[Windows No Disk Virus]


  • This topic is locked
29 replies to this topic

#1 ryan12313

ryan12313

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 24 May 2010 - 05:49 PM

As instructed, here's my DDS log. I was told to skip GMER.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 18:43:12.96 on Mon 05/24/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.406 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\mbam\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\mbam\mbamgui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Documents and Settings\Owner.steal-o-meal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.steal-o-meal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.steal-o-meal\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner.steal-o-meal\Desktop\dds (1).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5052
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5052
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - IE Developer Toolbar BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Airlink101 WLAN Monitor] c:\program files\airlink101\wlan monitor\WLANMon.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\mbam\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cataly~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {444A7D6B-2EB9-40A0-BA8F-306206D7EF56} = 192.168.0.1,0.0.0.0
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-6 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-6 112592]
R2 MBAMService;MBAMService;c:\program files\mbam\mbamservice.exe [2010-5-22 378192]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-6 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-6 1142224]
R3 AL101;Airlink101 802.11g PCI Driver;c:\windows\system32\drivers\AL101.sys [2010-4-5 380928]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\jmhqil.sys --> c:\windows\system32\drivers\jmhqil.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-22 20952]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-22 38224]
S3 Login_serv;Login;c:\program files\risk your life 2 - destination\Login_serv.exe [2010-4-5 150528]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-4-6 233136]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-4-6 63360]

=============== Created Last 30 ================

2010-05-23 16:37:47 0 d-----w- c:\program files\ryrym
2010-05-23 02:46:41 0 d-----w- c:\program files\mbam
2010-05-23 02:41:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 02:41:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 02:41:24 0 d-----w- c:\program files\mbam
2010-05-23 02:41:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-23 00:37:41 0 d-sha-r- C:\cmdcons
2010-05-23 00:30:50 98816 ----a-w- c:\windows\sed.exe
2010-05-23 00:30:50 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 00:30:50 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 00:30:50 161792 ----a-w- c:\windows\SWREG.exe
2010-05-23 00:30:07 0 d-----w- C:\ComboFix
2010-05-23 00:17:08 0 d-----w- c:\program files\Exterminate It!
2010-05-22 23:08:07 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-05-22 23:08:06 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2010-05-22 23:06:54 0 d-----w- c:\program files\common files\INCA Shared
2010-05-20 01:54:54 57398 -c--a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-05-14 22:53:50 0 d-----w- C:\.jagex_cache_32
2010-05-14 22:47:47 0 d-----w- c:\windows\.silabclient_store_32
2010-05-14 22:44:36 0 d-----w- c:\windows\.mpr_file_store_32
2010-05-14 01:51:29 0 d-----w- c:\program files\Tragik Industries
2010-05-14 01:51:22 0 d-----w- c:\program files\RSS
2010-05-14 01:51:22 0 d-----w- C:\e38
2010-05-12 18:53:01 1817 ----a-w- C:\zaa.bat
2010-05-10 21:53:01 0 ----a-w- c:\documents and settings\owner.steal-o-meal\jagex__preferences3.dat
2010-05-10 21:51:21 0 d-----w- c:\windows\.jagex_cache_32
2010-05-10 21:46:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-10 21:46:16 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 20:54:47 0 d-----w- c:\program files\VideoLAN
2010-05-10 02:04:39 2615 ----a-w- C:\Sztringz2S.bat
2010-05-09 17:21:12 2868 ----a-w- C:\aaaaaa.bat
2010-05-09 03:46:30 3003 ----a-w- C:\SztringzS.bat
2010-05-01 01:12:14 0 d-----w- c:\program files\Game_Maker6
2010-04-25 18:46:58 0 d-----w- c:\docume~1\owner~1.ste\applic~1\RealVNC
2010-04-25 18:44:19 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-04-25 18:44:07 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-04-25 18:44:07 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-04-25 18:44:03 0 d-----w- c:\program files\RealVNC
2010-04-25 02:44:15 0 d-----w- c:\program files\RYL Battle Lohan
2010-04-25 02:38:46 21609 ----a-w- C:\admin.pl

==================== Find3M ====================

2010-05-24 20:36:15 90112 ----a-w- c:\windows\soundman.exe
2010-05-23 09:01:03 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-23 09:01:01 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-05 02:00:34 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-03-28 20:06:54 99774759 ----a-w- C:\cyphers_full_patch.exe

============= FINISH: 18:44:08.63 ===============

=\ Here is the original topic if you're wondering what the symptoms are.

http://www.bleepingcomputer.com/forums/topic318683.html

I forgot to include in my original post that I can't boot in safe mode; my computer instantly restarts while it is loading the drivers...

Edited by ryan12313, 24 May 2010 - 05:52 PM.




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:59 PM

Posted 26 May 2010 - 04:16 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 27 May 2010 - 05:33 PM

Wow, I'm really bleeping sick of this god damn bleep; it's really bleeping stressing. Just give me an answer!!!

Now I'm starting to get Windows "No Disk" errors from my programs that are currently running, for example my wireless controller (Airlink), WLANMon.exe, blah blah blah, no disk error, blah blah.

#4 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 27 May 2010 - 05:39 PM

Whoa, I just realised something really big: that disk drive bleep that's going on, it's not some virus error... I found Files and Settings Transfer Wizard last opened last night while I was sleeping, and it was getting stuff off of my PC onto some other guy's, and I'm tracing him right now. He's in Kentucky and I'm about to drive there and bleeping beat his ass. This really makes me mad. Anything I can do to get rid of this virus though? It's like not letting me open any anti-virus stuff. I'd rather do this through TeamViewer than have someone tell me over a forum website, if you can... reply.

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:59 PM

Posted 27 May 2010 - 05:41 PM

QUOTE: just give me an answer!!!


Not that straightforward. I will do my best but with your system going haywire this could be difficult.


Let's start with Combofix and see how we go.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:59 PM

Posted 29 May 2010 - 06:23 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#7 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 30 May 2010 - 08:11 PM

ComboFix log:

ComboFix 10-05-29.05 - half off 05/30/2010 18:24:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.538 [GMT -4:00]
Running from: c:\documents and settings\half off\Desktop\ComFix.bat
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 19:44 . 2010-05-30 19:44 -------- d--h--w- c:\windows\PIF
2010-05-29 23:16 . 2006-12-21 18:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2010-05-29 23:16 . 2006-09-11 14:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2010-05-29 23:15 . 2006-09-11 14:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2010-05-29 23:15 . 2002-08-21 12:13 189952 ----a-w- c:\windows\system32\WISPTIS.EXE
2010-05-29 23:14 . 2010-04-09 20:04 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-05-29 23:14 . 2010-04-09 20:04 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-05-29 23:14 . 2004-07-17 14:08 145 ----a-w- c:\windows\system32\VGASwitch.bat
2010-05-29 23:14 . 2004-07-16 00:19 49152 ----a-w- c:\windows\system32\VGASwitch.exe
2010-05-29 23:14 . 1999-11-25 01:40 40960 ----a-w- c:\windows\system32\VBAME.DLL
2010-05-29 23:14 . 2004-12-07 13:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\uniime.dll
2010-05-29 23:12 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2010-05-29 23:12 . 2001-11-21 17:15 102400 ----a-w- c:\windows\system32\SimpleRegistry.dll
2010-05-29 23:12 . 2002-09-21 07:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2010-05-29 23:12 . 1998-03-25 04:54 15872 ----a-w- c:\windows\system32\SCP32.DLL
2010-05-29 23:12 . 2006-09-27 12:13 157184 ----a-w- c:\windows\system32\RtlCPAPI.dll
2010-05-29 23:12 . 2006-09-27 12:13 10459648 ----a-w- c:\windows\system32\RTLCPL.exe
2010-05-29 23:12 . 2005-06-23 16:24 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-05-29 23:11 . 2000-04-04 00:52 151552 ----a-w- c:\windows\system32\RDOCURS.DLL
2010-05-29 23:11 . 2005-03-24 06:27 212480 ----a-w- c:\windows\system32\PCDLIB32.DLL
2010-05-29 23:10 . 2005-01-05 21:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-05-29 23:09 . 2003-04-18 23:46 1233920 ----a-w- c:\windows\system32\msxml4.dll
2010-05-29 23:09 . 2003-04-18 23:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-05-29 23:09 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-29 23:09 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-29 23:09 . 2000-05-24 05:45 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-05-29 23:09 . 1998-08-09 18:07 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2010-05-29 23:09 . 2000-05-11 20:06 397312 ----a-w- c:\windows\system32\MSRDO20.DLL
2010-05-29 23:09 . 2005-03-24 06:24 91136 ----a-w- c:\windows\system32\msls2.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-05-29 23:08 . 2003-03-19 04:20 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-05-29 23:08 . 2003-03-19 04:12 1047552 ----a-w- c:\windows\system32\mfc71u.dll
2010-05-29 23:08 . 1998-06-18 02:08 53248 ----a-w- c:\windows\system32\MFC42ENU.DLL
2010-05-29 23:08 . 2004-03-22 22:17 24816 ----a-w- c:\windows\system32\mdimon.dll
2010-05-29 23:08 . 2004-09-03 23:07 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-05-29 23:06 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\kbdax2.dll
2010-05-29 23:05 . 2005-01-06 01:36 31744 ----a-r- c:\windows\system32\hlp95en.dll
2010-05-29 23:05 . 2005-03-17 21:39 1146320 ----a-w- c:\windows\system32\FM20.DLL
2010-05-29 23:05 . 2003-07-15 05:57 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2010-05-29 23:05 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-05-29 23:05 . 2004-08-10 19:00 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2010-05-29 23:05 . 2005-12-10 00:48 274432 ----a-w- c:\windows\system32\EMicon.dll
2010-05-29 23:04 . 2010-05-10 21:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 23:03 . 2004-08-10 19:00 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 388608 ----a-w- c:\windows\system32\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-05-29 23:03 . 2006-09-27 12:13 40960 ----a-w- c:\windows\system32\ChCfg.exe
2010-05-29 23:03 . 2004-11-11 00:35 77824 ----a-w- c:\windows\system32\cdrtc.dll
2010-05-29 23:03 . 2004-11-11 00:36 81920 ----a-w- c:\windows\system32\cdral.dll
2010-05-29 23:03 . 2004-03-08 21:05 528384 ----a-w- c:\windows\system32\CDDBControlRoxio.dll
2010-05-29 23:03 . 2004-03-08 21:02 761856 ----a-w- c:\windows\system32\CDDBUIRoxio.dll
2010-05-29 23:01 . 1999-04-17 09:06 10752 ----a-w- c:\windows\system32\aamd532.dll
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\Sun
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\SHELLNEW
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\Downloaded Installations
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\.jagex_cache_32
2010-05-29 22:57 . 2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe
2010-05-29 22:57 . 2005-12-09 03:01 59 ----a-w- c:\windows\update.bat
2010-05-29 22:57 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
2010-05-29 22:57 . 2010-05-28 17:16 90112 ----a-w- c:\windows\soundman.exe
2010-05-29 22:57 . 2003-09-19 03:09 36864 ----a-w- c:\windows\ShowWnd.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 ----a-w- c:\windows\regedit.exe
2010-05-29 22:55 . 2005-10-11 19:48 10280 ----a-w- c:\windows\BigFixClientOverride.dll
2010-05-29 02:08 . 2010-05-29 02:08 2030536 ----a-w- c:\documents and settings\half off\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-05-28 15:40 . 2010-05-29 23:02 -------- d-----w- c:\windows\LastGood
2010-05-27 23:14 . 2004-08-10 19:00 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-05-27 23:14 . 2004-08-10 19:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-05-27 22:16 . 2010-05-27 22:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-05-27 20:11 . 2010-05-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-26 23:55 . 2010-05-26 23:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-26 23:54 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-26 23:54 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-26 23:54 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-05-26 23:54 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-26 23:54 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-26 23:54 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-26 23:54 . 2010-05-26 23:55 -------- d-----w- c:\program files\Google
2010-05-26 23:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-26 23:47 . 2010-05-27 00:18 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-26 23:47 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-26 23:47 . 2010-05-27 00:18 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-26 23:47 . 2010-05-30 22:36 -------- d-----w- c:\program files\Spyware Doctor
2010-05-26 23:47 . 2010-05-26 23:55 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-26 23:47 . 2010-05-26 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-26 23:46 . 2010-05-30 18:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 22:34 . 2006-04-06 17:15 8192 ----a-r- c:\windows\system32\drivers\rt2561.bin
2010-05-26 22:34 . 2005-08-18 22:08 302080 ----a-w- c:\windows\lwd.exe
2010-05-26 22:34 . 2006-06-28 16:15 237568 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-26 22:34 . 2006-06-01 14:12 184320 ----a-w- c:\windows\system32\WlanApp.dll
2010-05-26 22:34 . 2006-04-07 18:40 184320 ----a-w- c:\windows\system32\aIPH.dll
2010-05-26 22:34 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2010-05-26 22:34 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2010-05-26 22:34 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2010-05-26 21:48 . 2010-05-26 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:48 . 2010-05-26 22:33 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-26 21:47 . 2010-05-26 21:47 -------- d-----w- c:\documents and settings\rawasawq\Application Data\TeamViewer
2010-05-26 15:34 . 2010-05-17 07:52 61440 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-130649ab-n\decora-sse.dll
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Adobe
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\ErrorLogs
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ApplicationHistory
2010-05-26 15:13 . 2010-05-26 15:13 -------- d--h--w- c:\documents and settings\half off\Local Settings\Application Data\b74TtthB
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\DNA
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Deployment
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ATI
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\AskToolbar
2010-05-26 15:09 . 2010-05-27 00:20 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Google
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Help
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn Hamachi
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Identities
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\HHD Software
2010-05-26 14:23 . 2010-05-26 06:48 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2010-05-26 14:23 . 2010-05-26 06:48 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory
2010-05-26 14:23 . 2006-06-19 04:25 13104 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 07:28 . 2010-05-26 06:48 -------- d-----w- c:\documents and settings\Default User\WINDOWS
2010-05-26 07:27 . 2010-05-26 07:27 -------- d-----w- c:\program files\CONEXANT
2010-05-26 07:25 . 2004-08-04 06:08 17024 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-05-26 06:55 . 2010-05-26 06:55 -------- d-----w- c:\windows\creator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 15:43 . 2010-05-26 15:35 45056 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-05-29 15:42 . 2010-05-26 15:35 45056 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-05-29 15:42 . 2010-05-26 15:35 49152 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-05-29 15:42 . 2010-05-26 15:35 69632 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{66F49D6A-E999-4DB0-ADB6-EE546806E340}\NewShortcut2_33D628D2DE174DBC9E7D9A4B4649EF81.exe
2010-05-28 19:16 . 2010-05-26 15:35 128496 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\ARPPRODUCTICON.exe
2010-05-28 19:16 . 2010-05-26 15:35 144880 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut11_9D70A61FD7214BC585565549793FFA8A.exe
2010-05-28 19:16 . 2010-05-26 15:35 148976 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut1_9F88E99FAF234356849120C5725C6B5F.exe
2010-05-28 19:16 . 2010-05-26 15:35 148976 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut21_C207166A39DE4B35B3CE8F35C423973B.exe
2010-05-28 19:16 . 2010-05-26 15:35 140784 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut2_8D2B9DEE2E7249CEB360F463F3370804.exe
2010-05-28 19:16 . 2010-05-26 15:35 136688 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\UNINST_Uninstall_F_CF49ABBD814F419BA60B0CCC15F0A1F0.exe
2010-05-28 19:16 . 2010-05-26 15:34 53760 ----a-w- c:\documents and settings\half off\Application Data\Thinstall\WORD 2007\300000002ca00002h\OffDiag.exe
2010-05-28 19:16 . 2010-05-26 15:34 53760 ----a-w- c:\documents and settings\half off\Application Data\Thinstall\WORD 2007\30000000d900002h\DW20.EXE
2010-05-28 15:41 . 2010-05-28 15:41 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\OLD836.tmp
2010-05-28 15:40 . 2008-12-30 06:02 588800 ----a-w- c:\windows\system32\autochk.exe
2010-05-28 15:40 . 2008-12-30 06:02 580608 ----a-w- c:\windows\system32\autofmt.exe
2010-05-28 15:40 . 2008-12-30 06:03 15872 ----a-w- c:\windows\system32\expand.exe
2010-05-28 15:40 . 2010-05-28 15:40 39424 ----a-w- c:\windows\system32\OLD82B.tmp
2010-05-28 15:40 . 2010-05-28 15:40 96768 ----a-w- c:\windows\system32\OLD81C.tmp
2010-05-28 15:40 . 2010-05-28 15:40 29184 ----a-w- c:\windows\system32\OLD817.tmp
2010-05-28 15:40 . 2010-05-28 15:40 12288 ----a-w- c:\windows\system32\OLD812.tmp
2010-05-28 15:40 . 2008-12-30 06:07 329728 ----a-w- c:\windows\system32\netsetup.exe
2010-05-28 15:40 . 2008-12-30 06:07 69632 ----a-w- c:\windows\system32\odbcconf.exe
2010-05-27 00:21 . 2008-12-30 06:07 31744 ----a-w- c:\windows\system32\ntsd.exe
2010-05-26 21:48 . 2006-06-19 04:25 13888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\TeamViewer
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Template
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Thinstall
2010-05-22 01:43 . 2010-05-26 14:29 75 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences2.dat
2010-05-22 01:32 . 2010-05-26 14:29 42 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences.dat
2010-05-17 07:52 . 2010-05-26 15:34 503808 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\msvcp71.dll
2010-05-17 07:52 . 2010-05-26 15:34 499712 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\jmc.dll
2010-05-17 07:52 . 2010-05-26 15:34 348160 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\msvcr71.dll
2010-05-17 07:52 . 2010-05-26 15:34 12800 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-130649ab-n\decora-d3d.dll
2010-05-10 21:53 . 2010-05-26 14:29 0 ----a-w- c:\documents and settings\half off\jagex__preferences3.dat
2010-04-05 08:02 . 2010-04-05 08:02 -------- d-----w- c:\program files\ANI
2010-04-05 08:01 . 2010-04-05 08:01 -------- d-----w- c:\program files\Airlink101
2010-04-05 05:41 . 2010-05-26 15:07 141 ----a-w- c:\documents and settings\half off\Local Settings\Application Data\fusioncache.dat
2010-04-05 01:59 . 2010-05-29 22:56 335 ----a-w- c:\windows\nsreg.dat
2010-04-05 01:56 . 2010-05-29 22:56 4 ----a-w- c:\windows\Pix11.dat
2010-03-22 03:15 . 2010-05-26 15:34 152576 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-22 03:15 . 2010-05-26 15:34 79488 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
CODE
<pre>
c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-27 64512]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\WLAN Monitor\WLANmon.exe" [2010-05-29 1024000]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2010-05-29 131072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\options\\oemreset.exe"=
"c:\\WINDOWS\\system32\\grpconv.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\Outlook Express\\setup50.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Documents and Settings\\rawasawq\\Desktop\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\ANIWZCSdS.exe"=
"c:\\Program Files\\Airlink101\\WLAN Monitor\\WLANmon.exe"=
"c:\\My Backup -- 10-05-25 1143PM\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Documents and Settings\\half off\\Desktop\\DoS!t\\DoS!t\\DoS!t.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 214000]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-05-27 218592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
S3 AL101;Airlink101 802.11g PCI Driver;c:\windows\system32\DRIVERS\AL101.sys [2006-07-04 380928]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANIWZCSDSERVICE
*NewlyCreated* - GUSVC
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 18:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(14104)
c:\program files\Spyware Doctor\pctgmhk.dll
.
Completion time: 2010-05-30 18:41:34
ComboFix-quarantined-files.txt 2010-05-30 22:41

Pre-Run: 22,483,173,376 bytes free
Post-Run: 22,617,333,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 17C0681409FBF0AB62DFBAB705D42594


My bad for the long wait =D

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 May 2010 - 01:09 PM

We have a file infector in the PC; it only has two files at the moment but will multiply when you reboot. Do not reboot until you have run this script with Combofix.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic).

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
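The two paths in the script above differ from the legitimate binaries only by a space before the extension (`wlanmon .exe` next to `WLANmon.exe`, `wzcsldr2 .exe` next to `WZCSLDR2.exe`), which is the pattern ComboFix's rename step is aimed at. As an added example that is not part of this thread or of ComboFix, the Python below walks a folder tree, flags executables whose name has whitespace before the extension, and reports whether a space-free twin sits in the same folder. The directory layout it builds is constructed for the demo; the two file names come from the log above, the extra `helper .exe` and the file contents are placeholders.

```python
import os
import re
import tempfile
from typing import List, NamedTuple

# Extensions checked; a choice made for this example, not a ComboFix list.
EXEC_EXTS = ("exe", "com", "scr", "pif", "bat", "cmd", "dll", "sys")

# Matches "wlanmon .exe": a stem ending in a non-space character,
# one or more whitespace characters, then ".<executable extension>".
SPACED_NAME = re.compile(
    r"^(?P<stem>.*\S)\s+\.(?P<ext>" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    path: str          # full path of the oddly named file
    twin: str          # name of the space-free file it mimics (as found on disk, if present)
    twin_exists: bool  # True when that twin is present in the same folder
    size: int          # size of the oddly named file in bytes


def find_spaced_executables(root: str) -> List[Finding]:
    """Walk root and return every executable whose name has whitespace before the extension."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names compare case-insensitively, so index the folder lower-cased.
        by_lower = {f.lower(): f for f in files}
        for name in files:
            m = SPACED_NAME.match(name)
            if m is None:
                continue
            expected = f"{m.group('stem')}.{m.group('ext')}"
            real_twin = by_lower.get(expected.lower())
            full = os.path.join(dirpath, name)
            findings.append(
                Finding(full, real_twin or expected, real_twin is not None, os.path.getsize(full))
            )
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed stand-in for the affected 'Program Files' layout (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="spaced_exe_demo_")
    layout = {
        "Airlink101/WLAN Monitor/WLANmon.exe": b"MZ placeholder, legitimate",
        "Airlink101/WLAN Monitor/wlanmon .exe": b"MZ placeholder, look-alike",
        "ANI/ANIWZCS2 Service/WZCSLDR2.exe": b"MZ placeholder, legitimate",
        "ANI/ANIWZCS2 Service/wzcsldr2 .exe": b"MZ placeholder, look-alike",
        "Tools/helper .exe": b"MZ placeholder, no twin present",
        "Spyware Doctor/pctsTray.exe": b"MZ placeholder, normal name",
        "Notes/readme .txt": b"not an executable, ignored",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in find_spaced_executables(demo_root):
        state = "twin present" if finding.twin_exists else "no twin"
        print(f"{finding.path}  ({finding.size} bytes)  mimics {finding.twin}: {state}")
```

Run it against a real `Program Files` root instead of the demo tree to get the same listing; a hit with `twin present` is the situation described in this thread, while a hit without a twin still deserves a look because nothing legitimate normally carries that name shape.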

#9 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts

Posted 31 May 2010 - 07:15 PM

OK, I renamed combofix.exe to comfix.bat though, because I can't execute .exe's, so I hope that doesn't change anything. I'll post the log in about 2 hours.

Edit: never mind, it's every file; I don't have permission to execute any files unless I rename the extension and rename it back, so I'll run it as comfix.exe. It will say the Spyware Doctor real-time scanner is still active in the log, but I assure you it isn't; I need to restart my PC to turn it all the way off, and I can't do that without multiplying the virus as you stated.

Edited by ryan12313, 31 May 2010 - 07:25 PM.


#10 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts

Posted 31 May 2010 - 08:58 PM

log:
ComboFix 10-05-31.02 - half off 05/31/2010 20:27:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.547 [GMT -4:00]
Running from: c:\documents and settings\half off\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\half off\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-05-31 01:33 . 2008-09-24 14:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2010-05-31 01:33 . 2004-08-04 03:15 145792 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-05-31 01:33 . 2004-08-04 03:15 145792 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-05-31 01:33 . 2004-08-04 03:08 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-05-31 01:33 . 2004-08-04 03:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-05-31 01:33 . 2010-05-31 01:33 -------- d-----w- c:\program files\Realtek AC97
2010-05-31 01:33 . 2006-07-31 15:27 217088 ----a-w- c:\windows\Alcrmv.exe
2010-05-31 01:33 . 2006-07-31 15:19 315392 ----a-w- c:\windows\alcupd.exe
2010-05-30 19:51 . 2010-05-30 22:41 -------- d-----w- C:\ComFix
2010-05-30 19:44 . 2010-05-30 19:44 -------- d--h--w- c:\windows\PIF
2010-05-29 23:16 . 2006-12-21 18:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2010-05-29 23:16 . 2006-09-11 14:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2010-05-29 23:15 . 2006-09-11 14:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2010-05-29 23:15 . 2002-08-21 12:13 189952 ----a-w- c:\windows\system32\WISPTIS.EXE
2010-05-29 23:14 . 2010-04-09 20:04 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-05-29 23:14 . 2010-04-09 20:04 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-05-29 23:14 . 2004-07-17 14:08 145 ----a-w- c:\windows\system32\VGASwitch.bat
2010-05-29 23:14 . 2004-07-16 00:19 49152 ----a-w- c:\windows\system32\VGASwitch.exe
2010-05-29 23:14 . 1999-11-25 01:40 40960 ----a-w- c:\windows\system32\VBAME.DLL
2010-05-29 23:14 . 2004-12-07 13:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\uniime.dll
2010-05-29 23:12 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2010-05-29 23:12 . 2001-11-21 17:15 102400 ----a-w- c:\windows\system32\SimpleRegistry.dll
2010-05-29 23:12 . 2002-09-21 07:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2010-05-29 23:12 . 1998-03-25 04:54 15872 ----a-w- c:\windows\system32\SCP32.DLL
2010-05-29 23:12 . 2006-12-08 19:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2010-05-29 23:12 . 2006-10-18 06:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2010-05-29 23:12 . 2005-06-23 16:24 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-05-29 23:11 . 2000-04-04 00:52 151552 ----a-w- c:\windows\system32\RDOCURS.DLL
2010-05-29 23:11 . 2005-03-24 06:27 212480 ----a-w- c:\windows\system32\PCDLIB32.DLL
2010-05-29 23:10 . 2005-01-05 21:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-05-29 23:09 . 2003-04-18 23:46 1233920 ----a-w- c:\windows\system32\msxml4.dll
2010-05-29 23:09 . 2003-04-18 23:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-05-29 23:09 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-29 23:09 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-29 23:09 . 2000-05-24 05:45 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-05-29 23:09 . 1998-08-09 18:07 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2010-05-29 23:09 . 2000-05-11 20:06 397312 ----a-w- c:\windows\system32\MSRDO20.DLL
2010-05-29 23:09 . 2005-03-24 06:24 91136 ----a-w- c:\windows\system32\msls2.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-05-29 23:08 . 2003-03-19 04:20 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-05-29 23:08 . 2003-03-19 04:12 1047552 ----a-w- c:\windows\system32\mfc71u.dll
2010-05-29 23:08 . 1998-06-18 02:08 53248 ----a-w- c:\windows\system32\MFC42ENU.DLL
2010-05-29 23:08 . 2004-03-22 22:17 24816 ----a-w- c:\windows\system32\mdimon.dll
2010-05-29 23:08 . 2004-09-03 23:07 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-05-29 23:06 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\kbdax2.dll
2010-05-29 23:05 . 2005-01-06 01:36 31744 ----a-r- c:\windows\system32\hlp95en.dll
2010-05-29 23:05 . 2005-03-17 21:39 1146320 ----a-w- c:\windows\system32\FM20.DLL
2010-05-29 23:05 . 2003-07-15 05:57 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2010-05-29 23:05 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-05-29 23:05 . 2004-08-10 19:00 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2010-05-29 23:05 . 2005-12-10 00:48 274432 ----a-w- c:\windows\system32\EMicon.dll
2010-05-29 23:04 . 2010-05-10 21:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 23:03 . 2004-08-10 19:00 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 388608 ----a-w- c:\windows\system32\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-05-29 23:03 . 2006-08-01 19:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2010-05-29 23:03 . 2004-11-11 00:35 77824 ----a-w- c:\windows\system32\cdrtc.dll
2010-05-29 23:03 . 2004-11-11 00:36 81920 ----a-w- c:\windows\system32\cdral.dll
2010-05-29 23:03 . 2004-03-08 21:05 528384 ----a-w- c:\windows\system32\CDDBControlRoxio.dll
2010-05-29 23:03 . 2004-03-08 21:02 761856 ----a-w- c:\windows\system32\CDDBUIRoxio.dll
2010-05-29 23:01 . 1999-04-17 09:06 10752 ----a-w- c:\windows\system32\aamd532.dll
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\Sun
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\SHELLNEW
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\Downloaded Installations
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\.jagex_cache_32
2010-05-29 22:57 . 2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe
2010-05-29 22:57 . 2005-12-09 03:01 59 ----a-w- c:\windows\update.bat
2010-05-29 22:57 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
2010-05-29 22:57 . 2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe
2010-05-29 22:57 . 2003-09-19 03:09 36864 ----a-w- c:\windows\ShowWnd.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 ----a-w- c:\windows\regedit.exe
2010-05-29 22:55 . 2005-10-11 19:48 10280 ----a-w- c:\windows\BigFixClientOverride.dll
2010-05-29 02:08 . 2010-05-29 02:08 2030536 ----a-w- c:\documents and settings\half off\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-05-28 15:40 . 2010-05-31 01:34 -------- d-----w- c:\windows\LastGood
2010-05-27 23:14 . 2004-08-10 19:00 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-05-27 23:14 . 2004-08-10 19:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-05-27 22:16 . 2010-05-27 22:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-05-27 20:11 . 2010-05-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-26 23:55 . 2010-05-26 23:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-26 23:54 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-26 23:54 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-26 23:54 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-05-26 23:54 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-26 23:54 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-26 23:54 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-26 23:54 . 2010-05-26 23:55 -------- d-----w- c:\program files\Google
2010-05-26 23:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-26 23:47 . 2010-05-27 00:18 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-26 23:47 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-26 23:47 . 2010-05-27 00:18 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-26 23:47 . 2010-06-01 00:17 -------- d-----w- c:\program files\Spyware Doctor
2010-05-26 23:47 . 2010-05-26 23:55 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-26 23:47 . 2010-05-26 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-26 23:46 . 2010-06-01 00:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 22:34 . 2006-04-06 17:15 8192 ----a-r- c:\windows\system32\drivers\rt2561.bin
2010-05-26 22:34 . 2005-08-18 22:08 302080 ----a-w- c:\windows\lwd.exe
2010-05-26 22:34 . 2006-06-28 16:15 237568 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-26 22:34 . 2006-06-01 14:12 184320 ----a-w- c:\windows\system32\WlanApp.dll
2010-05-26 22:34 . 2006-04-07 18:40 184320 ----a-w- c:\windows\system32\aIPH.dll
2010-05-26 22:34 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2010-05-26 22:34 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2010-05-26 22:34 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2010-05-26 21:48 . 2010-05-31 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:48 . 2010-05-31 01:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-26 21:47 . 2010-05-26 21:47 -------- d-----w- c:\documents and settings\rawasawq\Application Data\TeamViewer
2010-05-26 15:34 . 2010-05-17 07:52 61440 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-130649ab-n\decora-sse.dll
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Adobe
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\ErrorLogs
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ApplicationHistory
2010-05-26 15:13 . 2010-05-26 15:13 -------- d--h--w- c:\documents and settings\half off\Local Settings\Application Data\b74TtthB
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\DNA
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Deployment
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ATI
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\AskToolbar
2010-05-26 15:09 . 2010-05-27 00:20 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Google
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Help
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn Hamachi
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 15:43 . 2010-05-26 15:35 45056 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-05-29 15:42 . 2010-05-26 15:35 45056 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-05-29 15:42 . 2010-05-26 15:35 49152 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2010-05-29 15:42 . 2010-05-26 15:35 69632 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{66F49D6A-E999-4DB0-ADB6-EE546806E340}\NewShortcut2_33D628D2DE174DBC9E7D9A4B4649EF81.exe
2010-05-28 19:16 . 2010-05-26 15:35 128496 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\ARPPRODUCTICON.exe
2010-05-28 19:16 . 2010-05-26 15:35 144880 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut11_9D70A61FD7214BC585565549793FFA8A.exe
2010-05-28 19:16 . 2010-05-26 15:35 148976 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut1_9F88E99FAF234356849120C5725C6B5F.exe
2010-05-28 19:16 . 2010-05-26 15:35 148976 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut21_C207166A39DE4B35B3CE8F35C423973B.exe
2010-05-28 19:16 . 2010-05-26 15:35 140784 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut2_8D2B9DEE2E7249CEB360F463F3370804.exe
2010-05-28 19:16 . 2010-05-26 15:35 136688 ----a-r- c:\documents and settings\half off\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\UNINST_Uninstall_F_CF49ABBD814F419BA60B0CCC15F0A1F0.exe
2010-05-28 19:16 . 2010-05-26 15:34 53760 ----a-w- c:\documents and settings\half off\Application Data\Thinstall\WORD 2007\300000002ca00002h\OffDiag.exe
2010-05-28 19:16 . 2010-05-26 15:34 53760 ----a-w- c:\documents and settings\half off\Application Data\Thinstall\WORD 2007\30000000d900002h\DW20.EXE
2010-05-28 15:41 . 2010-05-28 15:41 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\OLD836.tmp
2010-05-28 15:40 . 2008-12-30 06:02 588800 ----a-w- c:\windows\system32\autochk.exe
2010-05-28 15:40 . 2008-12-30 06:02 580608 ----a-w- c:\windows\system32\autofmt.exe
2010-05-28 15:40 . 2008-12-30 06:03 15872 ----a-w- c:\windows\system32\expand.exe
2010-05-28 15:40 . 2010-05-28 15:40 39424 ----a-w- c:\windows\system32\OLD82B.tmp
2010-05-28 15:40 . 2010-05-28 15:40 96768 ----a-w- c:\windows\system32\OLD81C.tmp
2010-05-28 15:40 . 2010-05-28 15:40 29184 ----a-w- c:\windows\system32\OLD817.tmp
2010-05-28 15:40 . 2010-05-28 15:40 12288 ----a-w- c:\windows\system32\OLD812.tmp
2010-05-28 15:40 . 2008-12-30 06:07 329728 ----a-w- c:\windows\system32\netsetup.exe
2010-05-28 15:40 . 2008-12-30 06:07 69632 ----a-w- c:\windows\system32\odbcconf.exe
2010-05-27 00:21 . 2008-12-30 06:07 31744 ----a-w- c:\windows\system32\ntsd.exe
2010-05-26 21:48 . 2006-06-19 04:25 13888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\TeamViewer
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Template
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Thinstall
2010-05-22 01:43 . 2010-05-26 14:29 75 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences2.dat
2010-05-22 01:32 . 2010-05-26 14:29 42 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences.dat
2010-05-17 07:52 . 2010-05-26 15:34 503808 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\msvcp71.dll
2010-05-17 07:52 . 2010-05-26 15:34 499712 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\jmc.dll
2010-05-17 07:52 . 2010-05-26 15:34 348160 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a0028d9-n\msvcr71.dll
2010-05-17 07:52 . 2010-05-26 15:34 12800 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-130649ab-n\decora-d3d.dll
2010-05-10 21:53 . 2010-05-26 14:29 0 ----a-w- c:\documents and settings\half off\jagex__preferences3.dat
2010-04-05 08:02 . 2010-04-05 08:02 -------- d-----w- c:\program files\ANI
2010-04-05 08:01 . 2010-04-05 08:01 -------- d-----w- c:\program files\Airlink101
2010-04-05 05:41 . 2010-05-26 15:07 141 ----a-w- c:\documents and settings\half off\Local Settings\Application Data\fusioncache.dat
2010-04-05 01:59 . 2010-05-29 22:56 335 ----a-w- c:\windows\nsreg.dat
2010-04-05 01:56 . 2010-05-29 22:56 4 ----a-w- c:\windows\Pix11.dat
2010-03-22 03:15 . 2010-05-26 15:34 152576 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-22 03:15 . 2010-05-26 15:34 79488 ----a-w- c:\documents and settings\half off\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
CODE
<pre>
c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-27 64512]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\WLAN Monitor\WLANmon.exe" [2010-06-01 954368]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2010-06-01 49152]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\options\\oemreset.exe"=
"c:\\WINDOWS\\system32\\grpconv.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\Outlook Express\\setup50.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Documents and Settings\\rawasawq\\Desktop\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\ANIWZCSdS.exe"=
"c:\\Program Files\\Airlink101\\WLAN Monitor\\WLANmon.exe"=
"c:\\My Backup -- 10-05-25 1143PM\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Documents and Settings\\half off\\Desktop\\DoS!t\\DoS!t\\DoS!t.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/26/2010 7:47 PM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/26/2010 7:54 PM 112592]
R3 AL101;Airlink101 802.11g PCI Driver;c:\windows\system32\drivers\AL101.sys [4/5/2010 4:01 AM 380928]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 7:55 PM 214000]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/26/2010 7:47 PM 366840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANIWZCSDSERVICE
*NewlyCreated* - GUSVC
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 20:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(13168)
c:\program files\Spyware Doctor\pctgmhk.dll
.
Completion time: 2010-05-31 20:42:40
ComboFix-quarantined-files.txt 2010-06-01 00:42
ComboFix2.txt 2010-05-30 22:41

Pre-Run: 22,372,954,112 bytes free
Post-Run: 22,439,858,176 bytes free

- - End Of File - - E7EF6274638241902A13CB4549D12342
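
The two ComboFix logs posted in this thread list the same Run-key entries with different dates and sizes (for example `WLANmon.exe` is recorded at 1024000 bytes in the first run and 954368 bytes in the second). As an added example, not part of the thread and not a BleepingComputer or ComboFix tool, the Python below parses the "Reg Loading Points" section of a ComboFix log and diffs the autorun entries of two runs, so a change in an existing entry stands out rather than being spotted by eye. The two excerpts it is fed are copied from the two logs above; everything else is constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Tuple

# A registry section header as ComboFix prints it, e.g. [HKEY_LOCAL_MACHINE\...\Run]
SECTION = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# One value line: "name"="path" [YYYY-MM-DD size]
ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)

Key = Tuple[str, str]  # (registry section, value name)


class RunEntry(NamedTuple):
    path: str
    date: str
    size: int


def parse_run_entries(log: str) -> Dict[Key, RunEntry]:
    """Collect value lines that sit under a ...\\Run or ...\\RunOnce section header."""
    entries: Dict[Key, RunEntry] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            key = header.group("key")
            current = key if key.upper().endswith(("\\RUN", "\\RUNONCE")) else None
            continue
        if current is None:
            continue
        m = ENTRY.match(line)
        if m:
            entries[(current, m.group("name"))] = RunEntry(
                m.group("path"), m.group("date"), int(m.group("size"))
            )
    return entries


def diff_run_entries(old: Dict[Key, RunEntry], new: Dict[Key, RunEntry]) -> dict:
    """Return entries added, removed, and changed (path, date or size) between two runs."""
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


# Excerpts copied from the two ComboFix logs in this thread (first run, then second run).
FIRST_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-27 64512]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\WLAN Monitor\WLANmon.exe" [2010-05-29 1024000]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2010-05-29 131072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
"""

SECOND_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-27 64512]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\WLAN Monitor\WLANmon.exe" [2010-06-01 954368]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2010-06-01 49152]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
"""


if __name__ == "__main__":
    report = diff_run_entries(parse_run_entries(FIRST_RUN), parse_run_entries(SECOND_RUN))
    for kind in ("added", "removed", "changed"):
        for (section, name), value in report[kind].items():
            print(f"{kind:8} {name:28} {value}")
```

Feed it the whole text of two saved ComboFix logs instead of the excerpts and the same three buckets come out; the `changed` bucket is the one to read first, since an autorun entry whose on-disk size moved between two scans of the same machine is exactly the kind of thing the helper in this thread is watching for.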


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 June 2010 - 11:43 AM

Okay, that failed. My fault.

Let's try and kill the process that is stopping you from running the .exes.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Now try Combofix again with the same script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RenV::
c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#12 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 02 June 2010 - 03:34 PM

exehelper log:
exeHelper by Raktor
Build 20100414
Run at 16:32:51 on 06/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as half off on 06/02/2010 at 16:32:11.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\half off\Desktop\rkill(1).scr


Rkill completed on 06/02/2010 at 16:32:13.

ComboFix 10-06-02.01 - half off 06/02/2010 16:39:24.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.593 [GMT -4:00]
Running from: c:\documents and settings\half off\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\half off\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-02 00:58 . 2010-06-02 00:59 -------- d-----w- c:\program files\Unlocker
2010-05-31 01:33 . 2008-09-24 14:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2010-05-31 01:33 . 2004-08-04 03:15 145792 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-05-31 01:33 . 2004-08-04 03:15 145792 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-05-31 01:33 . 2004-08-04 03:08 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-05-31 01:33 . 2004-08-04 03:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-05-31 01:33 . 2010-05-31 01:33 -------- d-----w- c:\program files\Realtek AC97
2010-05-31 01:33 . 2006-07-31 15:27 217088 ----a-w- c:\windows\Alcrmv.exe
2010-05-31 01:33 . 2006-07-31 15:19 315392 ----a-w- c:\windows\alcupd.exe
2010-05-30 19:51 . 2010-05-30 22:41 -------- d-----w- C:\ComFix
2010-05-30 19:44 . 2010-05-30 19:44 -------- d--h--w- c:\windows\PIF
2010-05-29 23:16 . 2006-12-21 18:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2010-05-29 23:16 . 2006-09-11 14:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2010-05-29 23:15 . 2006-09-11 14:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2010-05-29 23:15 . 2002-08-21 12:13 189952 ----a-w- c:\windows\system32\WISPTIS.EXE
2010-05-29 23:14 . 2010-04-09 20:04 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-05-29 23:14 . 2010-04-09 20:04 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-05-29 23:14 . 2004-07-17 14:08 145 ----a-w- c:\windows\system32\VGASwitch.bat
2010-05-29 23:14 . 2004-07-16 00:19 49152 ----a-w- c:\windows\system32\VGASwitch.exe
2010-05-29 23:14 . 1999-11-25 01:40 40960 ----a-w- c:\windows\system32\VBAME.DLL
2010-05-29 23:14 . 2004-12-07 13:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2010-05-29 23:14 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\uniime.dll
2010-05-29 23:12 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2010-05-29 23:12 . 2001-11-21 17:15 102400 ----a-w- c:\windows\system32\SimpleRegistry.dll
2010-05-29 23:12 . 2002-09-21 07:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2010-05-29 23:12 . 1998-03-25 04:54 15872 ----a-w- c:\windows\system32\SCP32.DLL
2010-05-29 23:12 . 2006-12-08 19:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2010-05-29 23:12 . 2006-10-18 06:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2010-05-29 23:12 . 2005-06-23 16:24 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-05-29 23:11 . 2000-04-04 00:52 151552 ----a-w- c:\windows\system32\RDOCURS.DLL
2010-05-29 23:11 . 2005-03-24 06:27 212480 ----a-w- c:\windows\system32\PCDLIB32.DLL
2010-05-29 23:10 . 2005-01-05 21:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-05-29 23:09 . 2003-04-18 23:46 1233920 ----a-w- c:\windows\system32\msxml4.dll
2010-05-29 23:09 . 2003-04-18 23:29 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-05-29 23:09 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-29 23:09 . 2003-08-13 01:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-29 23:09 . 2000-05-24 05:45 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-05-29 23:09 . 1998-08-09 18:07 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2010-05-29 23:09 . 2000-05-11 20:06 397312 ----a-w- c:\windows\system32\MSRDO20.DLL
2010-05-29 23:09 . 2005-03-24 06:24 91136 ----a-w- c:\windows\system32\msls2.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-05-29 23:09 . 2004-08-10 19:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-05-29 23:08 . 2003-03-19 04:20 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-05-29 23:08 . 2003-03-19 04:12 1047552 ----a-w- c:\windows\system32\mfc71u.dll
2010-05-29 23:08 . 1998-06-18 02:08 53248 ----a-w- c:\windows\system32\MFC42ENU.DLL
2010-05-29 23:08 . 2004-03-22 22:17 24816 ----a-w- c:\windows\system32\mdimon.dll
2010-05-29 23:08 . 2004-09-03 23:07 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-05-29 23:06 . 2004-08-10 19:00 6144 -c--a-w- c:\windows\system32\dllcache\kbdax2.dll
2010-05-29 23:05 . 2005-01-06 01:36 31744 ----a-r- c:\windows\system32\hlp95en.dll
2010-05-29 23:05 . 2005-03-17 21:39 1146320 ----a-w- c:\windows\system32\FM20.DLL
2010-05-29 23:05 . 2003-07-15 05:57 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2010-05-29 23:05 . 2004-08-10 19:00 7168 -c--a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-05-29 23:05 . 2004-08-10 19:00 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2010-05-29 23:05 . 2005-12-10 00:48 274432 ----a-w- c:\windows\system32\EMicon.dll
2010-05-29 23:04 . 2010-05-10 21:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 23:03 . 2004-08-10 19:00 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 388608 ----a-w- c:\windows\system32\cmd.exe
2010-05-29 23:03 . 2004-08-10 19:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-05-29 23:03 . 2004-08-10 19:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-05-29 23:03 . 2006-08-01 19:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2010-05-29 23:03 . 2004-11-11 00:35 77824 ----a-w- c:\windows\system32\cdrtc.dll
2010-05-29 23:03 . 2004-11-11 00:36 81920 ----a-w- c:\windows\system32\cdral.dll
2010-05-29 23:03 . 2004-03-08 21:05 528384 ----a-w- c:\windows\system32\CDDBControlRoxio.dll
2010-05-29 23:03 . 2004-03-08 21:02 761856 ----a-w- c:\windows\system32\CDDBUIRoxio.dll
2010-05-29 23:01 . 1999-04-17 09:06 10752 ----a-w- c:\windows\system32\aamd532.dll
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\Sun
2010-05-29 22:59 . 2010-05-29 22:59 -------- d-----w- c:\windows\SHELLNEW
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\Downloaded Installations
2010-05-29 22:58 . 2010-05-29 22:58 -------- d-----w- c:\windows\.jagex_cache_32
2010-05-29 22:57 . 2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe
2010-05-29 22:57 . 2005-12-09 03:01 59 ----a-w- c:\windows\update.bat
2010-05-29 22:57 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
2010-05-29 22:57 . 2007-04-16 19:28 577536 ----a-w- c:\windows\soundman.exe
2010-05-29 22:57 . 2003-09-19 03:09 36864 ----a-w- c:\windows\ShowWnd.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-05-29 22:57 . 2004-08-10 19:00 146432 ----a-w- c:\windows\regedit.exe
2010-05-29 22:55 . 2005-10-11 19:48 10280 ----a-w- c:\windows\BigFixClientOverride.dll
2010-05-27 23:14 . 2004-08-10 19:00 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-05-27 23:14 . 2004-08-10 19:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-05-27 22:16 . 2010-05-27 22:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-05-27 20:11 . 2010-05-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-26 23:55 . 2010-05-26 23:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2010-05-26 23:54 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-26 23:54 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-26 23:54 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-05-26 23:54 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-26 23:54 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-26 23:54 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-26 23:54 . 2010-05-26 23:55 -------- d-----w- c:\program files\Google
2010-05-26 23:47 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-26 23:47 . 2010-05-27 00:18 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-26 23:47 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-26 23:47 . 2010-05-27 00:18 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-26 23:47 . 2010-06-02 20:28 -------- d-----w- c:\program files\Spyware Doctor
2010-05-26 23:47 . 2010-05-26 23:55 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-26 23:47 . 2010-05-26 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-26 23:46 . 2010-06-02 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 22:34 . 2006-04-06 17:15 8192 ----a-r- c:\windows\system32\drivers\rt2561.bin
2010-05-26 22:34 . 2005-08-18 22:08 302080 ----a-w- c:\windows\lwd.exe
2010-05-26 22:34 . 2006-06-28 16:15 237568 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-26 22:34 . 2006-06-01 14:12 184320 ----a-w- c:\windows\system32\WlanApp.dll
2010-05-26 22:34 . 2006-04-07 18:40 184320 ----a-w- c:\windows\system32\aIPH.dll
2010-05-26 22:34 . 2005-10-27 12:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2010-05-26 22:34 . 2005-10-19 22:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2010-05-26 22:34 . 2005-10-19 22:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2010-05-26 21:48 . 2010-05-31 01:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:48 . 2010-05-31 01:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-26 21:47 . 2010-05-26 21:47 -------- d-----w- c:\documents and settings\rawasawq\Application Data\TeamViewer
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Adobe
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\ErrorLogs
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ApplicationHistory
2010-05-26 15:13 . 2010-05-26 15:13 -------- d--h--w- c:\documents and settings\half off\Local Settings\Application Data\b74TtthB
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\DNA
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Deployment
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\ATI
2010-05-26 15:13 . 2010-05-26 15:13 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\AskToolbar
2010-05-26 15:09 . 2010-05-27 00:20 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Google
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Help
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn Hamachi
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\LogMeIn
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\Identities
2010-05-26 15:09 . 2010-05-26 15:09 -------- d-----w- c:\documents and settings\half off\Local Settings\Application Data\HHD Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 15:40 . 2008-12-30 06:02 588800 ----a-w- c:\windows\system32\autochk.exe
2010-05-28 15:40 . 2008-12-30 06:02 580608 ----a-w- c:\windows\system32\autofmt.exe
2010-05-28 15:40 . 2008-12-30 06:03 15872 ----a-w- c:\windows\system32\expand.exe
2010-05-28 15:40 . 2008-12-30 06:07 329728 ----a-w- c:\windows\system32\netsetup.exe
2010-05-28 15:40 . 2008-12-30 06:07 69632 ----a-w- c:\windows\system32\odbcconf.exe
2010-05-27 00:21 . 2008-12-30 06:07 31744 ----a-w- c:\windows\system32\ntsd.exe
2010-05-26 21:48 . 2006-06-19 04:25 13888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\TeamViewer
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Template
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Thinstall
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Vidalia
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\uniblue
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\U3
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\TortoiseSVN
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\Tor
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\vlc
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\You've Got Pictures Screensaver
2010-05-26 15:34 . 2010-05-26 15:34 -------- d-----w- c:\documents and settings\half off\Application Data\WildTangent
2010-05-26 06:48 . 2006-06-17 09:36 -------- d-----w- c:\program files\Windows Plus
2010-05-26 06:48 . 2006-06-17 09:41 -------- d-----w- c:\program files\microsoft frontpage
2010-05-26 06:48 . 2006-06-19 06:36 -------- d-----w- c:\program files\Common Files\New Boundary
2010-05-26 06:48 . 2006-06-19 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Prism Deploy
2010-05-22 01:43 . 2010-05-26 14:29 75 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences2.dat
2010-05-22 01:32 . 2010-05-26 14:29 42 ----a-w- c:\documents and settings\half off\jagex_runescape_preferences.dat
2010-05-10 21:53 . 2010-05-26 14:29 0 ----a-w- c:\documents and settings\half off\jagex__preferences3.dat
2010-04-05 08:02 . 2010-04-05 08:02 -------- d-----w- c:\program files\ANI
2010-04-05 08:01 . 2010-04-05 08:01 -------- d-----w- c:\program files\Airlink101
2010-04-05 05:41 . 2010-05-26 15:07 141 ----a-w- c:\documents and settings\half off\Local Settings\Application Data\fusioncache.dat
2010-04-05 01:59 . 2010-05-29 22:56 335 ----a-w- c:\windows\nsreg.dat
2010-04-05 01:56 . 2010-05-29 22:56 4 ----a-w- c:\windows\Pix11.dat
.
CODE
c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-27 64512]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\WLAN Monitor\WLANmon.exe" [2010-06-01 1032192]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2010-05-29 126976]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 85504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\options\\oemreset.exe"=
"c:\\WINDOWS\\system32\\grpconv.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\Outlook Express\\setup50.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Documents and Settings\\rawasawq\\Desktop\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\ANIWZCSdS.exe"=
"c:\\Program Files\\Airlink101\\WLAN Monitor\\WLANmon.exe"=
"c:\\My Backup -- 10-05-25 1143PM\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Documents and Settings\\half off\\Desktop\\DoS!t\\DoS!t\\DoS!t.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\WINDOWS\\TEMP\\pfsc.exe"=
"c:\\WINDOWS\\TEMP\\bgco.exe"=
"c:\\WINDOWS\\TEMP\\wc7e3e.exe"=
"c:\\DOCUME~1\\HALFOF~1\\LOCALS~1\\Temp\\yckmm.exe"=
"c:\\DOCUME~1\\HALFOF~1\\LOCALS~1\\Temp\\twog.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/26/2010 7:47 PM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/26/2010 7:54 PM 112592]
R3 AL101;Airlink101 802.11g PCI Driver;c:\windows\system32\drivers\AL101.sys [4/5/2010 4:01 AM 380928]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2010 7:55 PM 214000]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/26/2010 7:47 PM 436472]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-26 00:21]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: + &Mass Downloader: download this file - c:\my backup -- 10-05-25 1143pm\Program Files\Mass Downloader\Add_Url.htm
IE: + Mass Downloader: download &All files - c:\my backup -- 10-05-25 1143pm\Program Files\Mass Downloader\Add_All.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_A22A7357696681C5.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 16:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\TEMP\pfsc.exe
c:\windows\SOUNDMAN.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\taskmgr.exe
c:\windows\TEMP\wc7e3e.exe
c:\program files\Internet Explorer\iexplore.exe
c:\docume~1\HALFOF~1\LOCALS~1\Temp\yckmm.exe
c:\docume~1\HALFOF~1\LOCALS~1\Temp\twog.exe
.
**************************************************************************
.
Completion time: 2010-06-02 17:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-02 21:07
ComboFix2.txt 2010-06-01 00:42
ComboFix3.txt 2010-05-30 22:41

Pre-Run: 24,087,535,616 bytes free
Post-Run: 24,041,480,192 bytes free

- - End Of File - - EA059CDC445929F191377B81E89AACF8

Edited by ryan12313, 02 June 2010 - 04:09 PM.
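
As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), here is a small Python triage script that reads lines in the layout of the ComboFix log above. The log it parses is a constructed sample, not the poster's actual log; it flags the two patterns acted on in this thread: executables authorized through the firewall or running from a temp directory, and file names with a space before the extension, which is what the RenV:: directive in the CFScript targets.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of a ComboFix log (firewall
# AuthorizedApplications block in REGEDIT4 form, then the running
# process list). These paths are made up for the example.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Program Files\\Example\\app.exe"=
"c:\\WINDOWS\\TEMP\\abcd.exe"=
"c:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\zzzz.exe"=

------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskmgr.exe
c:\windows\TEMP\abcd.exe
c:\program files\Example\app .exe
.
**************************************************************************
"""

TEMP_DIR_NAMES = {"temp", "tmp"}
# Extensions that Windows will execute; a space before the dot is the
# "name .exe" pattern this thread's RenV:: line tries to undo.
SPACED_EXT_RE = re.compile(r"\s\.(exe|com|scr|dll|bat)$", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def normalize(reg_value: str) -> str:
    """Collapse the doubled backslashes used in REGEDIT4 string values."""
    return reg_value.replace("\\\\", "\\").lower()


def is_temp_path(path: str) -> bool:
    """True when any directory component (not the file name) is a temp dir."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in TEMP_DIR_NAMES for p in parts[:-1])


def classify(path: str) -> list:
    """Return the reasons a path deserves a second look (empty if none)."""
    reasons = []
    if is_temp_path(path):
        reasons.append("executable in a temp directory")
    if SPACED_EXT_RE.search(PureWindowsPath(path).name):
        reasons.append("space before file extension")
    return reasons


def triage_combofix(log_text: str) -> list:
    """Walk the log and return (section, path, reason) findings."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "AuthorizedApplications" in line:
            section = "firewall"
            continue
        if "Other Running Processes" in line:
            section = "process"
            continue
        if line.startswith("****") or (section == "firewall" and not line):
            section = None          # blank line or banner ends the block
            continue
        if section == "firewall":
            m = re.match(r'^"(.+)"=$', line)
            if not m:
                continue
            path = normalize(m.group(1))
        elif section == "process":
            if not DRIVE_PATH_RE.match(line):
                continue
            path = line.lower()
        else:
            continue
        for reason in classify(path):
            findings.append((section, path, reason))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage_combofix(SAMPLE_LOG):
        print(f"[{section}] {path}: {reason}")
```

A binary that is both running from TEMP and whitelisted in the firewall shows up twice, once per section, which is the combination worth chasing first.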


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:59 PM

Posted 02 June 2010 - 06:21 PM

Okay, it failed again but this wasn't my fault this time.

The two files we were trying to disinfect failed to go nicely:

c:\program files\Airlink101\WLAN Monitor\wlanmon .exe
c:\program files\ANI\ANIWZCS2 Service\wzcsldr2 .exe


Please reinstall both of these programs, Airlink101 and ANI. This may involve rebooting the PC which can't be helped.

When you have done so please rerun Combofix without scripts as you did the first time you ran it. Reinstalling the programs will kill the infected files but will probably regenerate some new ones.
m0le is a proud member of UNITE

#14 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 02 June 2010 - 08:49 PM

k I'll do it tomorrow at around 4:30pm

#15 ryan12313

ryan12313
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 03 June 2010 - 10:39 PM

update! I think you need to see this!!!




