Virtumonde, Astakiller, Smitfraud, Cmdservice Unable To Resolve


  • This topic is locked
3 replies to this topic

#1 madazz

Posted 20 August 2006 - 05:07 PM

Hello,

I recently got a nasty bit of malware the other day, such as Virtumonde, AstaKiller, Smitfraud-C, and Command Service. I've been fighting them for 3 days now trying to remove, detect, and delete all I can. Normally I do not have much trouble clearing out this stuff myself but this time is a little different.

I've gone through all the listed steps on dealing with them: Vundofix, Spybot, Adaware, etc. It feels like I've tried everything, and as far as scans go, they now report almost nothing. The problem isn't fixed, however; it's obvious it is still on my machine because it is running sluggish and the HijackThis logs I'm observing produce many weird things. Also, during certain scans or activities in the process of fighting this infection, NT AUTHORITY initiates a system shutdown. It says, "The system process 'C:\WINDOWS\system32\services.exe' terminated unexpectedly with status code 204. The system will now shut down and restart." Other codes have popped up too; the only other one I can remember off-hand is 203. I feel I've reached the end of what I can do on my own, not sure if there's anything I'm missing, and would appreciate some advice.

This is what I have for my current HijackThis Log.

Logfile of HijackThis v1.99.1
Scan saved at 2:44:21 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jason\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

This was done in safe mode, as anytime I run in normal mode it's either lagging horribly and is unusable for the most part, or I get the system shutdown message again. I interrupt it with the shutdown /a command line and by changing the date and whatnot, but it still renders the interface unusable and lagged out.

Thanks for any help.

#2 madazz

  • Topic Starter

Posted 20 August 2006 - 05:37 PM

Situation might seem unclear; trying to find as much information as I can to help. Saw OldTimer's program in another post and ran that through. Funny thing, it triggered another shutdown event mid-scan on a certain file in system32. Didn't make out the name before the computer got strung out, but this usually means I'm on the right track, because it happens anytime I seem to get near a source.

Here is the log generated by WinPFind2

Logfile created on: 08/20/2005 15:27
WinPFind2 by OldTimer - Version 1.0.6 Folder = C:\Documents and Settings\Jason\My Documents\Unzipped\winpfind2[1]\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\program files\common files\autodesk shared\service\adskscsrv.exe - (Autodesk )
c:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe - ( )
c:\documents and settings\jason\my documents\unzipped\winpfind2[1]\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Default Page - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default Search - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

[>> BHO's <<]

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8196 - Reg Data missing or invalid
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8195 - Reg Data missing or invalid
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8197 - Reg Data missing or invalid
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8193 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Reg Data missing or invalid
NextId - 8199

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} - PowerISO = Reg Data missing or invalid (File not found))
{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - Mumtaz - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\Program Files\InterVideo\Common\Bin\IviContextMenu.dll (Intervideo )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing LP )
* - ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
AllFilesystemObjects - SpySweeper - {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll (File not found))
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - Mumtaz - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\Program Files\InterVideo\Common\Bin\IviContextMenu.dll (Intervideo )
Directory - PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = Reg Data missing or invalid (File not found))
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing LP )
Directory - ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
Directory\Background - 00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ( )
Directory\Background - NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
Folder - Mumtaz - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\Program Files\InterVideo\Common\Bin\IviContextMenu.dll (Intervideo )
Folder - PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = Reg Data missing or invalid (File not found))
Folder - SpySweeper - {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll (File not found))
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing LP )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - AutorunsDisabled - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[>> Registry Run Keys <<]
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )

[>> Startup Lnks <<]
HKLM->Common Startup - desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - desktop.ini - C:\Documents and Settings\Jason\Start Menu\Programs\Startup\desktop.ini ( )

