live\Messenger\msnmsgr        .exe
c:\program files\Windows Live\Messenger\msnmsgr      .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\uTorrent\utorrent                                 .exe
c:\program files\uTorrent\utorrent                                .exe
c:\program files\uTorrent\utorrent                               .exe
c:\program files\uTorrent\utorrent                              .exe
c:\program files\uTorrent\utorrent                             .exe
c:\program files\uTorrent\utorrent                            .exe
c:\program files\uTorrent\utorrent                           .exe
c:\program files\uTorrent\utorrent                          .exe
c:\program files\uTorrent\utorrent                         .exe
c:\program files\uTorrent\utorrent                        .exe
c:\program files\uTorrent\utorrent                       .exe
c:\program files\uTorrent\utorrent                      .exe
c:\program files\uTorrent\utorrent                     .exe
c:\program files\uTorrent\utorrent                    .exe
c:\program files\uTorrent\utorrent                   .exe
c:\program files\uTorrent\utorrent                  .exe
c:\program files\uTorrent\utorrent                 .exe
c:\program files\uTorrent\utorrent                .exe
c:\program files\uTorrent\utorrent               .exe
c:\program files\uTorrent\utorrent              .exe
c:\program files\uTorrent\utorrent             .exe
c:\program files\uTorrent\utorrent            .exe
c:\program files\uTorrent\utorrent           .exe
c:\program files\uTorrent\utorrent          .exe
c:\program files\uTorrent\utorrent         .exe
c:\program files\uTorrent\utorrent        .exe
c:\program files\uTorrent\utorrent       .exe
c:\program files\uTorrent\utorrent      .exe
c:\program files\uTorrent\utorrent     .exe
c:\program files\uTorrent\utorrent    .exe
c:\program files\uTorrent\utorrent   .exe
c:\program files\uTorrent\utorrent  .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr            .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr          .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr        .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr       .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr      .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr     .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr    .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr   .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr  .exe
RenV::
c:\program files\BitDefender\BitDefender 2010\bdagent .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Creative\SBAudigy\Surround Mixer\ctsysvol .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Nokia\Nokia PC Suite 7\pcsuite .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\uTorrent\utorrent .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\updreg .exe
c:\windows\PixArt\PAC207\monitor .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\spool\drivers\w32x86\3\e_fatiebs .exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
"c:\\Program Files\\uTorrent\\utorrent .exe"=-
Driver::
GarenaPEngine
.1262538362


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Once combofix has finished please run another scan with ESET and post back with both logs.

Thanks



#11 paul02 (Topic Starter)

Posted 15 February 2010 - 01:36 AM

Yes, I do use a proxy. This is because I can't access some sites in my country, as they do not load properly, so I use this proxy under SingNet. Here are the logs:


ComboFix 10-02-12.01 - TYCO 02/15/2010 10:38:17.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1520 [GMT 8:00]
Running from: c:\documents and settings\TYCO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TYCO\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

FILE ::
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\uTorrent\utorrent .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"
"c:\program files\Windows Live\Messenger\msnmsgr .exe"

file zipped: c:\program files\10137328.dat
file zipped: c:\program files\1859234.dat
file zipped: c:\program files\20648500.dat
file zipped: c:\program files\5233593.dat
file zipped: c:\program files\7939968.dat
file zipped: c:\program files\8108671.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\10137328.dat
c:\program files\1859234.dat
c:\program files\20648500.dat
c:\program files\5233593.dat
c:\program files\7939968.dat
c:\program files\8108671.dat
c:\program files\Adobe\acrotray .exe
c:\program files\Common Files\Nero\Lib\nmindexstoresvr .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\app_dll.dll
c:\windows\system32\ctfmon.exe.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE
-------\Service_.1262538362
-------\Service_GarenaPEngine


((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-14 01:32 . 2010-02-14 01:32 -------- d-----w- c:\program files\ESET
2010-02-12 17:11 . 2010-02-12 17:37 -------- d-----w- c:\program files\trend micro
2010-02-12 17:11 . 2010-02-14 01:08 -------- d-----w- C:\rsit
2010-02-07 23:30 . 2010-02-07 23:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-05 17:20 . 2007-10-04 09:42 48128 ----a-w- c:\windows\system32\Remove.exe
2010-02-05 17:20 . 2007-11-02 03:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2010-02-05 17:20 . 2007-10-25 10:31 616064 ----a-w- c:\windows\system32\drivers\PFC027.SYS
2010-02-05 17:20 . 2006-10-12 03:57 14336 ----a-w- c:\windows\system32\P207USD.dll
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\program files\Common Files\PAC207
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\windows\PixArt
2010-02-05 11:34 . 2010-02-14 03:13 -------- d-----w- c:\documents and settings\TYCO\Incomplete
2010-02-03 11:11 . 2010-02-03 11:11 0 ----a-w- c:\documents and settings\TYCO\settings.dat
2010-02-03 10:01 . 2010-02-03 10:01 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 10:01 . 2010-02-03 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 10:00 . 2010-02-03 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 02:59 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\Malwarebytes
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 07:51 . 2010-02-01 07:51 -------- d-----w- c:\documents and settings\TYCO\Application Data\Mael
2010-02-01 07:40 . 2010-02-01 07:40 -------- d-----w- c:\program files\HxD
2010-02-01 05:46 . 2010-02-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 05:46 . 2010-02-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 05:13 . 2010-02-14 13:28 -------- d-----w- c:\program files\Garena
2010-02-01 02:23 . 2010-02-01 02:23 -------- d-----w- C:\audio
2010-02-01 02:23 . 1999-02-09 21:04 240640 ----a-w- c:\windows\system32\sc1.dll
2010-02-01 02:23 . 1999-02-09 21:00 225280 ----a-w- c:\windows\system32\ML2.dll
2010-02-01 02:23 . 1998-04-30 06:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-01 02:23 . 1999-02-09 20:55 228352 ----a-w- c:\windows\system32\eqm.dll
2010-02-01 01:31 . 2010-02-01 01:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Help
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- C:\STOMP35
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- c:\windows\MVUNINST
2010-02-01 01:07 . 2010-02-01 01:07 -------- d-----w- c:\program files\MVAPPS
2010-01-30 01:17 . 2010-01-30 01:24 -------- d-----w- c:\documents and settings\Bob\Application Data\AccurateRip
2010-01-30 01:17 . 2010-01-30 01:18 -------- d-----w- c:\program files\Exact Audio Copy
2010-01-26 06:40 . 2010-01-26 06:40 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Identities
2010-01-25 13:46 . 2010-01-25 13:46 -------- d-----w- c:\documents and settings\TYCO\Application Data\EPSON
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Ahead
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Application Data\Nero
2010-01-23 00:34 . 2010-01-28 00:21 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Ahead
2010-01-22 17:31 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Ahead
2010-01-22 17:21 . 2010-01-22 17:21 -------- d-----w- c:\program files\Nero
2010-01-20 07:32 . 2010-01-20 07:32 -------- d-----w- c:\documents and settings\TYCO\Application Data\NeroDigital™
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-01-18 06:31 . 2010-01-18 06:31 -------- d-----w- c:\documents and settings\Bob\Application Data\PC Suite
2010-01-17 12:35 . 2010-01-17 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-17 12:33 . 2010-01-17 12:31 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en.exe
2010-01-17 12:32 . 2010-01-17 12:32 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-17 12:32 . 2010-01-17 12:32 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-17 12:32 . 2010-01-17 12:32 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-17 12:19 . 2010-01-17 12:19 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\NokiaAccount
2010-01-17 06:06 . 2010-02-14 10:43 -------- d-----w- c:\documents and settings\Family\Tracing
2010-01-17 06:06 . 2008-08-26 01:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-01-17 06:06 . 2010-01-17 06:06 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-01-17 06:05 . 2009-10-06 03:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-01-17 06:05 . 2009-10-06 03:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-01-17 06:05 . 2009-10-06 03:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-01-17 06:05 . 2009-10-06 03:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-01-17 06:04 . 2010-01-17 06:04 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 06:04 . 2010-01-17 06:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 06:04 . 2010-01-17 06:04 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 06:04 . 2010-01-17 06:04 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 06:01 . 2010-01-17 06:01 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
2010-01-17 06:01 . 2010-01-17 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 04:44 . 2010-01-17 04:44 3198 ----a-w- c:\windows\system32\wbers.dat
2010-01-17 04:36 . 2004-12-31 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-01-17 04:35 . 2010-01-17 04:35 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 04:32 . 2010-01-17 04:33 -------- d--h--w- c:\documents and settings\TYCO\Application Data\ijjigame
2010-01-16 15:31 . 2010-01-16 15:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 02:18 . 2010-01-04 05:36 -------- d-----w- c:\program files\Steam
2010-02-14 12:49 . 2010-01-06 13:08 -------- d-----w- c:\documents and settings\TYCO\Application Data\TeraCopy
2010-02-14 12:17 . 2010-01-03 18:12 -------- d-----w- c:\program files\Warcraft III
2010-02-14 03:35 . 2010-01-06 03:08 -------- d-----w- c:\program files\uTorrent
2010-02-14 03:19 . 2010-01-06 03:12 -------- d-----w- c:\documents and settings\TYCO\Application Data\LimeWire
2010-02-14 02:39 . 2010-01-15 05:46 -------- d-----w- c:\program files\Cheat Engine
2010-02-14 02:18 . 2010-01-06 03:07 -------- d-----w- c:\documents and settings\TYCO\Application Data\uTorrent
2010-02-11 09:38 . 2009-12-07 10:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-11 09:38 . 2009-12-07 10:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-11 09:13 . 2010-01-04 16:26 629720 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-08 16:51 . 2010-01-04 09:24 -------- d-----w- c:\documents and settings\TYCO\Application Data\mIRC
2010-02-08 15:38 . 2010-01-04 09:24 -------- d-----w- c:\program files\mIRC
2010-02-05 17:20 . 2010-01-03 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 18:17 . 2010-01-03 19:19 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:30 . 2010-01-10 15:17 -------- d-----w- c:\documents and settings\TYCO\Application Data\Skype
2010-01-27 16:05 . 2010-01-10 15:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\skypePM
2010-01-26 16:19 . 2010-01-03 18:12 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-01-23 00:34 . 2010-01-08 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\Nero
2010-01-22 17:26 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nero
2010-01-22 17:23 . 2010-01-06 03:47 -------- d-----w- c:\program files\Common Files\Nero
2010-01-22 17:21 . 2010-01-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-17 12:33 . 2010-01-04 06:02 -------- d-----w- c:\program files\Nokia
2010-01-17 12:31 . 2010-01-04 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-17 12:19 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nokia
2010-01-17 06:08 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-10 17:17 . 2010-01-03 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-10 15:21 . 2010-01-10 15:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----r- c:\program files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\program files\Common Files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-10 14:31 . 2010-01-10 14:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\Apple Computer
2010-01-09 11:56 . 2010-01-09 11:56 28680 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 06:42 . 2010-01-09 06:42 -------- d-----w- c:\documents and settings\Family\Application Data\PC Suite
2010-01-07 16:38 . 2010-01-04 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 16:55 . 2010-01-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-06 13:07 . 2010-01-06 13:07 -------- d-----w- c:\program files\TeraCopy
2010-01-06 09:29 . 2010-01-06 09:29 -------- d-----w- c:\program files\MSXML 4.0
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\LimeWire
2010-01-06 01:51 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Bob\Application Data\ePaperPress
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_52D5F617C25478BAD90D68.exe
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_525AB3E17FA832EF7FEF72.exe
2010-01-06 01:48 . 2010-01-06 01:48 -------- d-----w- c:\program files\ePaperPress
2010-01-05 14:56 . 2010-01-05 14:56 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-05 14:54 . 2010-01-05 14:54 -------- d-----w- c:\program files\eRightSoft
2010-01-05 12:00 . 2010-01-04 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 04:16 . 2010-01-05 04:16 -------- d-----w- c:\documents and settings\Family\Application Data\BitDefender
2010-01-05 01:05 . 2010-01-03 17:14 28680 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:31 . 2010-01-04 16:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\VSRevoGroup
2010-01-04 16:29 . 2010-01-03 18:18 28680 ----a-w- c:\documents and settings\TYCO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:20 . 2010-01-04 03:22 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 11:58 . 2010-01-04 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-04 11:42 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\PC Suite
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-04 09:30 . 2010-01-04 09:29 -------- d-----w- c:\program files\GameSun
2010-01-04 06:04 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-04 06:04 . 2010-01-04 06:03 -------- d-----w- c:\program files\DIFX
2010-01-04 06:03 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-01-04 06:00 . 2010-01-04 06:00 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-04 06:00 . 2010-01-04 06:00 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-04 05:59 . 2010-01-04 06:00 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web.exe
2010-01-04 05:57 . 2010-01-04 05:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 03:46 . 2010-01-04 03:46 -------- d-----w- c:\program files\VS Revo Group
2010-01-04 03:21 . 2010-01-04 03:21 -------- d-----w- c:\program files\Microsoft.NET
2010-01-04 02:59 . 2010-01-04 02:49 -------- d-----w- c:\program files\Creative
2010-01-04 02:40 . 2010-01-04 02:40 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-04 02:40 . 2010-01-04 02:40 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-04 00:37 . 2010-01-03 17:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 00:35 . 2010-01-04 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-01-04 00:33 . 2010-01-04 00:10 -------- d-----w- c:\program files\epson
2010-01-04 00:31 . 2010-01-04 00:31 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2010-01-04 00:30 . 2010-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-04 00:12 . 2010-01-04 00:12 -------- d-----w- c:\documents and settings\Bob\Application Data\EPSON
2010-01-03 19:05 . 2010-01-03 17:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-03 18:48 . 2010-01-03 18:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\U3
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\ATI
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\BitDefender
2010-01-03 18:17 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-03 18:13 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\Bob\Application Data\BitDefender
2010-01-03 18:12 . 2010-01-03 18:11 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\BitDefender
2010-01-03 18:09 . 2010-01-03 18:09 -------- d-----w- c:\documents and settings\Bob\Application Data\U3
2010-01-03 18:03 . 2010-01-03 17:38 -------- d-----w- c:\program files\ATI
2010-01-03 18:01 . 2010-01-03 18:01 10134 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\documents and settings\Bob\Application Data\ATI
2006-05-03 10:06 . 2010-01-05 14:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-05 14:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-05 14:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.
c:\program files\BitDefender\BitDefender 2010\bdagent .exe
c:\program files\uTorrent\utorrent                                  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\ctfmon .exe


((((((((((((((((((((((((((((( SnapShot@2010-02-14_01.27.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\PixArt\PAC207\monitor .exe
+ 2010-02-15 02:45 . 2010-02-15 02:45 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2010-02-14 03:01 . 2010-02-15 02:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-06 06:01 . 2010-02-14 01:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-14 02:19 . 2010-02-14 02:19 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
- 2010-02-14 01:13 . 2010-02-14 01:13 80395 c:\windows\Installer\{A85FD55B-891B-4314-97A5-EA96C0BD80B5}\MsblIco.Exe
+ 2010-01-04 00:30 . 2007-11-30 06:00 188928 c:\windows\system32\spool\drivers\w32x86\3\e_fatiebs.exe
+ 2010-01-03 17:07 . 2010-02-15 02:29 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-03 17:07 . 2010-02-14 01:25 131072 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-14 02:19 . 2010-02-14 02:19 430080 c:\windows\Installer\24a45.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-02-08 1120704]
"P17Helper"="P17.dll" [2005-05-03 64512]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/4/2010 1:17 AM 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2/6/2010 1:20 AM 616064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TYCO\Application Data\Mozilla\Firefox\Profiles\gdtk1tkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
.
**************************************************************************
.
Completion time: 2010-02-15 10:50:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-15 02:50
ComboFix2.txt 2010-02-14 01:31

Pre-Run: 72,253,550,592 bytes free
Post-Run: 72,160,858,112 bytes free

- - End Of File - - A12B225FDBB4D4B651163329F607E572







C:\Documents and Settings\TYCO\Local Settings\temp\f3801609 .exe Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\11104500.old Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\3803281.old Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\Program Files\Adobe\acrotray .exe Win32/Kryptik.CII.Gen trojan cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Windows Live\Messenger\msnmsgr.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Adobe\acrotray .exe.vir Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting (after the next restart) - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001322.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001414.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001422.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001428.exe Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001430.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001449.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001450.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001597.old Win32/Kryptik.CII.Gen trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{92960791-E614-4CFF-9269-0A3BEC330AD5}\RP5\A0001598.exe probably a variant of Win32/TrojanDownloader.Unruy.AZ trojan cleaned by deleting - quarantined

Edited by paul02, 15 February 2010 - 06:00 AM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:50 AM

Posted 15 February 2010 - 12:22 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\BitDefender\BitDefender 2010\bdagent .exe
c:\program files\uTorrent\utorrent                                  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\ctfmon .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#13 paul02

paul02
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 15 February 2010 - 09:41 PM

ComboFix 10-02-12.01 - TYCO 02/16/2010 10:27:44.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1617 [GMT 8:00]
Running from: c:\documents and settings\TYCO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TYCO\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\app_dll.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.

2010-02-14 01:32 . 2010-02-14 01:32 -------- d-----w- c:\program files\ESET
2010-02-12 17:11 . 2010-02-12 17:37 -------- d-----w- c:\program files\trend micro
2010-02-07 23:30 . 2010-02-07 23:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-05 17:20 . 2007-10-04 09:42 48128 ----a-w- c:\windows\system32\Remove.exe
2010-02-05 17:20 . 2007-11-02 03:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2010-02-05 17:20 . 2007-10-25 10:31 616064 ----a-w- c:\windows\system32\drivers\PFC027.SYS
2010-02-05 17:20 . 2006-10-12 03:57 14336 ----a-w- c:\windows\system32\P207USD.dll
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\program files\Common Files\PAC207
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\windows\PixArt
2010-02-05 11:34 . 2010-02-15 15:10 -------- d-----w- c:\documents and settings\TYCO\Incomplete
2010-02-03 11:11 . 2010-02-03 11:11 0 ----a-w- c:\documents and settings\TYCO\settings.dat
2010-02-03 10:01 . 2010-02-03 10:01 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 10:01 . 2010-02-03 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 10:00 . 2010-02-03 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 02:59 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\Malwarebytes
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 07:51 . 2010-02-01 07:51 -------- d-----w- c:\documents and settings\TYCO\Application Data\Mael
2010-02-01 07:40 . 2010-02-01 07:40 -------- d-----w- c:\program files\HxD
2010-02-01 05:46 . 2010-02-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 05:46 . 2010-02-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 05:13 . 2010-02-15 12:11 -------- d-----w- c:\program files\Garena
2010-02-01 02:23 . 2010-02-01 02:23 -------- d-----w- C:\audio
2010-02-01 02:23 . 1999-02-09 21:04 240640 ----a-w- c:\windows\system32\sc1.dll
2010-02-01 02:23 . 1999-02-09 21:00 225280 ----a-w- c:\windows\system32\ML2.dll
2010-02-01 02:23 . 1998-04-30 06:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-01 02:23 . 1999-02-09 20:55 228352 ----a-w- c:\windows\system32\eqm.dll
2010-02-01 01:31 . 2010-02-01 01:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Help
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- C:\STOMP35
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- c:\windows\MVUNINST
2010-02-01 01:07 . 2010-02-01 01:07 -------- d-----w- c:\program files\MVAPPS
2010-01-30 01:17 . 2010-01-30 01:24 -------- d-----w- c:\documents and settings\Bob\Application Data\AccurateRip
2010-01-30 01:17 . 2010-01-30 01:18 -------- d-----w- c:\program files\Exact Audio Copy
2010-01-26 06:40 . 2010-01-26 06:40 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Identities
2010-01-25 13:46 . 2010-01-25 13:46 -------- d-----w- c:\documents and settings\TYCO\Application Data\EPSON
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Ahead
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Application Data\Nero
2010-01-23 00:34 . 2010-01-28 00:21 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Ahead
2010-01-22 17:31 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Ahead
2010-01-22 17:21 . 2010-01-22 17:21 -------- d-----w- c:\program files\Nero
2010-01-20 07:32 . 2010-01-20 07:32 -------- d-----w- c:\documents and settings\TYCO\Application Data\NeroDigital™
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-01-18 06:31 . 2010-01-18 06:31 -------- d-----w- c:\documents and settings\Bob\Application Data\PC Suite
2010-01-17 12:35 . 2010-01-17 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-17 12:33 . 2010-01-17 12:31 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en.exe
2010-01-17 12:32 . 2010-01-17 12:32 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-17 12:32 . 2010-01-17 12:32 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-17 12:32 . 2010-01-17 12:32 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-17 12:19 . 2010-01-17 12:19 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\NokiaAccount
2010-01-17 06:06 . 2010-02-14 10:43 -------- d-----w- c:\documents and settings\Family\Tracing
2010-01-17 06:06 . 2008-08-26 01:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-01-17 06:06 . 2010-01-17 06:06 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-01-17 06:05 . 2009-10-06 03:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-01-17 06:05 . 2009-10-06 03:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-01-17 06:05 . 2009-10-06 03:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-01-17 06:05 . 2009-10-06 03:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-01-17 06:05 . 2009-10-06 03:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-01-17 06:04 . 2010-01-17 06:04 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 06:04 . 2010-01-17 06:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 06:04 . 2010-01-17 06:04 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 06:04 . 2010-01-17 06:04 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 06:01 . 2010-01-17 06:01 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
2010-01-17 06:01 . 2010-01-17 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 04:44 . 2010-01-17 04:44 3198 ----a-w- c:\windows\system32\wbers.dat
2010-01-17 04:36 . 2004-12-31 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-01-17 04:35 . 2010-01-17 04:35 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 04:32 . 2010-01-17 04:33 -------- d--h--w- c:\documents and settings\TYCO\Application Data\ijjigame

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 02:27 . 2010-01-06 03:08 -------- d-----w- c:\program files\uTorrent
2010-02-16 01:55 . 2010-01-04 05:36 -------- d-----w- c:\program files\Steam
2010-02-15 15:15 . 2010-01-04 09:24 -------- d-----w- c:\documents and settings\TYCO\Application Data\mIRC
2010-02-15 15:11 . 2010-01-06 03:12 -------- d-----w- c:\documents and settings\TYCO\Application Data\LimeWire
2010-02-15 15:01 . 2010-01-04 09:24 -------- d-----w- c:\program files\mIRC
2010-02-15 12:06 . 2010-01-06 13:08 -------- d-----w- c:\documents and settings\TYCO\Application Data\TeraCopy
2010-02-15 11:07 . 2010-01-03 18:12 -------- d-----w- c:\program files\Warcraft III
2010-02-14 02:39 . 2010-01-15 05:46 -------- d-----w- c:\program files\Cheat Engine
2010-02-14 02:18 . 2010-01-06 03:07 -------- d-----w- c:\documents and settings\TYCO\Application Data\uTorrent
2010-02-11 09:38 . 2009-12-07 10:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-11 09:38 . 2009-12-07 10:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-11 09:13 . 2010-01-04 16:26 629720 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-05 17:20 . 2010-01-03 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 18:17 . 2010-01-03 19:19 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:30 . 2010-01-10 15:17 -------- d-----w- c:\documents and settings\TYCO\Application Data\Skype
2010-01-27 16:05 . 2010-01-10 15:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\skypePM
2010-01-26 16:19 . 2010-01-03 18:12 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-01-23 00:34 . 2010-01-08 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\Nero
2010-01-22 17:26 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nero
2010-01-22 17:23 . 2010-01-06 03:47 -------- d-----w- c:\program files\Common Files\Nero
2010-01-22 17:21 . 2010-01-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-17 12:33 . 2010-01-04 06:02 -------- d-----w- c:\program files\Nokia
2010-01-17 12:31 . 2010-01-04 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-17 12:19 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nokia
2010-01-17 06:08 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-10 17:17 . 2010-01-03 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-10 15:21 . 2010-01-10 15:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----r- c:\program files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\program files\Common Files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-10 14:31 . 2010-01-10 14:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\Apple Computer
2010-01-09 11:56 . 2010-01-09 11:56 28680 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 06:42 . 2010-01-09 06:42 -------- d-----w- c:\documents and settings\Family\Application Data\PC Suite
2010-01-07 16:38 . 2010-01-04 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 16:55 . 2010-01-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-06 13:07 . 2010-01-06 13:07 -------- d-----w- c:\program files\TeraCopy
2010-01-06 09:29 . 2010-01-06 09:29 -------- d-----w- c:\program files\MSXML 4.0
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\LimeWire
2010-01-06 01:51 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Bob\Application Data\ePaperPress
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_52D5F617C25478BAD90D68.exe
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_525AB3E17FA832EF7FEF72.exe
2010-01-06 01:48 . 2010-01-06 01:48 -------- d-----w- c:\program files\ePaperPress
2010-01-05 14:56 . 2010-01-05 14:56 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-05 14:54 . 2010-01-05 14:54 -------- d-----w- c:\program files\eRightSoft
2010-01-05 12:00 . 2010-01-04 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 04:16 . 2010-01-05 04:16 -------- d-----w- c:\documents and settings\Family\Application Data\BitDefender
2010-01-05 01:05 . 2010-01-03 17:14 28680 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:31 . 2010-01-04 16:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\VSRevoGroup
2010-01-04 16:29 . 2010-01-03 18:18 28680 ----a-w- c:\documents and settings\TYCO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:20 . 2010-01-04 03:22 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 11:58 . 2010-01-04 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-04 11:42 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\PC Suite
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-04 09:30 . 2010-01-04 09:29 -------- d-----w- c:\program files\GameSun
2010-01-04 06:04 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-04 06:04 . 2010-01-04 06:03 -------- d-----w- c:\program files\DIFX
2010-01-04 06:03 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-01-04 06:00 . 2010-01-04 06:00 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-04 06:00 . 2010-01-04 06:00 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-04 05:59 . 2010-01-04 06:00 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web.exe
2010-01-04 05:57 . 2010-01-04 05:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 03:46 . 2010-01-04 03:46 -------- d-----w- c:\program files\VS Revo Group
2010-01-04 03:21 . 2010-01-04 03:21 -------- d-----w- c:\program files\Microsoft.NET
2010-01-04 02:59 . 2010-01-04 02:49 -------- d-----w- c:\program files\Creative
2010-01-04 02:40 . 2010-01-04 02:40 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-04 02:40 . 2010-01-04 02:40 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-04 00:37 . 2010-01-03 17:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 00:35 . 2010-01-04 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-01-04 00:33 . 2010-01-04 00:10 -------- d-----w- c:\program files\epson
2010-01-04 00:31 . 2010-01-04 00:31 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2010-01-04 00:30 . 2010-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-04 00:12 . 2010-01-04 00:12 -------- d-----w- c:\documents and settings\Bob\Application Data\EPSON
2010-01-03 19:05 . 2010-01-03 17:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-03 18:48 . 2010-01-03 18:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\U3
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\wsbl.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_white.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_summ.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\ph_black.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords2.dat
2010-01-03 18:25 . 2010-01-03 18:25 0 ----a-w- c:\windows\system32\pcwords.dat
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\ATI
2010-01-03 18:18 . 2010-01-03 18:18 -------- d-----w- c:\documents and settings\TYCO\Application Data\BitDefender
2010-01-03 18:17 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-03 18:13 . 2010-01-03 18:12 -------- d-----w- c:\documents and settings\Bob\Application Data\BitDefender
2010-01-03 18:12 . 2010-01-03 18:11 -------- d-----w- c:\program files\Common Files\BitDefender
2010-01-03 18:12 . 2010-01-03 18:12 -------- d-----w- c:\program files\BitDefender
2010-01-03 18:09 . 2010-01-03 18:09 -------- d-----w- c:\documents and settings\Bob\Application Data\U3
2010-01-03 18:03 . 2010-01-03 17:38 -------- d-----w- c:\program files\ATI
2010-01-03 18:01 . 2010-01-03 18:01 10134 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2010-01-03 17:57 . 2010-01-03 17:57 -------- d-----w- c:\documents and settings\Bob\Application Data\ATI
2006-05-03 10:06 . 2010-01-05 14:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-05 14:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-05 14:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.
CODE
c:\program files\BitDefender\BitDefender 2010\bdagent .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-02-08 1120704]
"P17Helper"="P17.dll" [2005-05-03 64512]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/4/2010 1:17 AM 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2/6/2010 1:20 AM 616064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TYCO\Application Data\Mozilla\Firefox\Profiles\gdtk1tkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-16 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
.
**************************************************************************
.
Completion time: 2010-02-16 10:39:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-16 02:39

Pre-Run: 67,559,043,072 bytes free
Post-Run: 67,543,543,808 bytes free

- - End Of File - - DE0B5E4F93326CF2398A017AB6479C61


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:50 AM

Posted 16 February 2010 - 11:07 AM

Hi,

Please tell me in your next reply if you are still having any problems.


Run TFC again then do the following instructions.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\program files\BitDefender\BitDefender 2010\bdagent .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Combofix.txt
  • MBAM log
  • Kaspersky report

Thanks

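Added example (not from this thread, from ComboFix, or from any tool named here): a small Python triage script for the pattern the RenV:: lines in #12 and the File:: line in #14 deal with, file names with whitespace padded in before the extension such as `msnmsgr .exe`, `bdagent .exe` and the padded `utorrent .exe`. It parses a constructed sample laid out like ComboFix's Reg Loading Points section; every sample entry except the msnmsgr line, and the reading of `[N/A]` as "file metadata unavailable", are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# The msnmsgr line mirrors the one in this thread; the other entries are made
# up for the demonstration (BDAgent and Monitor stand in for clean entries).
SAMPLE_LOADING_POINTS = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-02-08 1120704]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"ctfmon"="c:\windows\system32\ctfmon .exe" [N/A]
"uTorrent"="c:\program files\uTorrent\utorrent        .exe" [N/A]
"Viewer"="c:\program files\Example\viewer.exe" [N/A]
"""

# One autostart value line:  "name"="image path" [date size]   (metadata optional)
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$'
)
# A real character, then whitespace, then a short extension at the end of the
# file name: "msnmsgr .exe", "utorrent        .exe", "bdagent .exe".
_PADDED_EXT_RE = re.compile(r"\S\s+\.[A-Za-z0-9]{1,4}$")


@dataclass(frozen=True)
class Finding:
    key: str
    value_name: str
    image_path: str
    reasons: Tuple[str, ...]


def basename(path: str) -> str:
    """Last component of a Windows path (accepts either slash kind)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def has_padded_extension(path: str) -> bool:
    """True when the file name has whitespace between its stem and extension."""
    return _PADDED_EXT_RE.search(basename(path)) is not None


def canonical_name(path: str) -> str:
    """File name with the padding removed, i.e. the legitimate name it imitates."""
    return re.sub(r"\s+(?=\.[A-Za-z0-9]{1,4}$)", "", basename(path))


def parse_loading_points(text: str) -> Iterator[Tuple[str, str, str, Optional[str]]]:
    """Yield (registry key, value name, image path, metadata) per value line."""
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key header
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("path"), m.group("meta")


def triage(text: str) -> List[Finding]:
    """Flag autostart entries worth a second look.

    Two signals: whitespace padding before the extension (the masquerade
    seen in this thread) and, as a weaker hint, a [N/A] metadata field,
    which this example assumes means the file's date and size could not
    be read when the log was produced.
    """
    findings: List[Finding] = []
    for key, name, path, meta in parse_loading_points(text):
        reasons = []
        if has_padded_extension(path):
            reasons.append("whitespace before extension (imitates %s)" % canonical_name(path))
        if meta is not None and meta.strip().upper() == "N/A":
            reasons.append("no file metadata recorded")
        if reasons:
            findings.append(Finding(key, name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOADING_POINTS):
        print("%s\\%s -> %r" % (f.key, f.value_name, f.image_path))
        for r in f.reasons:
            print("    - " + r)
```

Entries that trip only the metadata check (the constructed Viewer line) are weaker leads than padded names and should be confirmed against the file on disk before anything is scripted against them.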


#15 paul02

paul02
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 17 February 2010 - 07:41 PM

For some reason, my Firefox crashes after I tick Save As for Kaspersky Online Scanner. Here are the other 2 logs.


ComboFix 10-02-12.01 - TYCO 02/17/2010 23:25:28.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1499 [GMT 8:00]
Running from: c:\documents and settings\TYCO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TYCO\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

FILE ::
"c:\program files\BitDefender\BitDefender 2010\bdagent .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\BitDefender\BitDefender 2010\bdagent .exe

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-17 14:22 . 2010-02-17 14:23 -------- d-----w- c:\documents and settings\Family\Application Data\Ahead
2010-02-16 13:44 . 2010-02-16 14:17 -------- d-----w- c:\documents and settings\TYCO\Application Data\Ahead
2010-02-16 13:44 . 2010-02-16 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2010-02-16 13:42 . 2010-02-16 13:43 -------- d-----w- c:\program files\Common Files\Ahead
2010-02-16 13:42 . 2010-02-16 13:42 -------- d-----w- c:\program files\Nero
2010-02-16 10:50 . 2008-02-28 05:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
2010-02-14 01:32 . 2010-02-14 01:32 -------- d-----w- c:\program files\ESET
2010-02-12 17:11 . 2010-02-12 17:37 -------- d-----w- c:\program files\trend micro
2010-02-07 23:30 . 2010-02-07 23:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-05 17:20 . 2007-10-04 09:42 48128 ----a-w- c:\windows\system32\Remove.exe
2010-02-05 17:20 . 2007-11-02 03:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2010-02-05 17:20 . 2007-10-25 10:31 616064 ----a-w- c:\windows\system32\drivers\PFC027.SYS
2010-02-05 17:20 . 2006-10-12 03:57 14336 ----a-w- c:\windows\system32\P207USD.dll
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\program files\Common Files\PAC207
2010-02-05 17:20 . 2010-02-05 17:20 -------- d-----w- c:\windows\PixArt
2010-02-05 11:34 . 2010-02-15 15:10 -------- d-----w- c:\documents and settings\TYCO\Incomplete
2010-02-03 11:11 . 2010-02-03 11:11 0 ----a-w- c:\documents and settings\TYCO\settings.dat
2010-02-03 10:01 . 2010-02-03 10:01 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 10:01 . 2010-02-03 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 10:00 . 2010-02-03 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 02:59 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\Malwarebytes
2010-02-02 12:21 . 2010-02-02 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 07:51 . 2010-02-01 07:51 -------- d-----w- c:\documents and settings\TYCO\Application Data\Mael
2010-02-01 07:40 . 2010-02-01 07:40 -------- d-----w- c:\program files\HxD
2010-02-01 05:46 . 2010-02-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 05:46 . 2010-02-01 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-01 05:13 . 2010-02-16 02:50 -------- d-----w- c:\program files\Garena
2010-02-01 02:23 . 2010-02-01 02:23 -------- d-----w- C:\audio
2010-02-01 02:23 . 1999-02-09 21:04 240640 ----a-w- c:\windows\system32\sc1.dll
2010-02-01 02:23 . 1999-02-09 21:00 225280 ----a-w- c:\windows\system32\ML2.dll
2010-02-01 02:23 . 1998-04-30 06:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-01 02:23 . 1999-02-09 20:55 228352 ----a-w- c:\windows\system32\eqm.dll
2010-02-01 01:31 . 2010-02-01 01:31 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Help
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- C:\STOMP35
2010-02-01 01:07 . 2010-02-01 01:08 -------- d-----w- c:\windows\MVUNINST
2010-02-01 01:07 . 2010-02-01 01:07 -------- d-----w- c:\program files\MVAPPS
2010-01-30 01:17 . 2010-01-30 01:24 -------- d-----w- c:\documents and settings\Bob\Application Data\AccurateRip
2010-01-30 01:17 . 2010-01-30 01:18 -------- d-----w- c:\program files\Exact Audio Copy
2010-01-26 06:40 . 2010-01-26 06:40 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Identities
2010-01-25 13:46 . 2010-01-25 13:46 -------- d-----w- c:\documents and settings\TYCO\Application Data\EPSON
2010-01-23 04:55 . 2010-02-17 14:22 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Ahead
2010-01-23 04:55 . 2010-01-23 04:55 -------- d-----w- c:\documents and settings\Family\Application Data\Nero
2010-01-23 00:34 . 2010-01-28 00:21 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Ahead
2010-01-22 17:31 . 2010-01-22 17:31 -------- d-----w- c:\documents and settings\TYCO\Local Settings\Application Data\Ahead
2010-01-20 07:32 . 2010-01-20 07:32 -------- d-----w- c:\documents and settings\TYCO\Application Data\NeroDigital™
2010-01-20 07:15 . 2010-01-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 15:30 . 2010-01-06 03:07 -------- d-----w- c:\documents and settings\TYCO\Application Data\uTorrent
2010-02-17 15:19 . 2010-01-04 09:24 -------- d-----w- c:\documents and settings\TYCO\Application Data\mIRC
2010-02-17 15:18 . 2010-01-04 09:24 -------- d-----w- c:\program files\mIRC
2010-02-17 06:49 . 2010-01-04 05:36 -------- d-----w- c:\program files\Steam
2010-02-16 17:16 . 2010-01-06 13:08 -------- d-----w- c:\documents and settings\TYCO\Application Data\TeraCopy
2010-02-16 16:51 . 2010-01-04 16:26 629720 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-16 13:42 . 2010-01-06 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-02-16 10:51 . 2010-01-06 03:47 -------- d-----w- c:\program files\Common Files\Nero
2010-02-16 04:48 . 2010-01-03 18:12 -------- d-----w- c:\program files\Warcraft III
2010-02-16 02:27 . 2010-01-06 03:08 -------- d-----w- c:\program files\uTorrent
2010-02-15 15:11 . 2010-01-06 03:12 -------- d-----w- c:\documents and settings\TYCO\Application Data\LimeWire
2010-02-14 02:39 . 2010-01-15 05:46 -------- d-----w- c:\program files\Cheat Engine
2010-02-11 09:38 . 2009-12-07 10:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-11 09:38 . 2009-12-07 10:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-05 17:20 . 2010-01-03 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-28 18:17 . 2010-01-03 19:19 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-01-27 17:30 . 2010-01-10 15:17 -------- d-----w- c:\documents and settings\TYCO\Application Data\Skype
2010-01-27 16:05 . 2010-01-10 15:21 -------- d-----w- c:\documents and settings\TYCO\Application Data\skypePM
2010-01-26 16:19 . 2010-01-03 18:12 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-01-23 00:34 . 2010-01-08 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\Nero
2010-01-22 17:26 . 2010-01-06 04:05 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nero
2010-01-18 06:31 . 2010-01-18 06:31 -------- d-----w- c:\documents and settings\Bob\Application Data\PC Suite
2010-01-17 12:35 . 2010-01-17 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-17 12:33 . 2010-01-04 06:02 -------- d-----w- c:\program files\Nokia
2010-01-17 12:32 . 2010-01-17 12:32 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-17 12:32 . 2010-01-17 12:32 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-17 12:32 . 2010-01-17 12:32 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-17 12:31 . 2010-01-04 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-17 12:31 . 2010-01-17 12:33 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en.exe
2010-01-17 12:19 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\Nokia
2010-01-17 06:08 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-17 06:06 . 2010-01-17 06:06 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 06:04 . 2010-01-17 06:04 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 06:04 . 2010-01-17 06:04 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 06:04 . 2010-01-17 06:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 06:04 . 2010-01-17 06:04 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 06:04 . 2010-01-17 06:04 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 06:01 . 2010-01-17 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 06:01 . 2010-01-17 06:01 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
2010-01-17 04:44 . 2010-01-17 04:44 3198 ----a-w- c:\windows\system32\wbers.dat
2010-01-17 04:35 . 2010-01-17 04:35 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 04:33 . 2010-01-17 04:32 -------- d--h--w- c:\documents and settings\TYCO\Application Data\ijjigame
2010-01-10 17:17 . 2010-01-03 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-10 15:21 . 2010-01-10 15:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----r- c:\program files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\program files\Common Files\Skype
2010-01-10 15:16 . 2010-01-10 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-10 14:31 . 2010-01-10 14:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\Apple Computer
2010-01-09 11:56 . 2010-01-09 11:56 28680 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 06:42 . 2010-01-09 06:42 -------- d-----w- c:\documents and settings\Family\Application Data\PC Suite
2010-01-07 16:38 . 2010-01-04 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 16:55 . 2010-01-06 16:54 -------- d-----w- c:\program files\QuickTime
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- c:\program files\Common Files\Apple
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\program files\Apple Software Update
2010-01-06 16:53 . 2010-01-06 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-06 13:07 . 2010-01-06 13:07 -------- d-----w- c:\program files\TeraCopy
2010-01-06 09:29 . 2010-01-06 09:29 -------- d-----w- c:\program files\MSXML 4.0
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\LimeWire
2010-01-06 01:51 . 2010-01-06 01:51 -------- d-----w- c:\documents and settings\Bob\Application Data\ePaperPress
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_52D5F617C25478BAD90D68.exe
2010-01-06 01:48 . 2010-01-06 01:48 2734 ----a-r- c:\documents and settings\Bob\Application Data\Microsoft\Installer\{9D3CA274-0A7C-4F37-BC58-B9F142051A5A}\_525AB3E17FA832EF7FEF72.exe
2010-01-06 01:48 . 2010-01-06 01:48 -------- d-----w- c:\program files\ePaperPress
2010-01-05 14:56 . 2010-01-05 14:56 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-05 14:54 . 2010-01-05 14:54 -------- d-----w- c:\program files\eRightSoft
2010-01-05 12:00 . 2010-01-04 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 04:16 . 2010-01-05 04:16 -------- d-----w- c:\documents and settings\Family\Application Data\BitDefender
2010-01-05 01:05 . 2010-01-03 17:14 28680 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:31 . 2010-01-04 16:31 -------- d-----w- c:\documents and settings\TYCO\Application Data\VSRevoGroup
2010-01-04 16:29 . 2010-01-03 18:18 28680 ----a-w- c:\documents and settings\TYCO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-04 16:20 . 2010-01-04 03:22 -------- d-----w- c:\program files\Microsoft Works
2010-01-04 11:58 . 2010-01-04 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-04 11:42 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\TYCO\Application Data\PC Suite
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-04 11:42 . 2010-01-04 11:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-04 09:30 . 2010-01-04 09:29 -------- d-----w- c:\program files\GameSun
2010-01-04 06:04 . 2010-01-04 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-04 06:04 . 2010-01-04 06:03 -------- d-----w- c:\program files\DIFX
2010-01-04 06:03 . 2010-01-04 06:03 -------- d-----w- c:\program files\Common Files\PCSuite
2010-01-04 06:00 . 2010-01-04 06:00 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-04 06:00 . 2010-01-04 06:00 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-04 06:00 . 2010-01-04 06:00 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-04 05:59 . 2010-01-04 06:00 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_web.exe
2010-01-04 05:57 . 2010-01-04 05:56 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 03:46 . 2010-01-04 03:46 -------- d-----w- c:\program files\VS Revo Group
2010-01-04 03:21 . 2010-01-04 03:21 -------- d-----w- c:\program files\Microsoft.NET
2010-01-04 02:59 . 2010-01-04 02:49 -------- d-----w- c:\program files\Creative
2010-01-04 02:40 . 2010-01-04 02:40 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-01-04 02:40 . 2010-01-04 02:40 16 ----a-w- c:\windows\system32\asdict.dat
2010-01-04 00:37 . 2010-01-03 17:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-04 00:35 . 2010-01-04 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-01-04 00:33 . 2010-01-04 00:10 -------- d-----w- c:\program files\epson
2010-01-04 00:31 . 2010-01-04 00:31 -------- d-----w- c:\documents and settings\Bob\Application Data\InstallShield
2010-01-04 00:30 . 2010-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-04 00:12 . 2010-01-04 00:12 -------- d-----w- c:\documents and settings\Bob\Application Data\EPSON
2006-05-03 10:06 . 2010-01-05 14:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-05 14:54 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-05 14:54 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-16_02.35.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-02-16 02:34 . 2010-02-16 02:34 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2010-02-17 15:31 . 2010-02-17 15:31 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2007-05-16 01:18 . 2007-05-16 01:18 95864 c:\windows\system32\NeroCo.dll
- 2008-02-18 08:21 . 2008-02-18 08:21 11304 c:\windows\system32\drivers\imagedrv.sys
+ 2007-07-03 11:10 . 2007-07-03 11:10 11304 c:\windows\system32\drivers\imagedrv.sys
+ 2010-02-16 13:43 . 2010-02-16 13:43 25214 c:\windows\Installer\{CF097717-F174-4144-954A-FBC4BF301033}\ARPPRODUCTICON.exe
+ 2007-04-23 08:42 . 2007-04-23 08:42 972336 c:\windows\UNRecode.exe
+ 2007-06-26 06:12 . 2007-06-26 06:12 972072 c:\windows\UNNeroVision.exe
+ 2007-02-28 08:41 . 2007-02-28 08:41 972336 c:\windows\UNNeroShowTime.exe
- 2007-02-28 07:41 . 2007-02-28 07:41 972336 c:\windows\UNNeroShowTime.exe
+ 2007-06-27 11:05 . 2007-06-27 11:05 972072 c:\windows\UNNeroMediaHome.exe
- 2008-02-28 09:38 . 2008-02-28 09:38 972072 c:\windows\UNNeroMediaHome.exe
+ 2007-03-20 13:22 . 2007-03-20 13:22 972336 c:\windows\UNNeroBackItUp.exe
- 2007-03-20 12:22 . 2007-03-20 12:22 972336 c:\windows\UNNeroBackItUp.exe
+ 2007-07-03 11:10 . 2007-07-03 11:10 132904 c:\windows\system32\drivers\imagesrv.sys
- 2008-02-18 08:21 . 2008-02-18 08:21 132904 c:\windows\system32\drivers\imagesrv.sys
+ 2010-02-16 13:43 . 2010-02-16 13:43 6425600 c:\windows\Installer\13713f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\pcsuite.exe" [2009-11-11 1451520]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-06 289584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-02-08 1120704]
"P17Helper"="P17.dll" [2005-05-03 64512]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/4/2010 1:17 AM 11264]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2/6/2010 1:20 AM 616064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TYCO\Application Data\Mozilla\Firefox\Profiles\gdtk1tkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 23:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallIS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_is=\"0\" />"
"Device"="xrnJucq8yLy6z8fMzszNusjHvM8="
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2010-02-17 23:36:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-17 15:36
ComboFix2.txt 2010-02-16 02:39

Pre-Run: 73,735,884,800 bytes free
Post-Run: 73,691,516,928 bytes free

- - End Of File - - D826C5AC330684ABACC629D59FAC6949




Malwarebytes' Anti-Malware 1.44
Database version: 3751
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/17/2010 11:45:45 PM
mbam-log-2010-02-17 (23-45-45).txt

Scan type: Quick Scan
Objects scanned: 131935
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\app_dll.dll.11100875.old (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\app_dll.dll.165343.old (Trojan.Agent) -> Quarantined and deleted successfully.