[>> Disabled MSConfig Items <<]
Services - Adobe LM Service
Services - cmdService
Services - Electronic Arts Licensing Service
Services - ewido anti-spyware 4.0 guard
Services - ewido security suite control
Services - IDriverT
Services - iPodService
Services - MDM
Services - NVSvc
Services - ose
Services - SDhelper
Services - WebrootSpySweeperService
Services - WmiApSrv
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - Adobe Reader Speed Launch = C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE (Adobe Systems Incorporated )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk - InterVideo WinCinema Manager = C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE (File not found))
StartUpFolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^Adobe Gamma.lnk - Adobe Gamma = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
StartUpReg\!ewido - ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized (Anti-Malware Development a.s. )
StartUpReg\Aaui - csrss = "C:\PROGRA~1\RACLE~1\csrss.exe" -vt yazr (File not found))
StartUpReg\AGEIA PhysX SysTray - TrayIcon = C:\Program Files\AGEIA Technologies\TrayIcon.exe (File not found))
StartUpReg\AIM - aim = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl (File not found))
StartUpReg\Aqvrnsh - r?ndll32 = C:\Program Files\Common Files\?ystem\r?ndll32.exe (File not found))
StartUpReg\ctfmon.exe - ctfmon = C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
StartUpReg\DAEMON Tools-1033 - daemon = "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (File not found))
StartUpReg\eix38c0b - RUNDLL32 = RUNDLL32.EXE w008ce36.dll,n 00338c0800000002008ce36 (Microsoft Corporation )
StartUpReg\hix38c0e - RUNDLL32 = RUNDLL32.EXE w008ce65.dll,n 00338c0b00000011008ce65 (Microsoft Corporation )
StartUpReg\iTunesHelper - iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
StartUpReg\KernelFaultCheck - dumprep 0 -k = %systemroot%\system32\dumprep 0 -k (File not found))
StartUpReg\keyboard - kybrdff_11 = C:\\kybrdff_11.exe (File not found))
StartUpReg\loaddr - dqrn = c:\dqrn.exe (File not found))
StartUpReg\ms059466416844 - ms059466416844 = C:\WINDOWS\ms059466416844.exe (File not found))
StartUpReg\MSMSGS - msmsgs = "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )
StartUpReg\MsnMsgr - MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation )
StartUpReg\NvCplDaemon - NvCpl = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found))
StartUpReg\NvMediaCenter - RunDLL32 = RunDLL32.exe NvMCTray.dll,NvTaskbarInit (Microsoft Corporation )
StartUpReg\nwiz - nwiz = nwiz.exe /install ( )
StartUpReg\pop06apelt - thiselt = C:\WINDOWS\thiselt.exe (File not found))
StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
StartUpReg\SoundMan - SOUNDMAN = SOUNDMAN.EXE (Realtek Semiconductor Corp. )
StartUpReg\SpyHunter - SpyHunter = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe (File not found))
StartUpReg\SpySweeper - SpySweeperUI = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray (File not found))
StartUpReg\Steam - = (File not found))
StartUpReg\SunJavaUpdateSched - jusched = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" (Sun Microsystems, Inc. )
StartUpReg\ttool - svcs = C:\WINDOWS\svcs.exe (File not found))
StartUpReg\updateMgr - AdobeUpdateManager = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 (Adobe Systems Incorporated )
StartUpReg\ViewMgr - ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (File not found))
StartUpReg\win32076641684494 - win32076641684494 = C:\WINDOWS\win32076641684494.exe (File not found))
StartUpReg\WINCINEMAMGR - WinCinemaMgr = "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" (File not found))

[>> User Agent Post Platform <<]
SV1 -

[>> AppInit DLLs <<]

[>> Image File Execution Options <<]
Your Image File Name Here without a path - Debugger = ntsd -d

[>> Shell Service Object Delay Load <<]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[>> Shell Execute Hooks <<]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[>> Shared Task Scheduler <<]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[>> Winlogon <<]
UserInit - C:\WINDOWS\SYSTEM32\Userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{27C4A6A2-A7E6-4A9A-87C7-625FAD1B0EFB} - ()
{42665D94-D7E8-4848-90E6-D64943608163} - (Intel® PRO/1000 MT Network Connection)
{78F1073C-D094-46E9-812B-05DC2B08537B} - (1394 Net Adapter)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
AutorunsDisabled - (File not found))
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
Autodesk Licensing Service (Autodesk Licensing Service) - "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe" (Autodesk ) [Automatic - Running - Win32, running in it's own process]
RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - "C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe" ( ) [Automatic - Running - Win32, running in it's own process]

< Files >

%SystemDrive%

%ProgramFilesDir%

%WinDir%

%System%
C:\WINDOWS\SYSTEM32\alsndmgr.cpl - Abf:CFIILWSUd^_jgihgj_XYwtv(Realtek Semiconductor Corp. [Ver = 2, 2, 0, 60 | Size = 18796544 bytes | Date = 05/19/2006 08:01 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_25.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.06.168.0000 | Size = 2337488 bytes | Date = 03/18/2005 17:19 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_26.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.07.239.0000 | Size = 2297552 bytes | Date = 05/26/2005 16:34 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_27.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.08.299.0000 | Size = 2319568 bytes | Date = 07/22/2005 20:59 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_28.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.10.455.0000 | Size = 2323664 bytes | Date = 12/05/2005 18:09 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_29.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.11.519.0000 | Size = 2332368 bytes | Date = 02/03/2006 08:43 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_30.dll - D3DXUVAtlasPack (Microsoft Corporation [Ver = 9.12.589.0000 | Size = 2388176 bytes | Date = 03/31/2006 12:40 | Attr = ])
C:\WINDOWS\SYSTEM32\dfrg.msc - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213( [Ver = | Size = 41397 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\DivX.dll - PEC2 (DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Date = 07/15/2005 11:36 | Attr = ])
C:\WINDOWS\SYSTEM32\DivX.dll - PECompact2 (DivXNetworks [Ver = 6,0,0,1571 | Size = 692736 bytes | Date = 07/15/2005 11:36 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - (PeCompact2) (Microsoft Corporation [Ver = 1.19.1567.0 | Size = 8325544 bytes | Date = 08/09/2006 12:03 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - (ASPack) (Microsoft Corporation [Ver = 1.19.1567.0 | Size = 8325544 bytes | Date = 08/09/2006 12:03 | Attr = ])
C:\WINDOWS\SYSTEM32\ntbackup.exe - VWSuD (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1200128 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\ntdll.dll - .aspack (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 708096 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - Pln``pmlidb_[ZYWSUdxa\^`^Tsfbeffhjol(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\rasdlg.dll - \DuMonitor SendMessage(WM_RASEVENT) done(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 657920 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\SATA.bmp - GGH][]WSUDAC ( [Ver = | Size = 810056 bytes | Date = 04/07/2005 22:47 | Attr = R ])
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe - UPX! (Atribune.org [Ver = 1.00 | Size = 9216 bytes | Date = 08/19/2006 15:59 | Attr = ])
C:\WINDOWS\SYSTEM32\wbdbase.deu - msubjsuchsullsupeswinsyncszens( [Ver = | Size = 1309184 bytes | Date = 08/23/2001 05:00 | Attr = ])

%System%\Drivers folder and sub-folders
C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys - V90NEC, --------ERROR--------- occured in adaptecho(Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Date = 08/03/2004 23:41 | Attr = ])

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 08/20/2005 15:13 | Attr = S])
C:\WINDOWS\WindowsShell.Manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\assembly\Desktop.ini - ( [Ver = | Size = 227 bytes | Date = 08/17/2006 12:03 | Attr = RHS])
C:\WINDOWS\assembly\PublisherPolicy.tme - ( [Ver = | Size = 0 bytes | Date = 08/17/2006 12:03 | Attr = RH ])
C:\WINDOWS\assembly\pubpol1.dat - ( [Ver = | Size = 0 bytes | Date = 08/17/2006 12:03 | Attr = RH ])
C:\WINDOWS\CSC\00000001 - ( [Ver = | Size = 64 bytes | Date = 08/20/2006 14:26 | Attr = S])
C:\WINDOWS\CSC\00000002 - ( [Ver = | Size = 64 bytes | Date = 08/20/2006 14:26 | Attr = S])
C:\WINDOWS\CSC\csc1.tmp - ( [Ver = | Size = 64 bytes | Date = 08/20/2006 12:37 | Attr = S])
C:\WINDOWS\Downloaded Program Files\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 01/20/2006 13:07 | Attr = H ])
C:\WINDOWS\Fonts\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\Offline Web Pages\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 01/20/2006 13:07 | Attr = H ])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab - ( [Ver = | Size = 242478 bytes | Date = 01/20/2006 13:07 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab - ( [Ver = | Size = 19959 bytes | Date = 01/20/2006 13:07 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab - ( [Ver = | Size = 727 bytes | Date = 01/20/2006 13:07 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab - ( [Ver = | Size = 305145 bytes | Date = 01/20/2006 14:05 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab - ( [Ver = | Size = 68327 bytes | Date = 01/20/2006 14:06 | Attr = RHS])
C:\WINDOWS\repair\ntuser.dat - ( [Ver = | Size = 233472 bytes | Date = 01/20/2006 13:07 | Attr = H ])
C:\WINDOWS\system32\cdplayer.exe.manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\logonui.exe.manifest - ( [Ver = | Size = 488 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\ncpa.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\nwc.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\sapi.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\tbhogt.dll - ( [Ver = 1, 0, 0, 1 | Size = 225280 bytes | Date = 08/19/2006 06:46 | Attr = H ])
C:\WINDOWS\system32\tbhogttb.dll - ( [Ver = | Size = 167936 bytes | Date = 08/19/2006 06:46 | Attr = H ])
C:\WINDOWS\system32\WindowsLogon.manifest - ( [Ver = | Size = 488 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\wuaucpl.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 01/20/2006 13:07 | Attr = RH ])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\d3dx9_27_x86.CAT - ( [Ver = | Size = 7740 bytes | Date = 07/22/2005 21:08 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\d3dx9_28_x86.CAT - ( [Ver = | Size = 7927 bytes | Date = 12/05/2005 18:27 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\d3dx9_29_x86.CAT - ( [Ver = | Size = 7927 bytes | Date = 02/03/2006 08:54 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\d3dx9_30_x86.CAT - ( [Ver = | Size = 7927 bytes | Date = 03/31/2006 12:49 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem6.CAT - ( [Ver = | Size = 29771 bytes | Date = 06/08/2006 04:12 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem7.CAT - ( [Ver = | Size = 221091 bytes | Date = 12/23/2005 02:13 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem9.CAT - ( [Ver = | Size = 227571 bytes | Date = 06/05/2006 22:41 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xact2_1_x86.CAT - ( [Ver = | Size = 8225 bytes | Date = 03/31/2006 12:49 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xact2_2_x86.CAT - ( [Ver = | Size = 8225 bytes | Date = 05/31/2006 07:33 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xact_x86.CAT - ( [Ver = | Size = 8225 bytes | Date = 02/03/2006 08:54 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xinput1_1_x86.CAT - ( [Ver = | Size = 7927 bytes | Date = 03/31/2006 12:49 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xinput9_1_0_x86.CAT - ( [Ver = | Size = 7927 bytes | Date = 12/05/2005 18:27 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\xinput_x86.CAT - ( [Ver = | Size = 7740 bytes | Date = 09/28/2005 16:43 | Attr = S])
C:\WINDOWS\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/20/2005 15:13 | Attr = H ])
C:\WINDOWS\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/20/2005 15:13 | Attr = H ])
C:\WINDOWS\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/20/2006 15:23 | Attr = H ])
C:\WINDOWS\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/20/2006 15:26 | Attr = H ])
C:\WINDOWS\system32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/20/2005 15:16 | Attr = H ])
C:\WINDOWS\system32\config\TempKey.LOG - ( [Ver = | Size = 1024 bytes | Date = 01/20/2006 04:58 | Attr = H ])
C:\WINDOWS\system32\config\userdiff.LOG - ( [Ver = | Size = 1024 bytes | Date = 01/20/2006 04:58 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/19/2006 22:56 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 01/20/2006 05:00 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 - ( [Ver = | Size = 558 bytes | Date = 01/20/2006 14:06 | Attr = S])
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 - ( [Ver = | Size = 144 bytes | Date = 01/20/2006 14:06 | Attr = S])
C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 01/20/2006 05:00 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini - ( [Ver = | Size = 113 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini - ( [Ver = | Size = 113 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini - ( [Ver = | Size = 181 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 01/20/2006 05:00 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini - ( [Ver = | Size = 206 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini - ( [Ver = | Size = 482 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini - ( [Ver = | Size = 348 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 01/20/2006 13:07 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\229e8b0e-7275-469a-941e-feaca7a85a75 - ( [Ver = | Size = 388 bytes | Date = 08/19/2006 23:15 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred - ( [Ver = | Size = 24 bytes | Date = 08/19/2006 23:15 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2634f1bc-afeb-43a1-9120-89f8b9a465e6 - ( [Ver = | Size = 388 bytes | Date = 08/19/2085 17:50 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\337b6810-009b-4a56-bc98-2886ec3a7f0e - ( [Ver = | Size = 388 bytes | Date = 08/19/2006 23:32 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\34fc1c89-15ee-4ab9-8e88-2ac9b77cc8a3 - ( [Ver = | Size = 388 bytes | Date = 07/19/2006 22:58 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\62b76c2a-3a6c-4e15-a6be-f8e975da6671 - ( [Ver = | Size = 388 bytes | Date = 01/20/2006 14:10 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\66ba53b6-732e-4db9-96fc-2435f4815681 - ( [Ver = | Size = 388 bytes | Date = 04/20/2006 22:20 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a97827fd-d689-4e0f-8da4-c53b73fdf87f - ( [Ver = | Size = 388 bytes | Date = 08/17/2097 14:28 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bbf25806-9392-45ba-b887-683fba9c9223 - ( [Ver = | Size = 388 bytes | Date = 08/19/2005 20:00 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fb424239-189f-45d5-828c-2cc57708288a - ( [Ver = | Size = 388 bytes | Date = 08/17/2006 15:20 | Attr = HS])
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\NV4_DISP.CAT - ( [Ver = | Size = 22345 bytes | Date = 12/14/2005 03:31 | Attr = S])
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\alcxwdm0.cat - ( [Ver = | Size = 221091 bytes | Date = 12/23/2005 02:13 | Attr = S])
C:\WINDOWS\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 08/20/2005 15:13 | Attr = H ])
CPL files -
C:\WINDOWS\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\alsndmgr.cpl - (Realtek Semiconductor Corp. [Ver = 2, 2, 0, 60 | Size = 18796544 bytes | Date = 05/19/2006 08:01 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80384 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 358400 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.80.3 | Size = 49265 bytes | Date = 07/26/2006 03:03 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nvcpl.cpl - (NVIDIA Corporation [Ver = 1.2.1.11 | Size = 69632 bytes | Date = 06/01/2006 17:22 | Attr = ])
C:\WINDOWS\SYSTEM32\nvtuicpl.cpl - ( [Ver = | Size = 73728 bytes | Date = 06/01/2006 17:22 | Attr = ])
C:\WINDOWS\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\RTSndMgr.Cpl - (Realtek Semiconductor Corp. [Ver = 1.0.0.8 | Size = 266240 bytes | Date = 01/10/2006 14:58 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 162304 bytes | Date = 08/04/2004 01:56 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/23/2001 05:00 | Attr = ])
C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\ALSNDMGR.CPL - (Realtek Semiconductor Corp. [Ver = 1, 0, 0, 10 | Size = 299008 bytes | Date = 09/21/2005 11:25 | Attr = ])

AllUsers Startup Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 01/20/2006 13:07 | Attr = HS])

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 01/20/2006 05:00 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1755 bytes | Date = 02/28/2006 11:43 | Attr = ])

CurrentUser Startup Folder
C:\Documents and Settings\Jason\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 01/20/2006 13:07 | Attr = HS])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Jason\Application Data\AdobeDLM.log - ( [Ver = | Size = 877 bytes | Date = 02/05/2006 13:07 | Attr = ])
C:\Documents and Settings\Jason\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 01/20/2006 05:00 | Attr = HS])
C:\Documents and Settings\Jason\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 02/05/2006 13:07 | Attr = ])

DPF files
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - FilePlanet Download Control Class - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 5
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - F6 A0 6D E0 FC C3 C6 01
Desktop\General\\WallpaperLocalFileTime - F6 C8 0E 34 C2 C3 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 0
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 05 00 00 E4 03 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file HKLM_IE_Main.def<<<<

KEY - HKLM\software\microsoft\internet explorer\main - No SUBKEYS
HKLM\software\microsoft\internet explorer\main -
main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
main\\Enable_Disk_Cache - yes
main\\Cache_Percent_of_Disk - 0A 00 00 00
main\\Delete_Temp_Files_On_Exit - yes
main\\Local Page - C:\WINDOWS\system32\blank.htm
main\\Anchor_Visitation_Horizon - 01 00 00 00
main\\Use_Async_DNS - yes
main\\Placeholder_Width - 1A 00 00 00
main\\Placeholder_Height - 1A 00 00 00
main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
main\\CompanyName - Microsoft Corporation
main\\Custom_Key - MICROSO
main\\Wizard_Version - 6.0.2600.0000
main\\FullScreen - no
main\\Check_Associations - yes
main\\Search Bar - http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
main\ErrorThresholds -
main\FeatureControl -
main\UrlTemplate -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoActiveDesktopChanges - 0
policies\Explorer\Run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1
policies\system\\DisableTaskMgr - 0

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\ActiveDesktop -
policies\ActiveDesktop\\NoComponents - 0
policies\ActiveDesktop\\NoAddingComponents - 0
policies\ActiveDesktop\\NoDeletingComponents - 0
policies\ActiveDesktop\\NoEditingComponents - 0
policies\ActiveDesktop\\NoHTMLWallPaper - 1
policies\ActiveDesktop\\NoChangingWallPaper - 0
policies\ActiveDesktop\\NoCloseDragDropBands - 0
policies\ActiveDesktop\\NoMovingBands - 0
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 0
policies\Explorer\\NoActiveDesktop - 0
policies\Explorer\\NoSaveSettings - 0
policies\Explorer\\ClassicShell - 0
policies\Explorer\\NoThemesTab - 0
policies\Explorer\\ForceActiveDesktopOn - 0
policies\System -
policies\System\\DisableTaskMgr - 0
policies\System\\NoDispAppearancePage - 0
policies\System\\NoColorChoice - 0
policies\System\\NoSizeChoice - 0
policies\System\\NoDispBackgroundPage - 0
policies\System\\NoDispScrSavPage - 0
policies\System\\NoDispCPL - 0
policies\System\\NoVisualStyleChoice - 0
policies\System\\NoDispSettingsPage - 0
policies\System\\DisableRegistryTools - 0

>>>>Output for AddOn file Security.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Security Center -
Security Center\\AntiVirusDisableNotify - 1
Security Center\\FirewallDisableNotify - 1
Security Center\\UpdatesDisableNotify - 1
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring -
Security Center\Monitoring\AhnlabAntiVirus -
Security Center\Monitoring\ComputerAssociatesAntiVirus -
Security Center\Monitoring\KasperskyAntiVirus -
Security Center\Monitoring\McAfeeAntiVirus -
Security Center\Monitoring\McAfeeFirewall -
Security Center\Monitoring\PandaAntiVirus -
Security Center\Monitoring\PandaFirewall -
Security Center\Monitoring\SophosAntiVirus -
Security Center\Monitoring\SymantecAntiVirus -
Security Center\Monitoring\SymantecFirewall -
Security Center\Monitoring\TinyFirewall -
Security Center\Monitoring\TrendAntiVirus -
Security Center\Monitoring\TrendFirewall -
Security Center\Monitoring\ZoneLabsFirewall -

KEY - HKLM\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\BITS -
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - Rpcss;
BITS\\DependOnGroup -
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
BITS\Parameters -
BITS\Parameters\\ServiceDll - C:\WINDOWS\System32\qmgr.dll
BITS\Security -
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
BITS\Enum -
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess -
SharedAccess\\Type - 32
SharedAccess\\Start - 2
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\DependOnGroup -
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\Epoch -
SharedAccess\Epoch\\Epoch - 1791
SharedAccess\Enum -
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv -
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemRoot%\System32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
wuauserv\Parameters -
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\System32\wuauserv.dll
wuauserv\Security -
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
wuauserv\Enum -
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

< End of report >

#3 Buckeye_Sam

Malware Expert

Posted 22 August 2006 - 09:11 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

We need to take a step backwards before we can go forward.
Please run msconfig and enable all startup items that were disabled.

Do the same with Autoruns if you have used it to disable anything.


Then reboot and post just a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Buckeye_Sam

Malware Expert

Posted 05 September 2006 - 04:28 PM

Unfortunately there has been no response, and this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.