Need advice
August 5th, 2016
Scan saved at 11:06:04 AM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\System Protect\SysProtect_srv.exe
C:\WINDOWS\system32\loadGUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\gAlwaysIdle\gidle.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
D:\Acrobat\Acrotray.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\System64A.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ViewMate Keyboard KC207\OSD.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60075
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60075
O2 – BHO: Adobe PDF Reader Link Helper – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 – BHO: RealPlayer Download and Record Plugin for Internet Explorer – {3049C3E9-B461-4BC5-8870-4C09146192CA} – C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 – BHO: Spybot-S&D IE Protection – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: Yahoo! IE Services Button – {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} – C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 – BHO: Adobe PDF Conversion Toolbar Helper – {AE7CD045-E861-484f-8273-0445EE161910} – D:\Acrobat\AcroIEFavClient.dll
O2 – BHO: Burn4Free Toolbar Helper – {D187A56B-A33F-4CBE-9D77-459FC0BAE012} – C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O3 – Toolbar: Babylon – {965B54B0-71E0-4611-8DE7-F73FA0B20E26} – (no file)
O3 – Toolbar: Burn4Free Toolbar – {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} – C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O3 – Toolbar: Adobe PDF – {47833539-D0C5-4125-9FA8-0819E2EAAC93} – D:\Acrobat\AcroIEFavClient.dll
O4 – HKLM\..\Run: [BigDog303] “C:\WINDOWS\VM303_STI.EXE” VIMICRO USB PC Camera (ZC0301PLH)
O4 – HKLM\..\Run: [snpstd3] “C:\WINDOWS\vsnpstd3.exe”
O4 – HKLM\..\Run: [NvCplDaemon] “C:\WINDOWS\system32\RUNDLL32.EXE” C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] “C:\WINDOWS\system32\nwiz.exe” /install
O4 – HKLM\..\Run: [gidle] “C:\Program Files\gAlwaysIdle\gidle.exe”
O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 – HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 – HKLM\..\Run: [~ Disallowed ~] “C:\WINDOWS\system32\~ Disallowed ~.exe”
O4 – HKLM\..\Run: [HotKeysCmds] “C:\WINDOWS\system32\hkcmd.exe”
O4 – HKLM\..\Run: [Persistence] “C:\WINDOWS\system32\igfxpers.exe”
O4 – HKLM\..\Run: [NSLauncher] “C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe” /startup
O4 – HKLM\..\Run: [IntelAudioStudio] “C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe” BOOT
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 – HKLM\..\Run: [NvMediaCenter] “C:\WINDOWS\system32\RUNDLL32.EXE” C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [Acrobat Assistant 8.0] “D:\Acrobat\Acrotray.exe”
O4 – HKLM\..\Run: [System64A] C:\WINDOWS\system32\System64A.exe
O4 – HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 – HKLM\..\Run: [SpySweeper] “C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe” /startintray
O4 – HKCU\..\Run: [ctfmon.exe] “C:\WINDOWS\system32\ctfmon.exe”
O4 – HKCU\..\Run: [SpybotSD TeaTimer] “C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe”
O4 – HKCU\..\Run: [Google Update] “C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 – HKCU\..\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background
O4 – HKCU\..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 – HKCU\..\Run: [DownloadAccelerator] “C:\Program Files\DAP\DAP.EXE” /STARTUP
O4 – HKCU\..\Run: [amva] “C:\WINDOWS\system32\amvo.exe”
O4 – HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O4 – Startup: LogSys.exe
O4 – Global Startup: Media Key.lnk = C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe
O8 – Extra context menu item: &Clean Traces – C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 – Extra context menu item: &Download with &DAP – C:\Program Files\DAP\dapextie.htm
O8 – Extra context menu item: Append to existing PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Convert link target to Adobe PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Convert link target to existing PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Convert selected links to Adobe PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 – Extra context menu item: Convert selected links to existing PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 – Extra context menu item: Convert selection to Adobe PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Convert selection to existing PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Convert to Adobe PDF – res://D:\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Download &all with DAP – C:\Program Files\DAP\dapextie2.htm
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 – Extra context menu item: Save to &Xdrive – res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 – Extra context menu item: Translate with &Babylon – res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 – Extra button: Yahoo! Services – {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} – C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 – Extra button: (no name) – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 – Extra ‘Tools’ menuitem: Spybot – Search & Destroy Configuration – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) – http://go.microsoft.com/fwlink/?LinkId=82580
O16 – DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) – C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 – DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) – http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 – DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) – http://download.divx.com/player/DivXBrowserPlugin.cab
O16 – DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games – Installer) – http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 – DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) – http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 – DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) – https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 – Service: Ares Chatroom server (AresChatServer) – Unknown owner – C:\Program Files\Ares\chatServer.exe (file missing)
O23 – Service: C-DillaSrv – C-Dilla Ltd – C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 – Service: FLEXnet Licensing Service – Macrovision Europe Ltd. – C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 – Service: HP Port Resolver – Hewlett-Packard Company – C:\WINDOWS\system32\hpbpro.exe
O23 – Service: HP Status Server – Hewlett-Packard Company – C:\WINDOWS\system32\hpboid.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 – Service: iPod Service – Apple Inc. – C:\Program Files\iPod\bin\iPodService.exe
O23 – Service: Nakido – Nakido – C:\Program Files\Nakido\nakido.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe
O23 – Service: Pml Driver HPZ12 – HP – C:\WINDOWS\system32\HPZipm12.exe
O23 – Service: PnkBstrA – Unknown owner – C:\WINDOWS\system32\PnkBstrA.exe
O23 – Service: ServiceLayer – Nokia. – C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 – Service: System Protect Deletion Prevention Service (SP_Service) – Xacti Corporation – C:\Program Files\System Protect\SysProtect_srv.exe
O23 – Service: TuneUp Drive Defrag Service (TuneUp.Defrag) – TuneUp Software GmbH – C:\WINDOWS\System32\TuneUpDefragService.exe
O23 – Service: VideoAcceleratorService – Speedbit Ltd. – C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 – Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) – Webroot Software, Inc. (www.webroot.com) – C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 – Service: Webroot Client Service (WRConsumerService) – Webroot Software, Inc. – C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
—
End of file – 12129 bytes
It's my HijackThis logfile.
Please give me some advice.
I don't have any antivirus program or firewall.
And the problem is I can't run any antivirus program; when I try to run one, Windows auto shuts down, so
could you guys give me some advice on what to do, in detail, please?
I will be waiting for advice.
I would be much appreciative.
Cheers, dude
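As an added example, not code from this thread or from HijackThis itself: a small Python script that parses the O3/O4/O10/O23 line types of an HJT log like the one above and flags the entries a responder would review first. The sample log is constructed from a few of the lines posted above (with the forum's en dashes and curly quotes normalised to ASCII), and the rules it applies (dangling targets, services with no publisher string, bare executables in a Startup folder, per-user Run values pointing into the Windows directory, file names that mimic core processes) are generic first-pass heuristics of my own choosing, not a verdict on any specific file in the log.

```python
"""First-pass triage of a HijackThis (HJT) 2.x log.

Added example; it is not code from the thread or from HijackThis. It parses the
O3/O4/O10/O23 line types and flags entries a responder would check first. The
rules are generic review heuristics, not a malware identification.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample in the shape of the log posted above (a few lines only;
# the parser normalises the en dashes and curly quotes a forum paste adds).
SAMPLE_LOG = r"""
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [~ Disallowed ~] "C:\WINDOWS\system32\~ Disallowed ~.exe"
O4 - HKLM\..\Run: [System64A] C:\WINDOWS\system32\System64A.exe
O4 - HKCU\..\Run: [amva] "C:\WINDOWS\system32\amvo.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - Startup: LogSys.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<kind>Global Startup|Startup): (?P<rest>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'(?i)^\s*"?(?P<path>[a-z]:\\.+?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs))"?')
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
ODD_NAME_RE = re.compile(r"[^\w .\-()'&!]")

# Names malware likes to borrow: anything that starts with one of these stems
# but is not the canonical binary name is worth a second look (assumed list).
CORE_STEMS = ("svchost", "lsass", "csrss", "winlogon", "smss", "services", "spoolsv", "explorer", "system")
CORE_NAMES = {stem + ".exe" for stem in CORE_STEMS}
SMART_PUNCT = str.maketrans({"\u2013": "-", "\u2014": "-", "\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def first_exe(cmd: str) -> Optional[str]:
    """Return the executable a Run value launches, ignoring its arguments and
    the "(User ...)" suffix HJT appends to HKUS entries."""
    m = EXE_RE.match(USER_SUFFIX_RE.sub("", cmd))
    return m.group("path") if m else None


def reasons(line: str) -> Iterator[str]:
    """Yield one reason string per heuristic that fires on a (normalised) line."""
    if "(no file)" in line or "(file missing)" in line:
        yield "dangling entry: target file missing"
    if line.startswith("O10 - Unknown file in Winsock LSP"):
        yield "unrecognised Winsock LSP; identify the DLL before removing it (a broken LSP chain kills networking)"
    svc = SERVICE_RE.match(line)
    if svc and svc.group("owner") == "Unknown owner":
        yield "service binary carries no publisher string"
    run = RUN_RE.match(line)
    if run:
        hive, name, cmd = run.group("hive"), run.group("name"), run.group("cmd")
        if ODD_NAME_RE.search(name):
            yield "Run value name contains unusual characters"
        if hive.upper().startswith("HKUS\\S-1-5-18"):
            yield "autostart configured under the SYSTEM profile"
        exe = first_exe(cmd)
        if exe:
            base = exe.rsplit("\\", 1)[-1].lower()
            if base not in CORE_NAMES and base.startswith(CORE_STEMS):
                yield "file name mimics a core Windows process but is not the canonical binary"
            if hive.upper() != "HKLM" and "\\windows\\" in exe.lower():
                yield "per-user autostart pointing into the Windows directory"
    startup = STARTUP_RE.match(line)
    if startup and ".lnk" not in startup.group("rest").lower():
        yield "bare executable in a Startup folder (legitimate entries are normally .lnk shortcuts)"


def triage(log_text: str) -> list:
    """Normalise forum punctuation, run every heuristic over every line, and
    return one Finding per hit (a line can produce several)."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip().translate(SMART_PUNCT)
        if line:
            out.extend(Finding(line, why) for why in reasons(line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full log it prints one line per hit. Expect benign hits as well: on the log above, ctfmon.exe under HKCU trips the per-user rule and would go on an allowlist. The point is to shrink the list a human reads, not to decide what gets deleted.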
Hey
I need a ComboFix log
- Disable your resident guards (Spy Sweeper, SpyBot and MBAM)
- Download Combofix from the link below
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Save it to your Desktop
- Close all running applications and run ComboFix. If the virus prevents you from running it, rename it to something else
- Agree to its terms and it will start scanning. Do not click anywhere or do anything until it's done
- It might restart your computer. In any case it will present you with a log.
- Copy/paste the log in this thread inside a [code] box so I can give further instructions
Hey dude
Thanks for your advice.
But when I ran your ComboFix, it took over 40 minutes and hung, so I restarted the PC and ran it again; this time the PC moved slowly and couldn't connect to the Internet.
Then I ran it for the third time; now the PC can connect to the Internet, but the log file you mentioned didn't come out. It seems like the problem hasn't been solved yet.
When I type anti-virus in the browser and click search, the browser auto shuts down,
but when I type anything else it's allowed, so what should I do this time?
Try Malwarebytes’ Anti-Malware. It can be run in safe mode if needed.
Are you absolutely, positively sure you disabled all the guards?
Here's a walkthrough on how to disable SpyBot's TeaTimer
http://www.malwarehelp.org/how-to-enabledisable-spybot-teatimer.html
Follow it, restart and try ComboFix again. Don't worry, there are other tricks too if ComboFix won't work. Pim's suggestion is also worth trying
Dude
I have uninstalled the above 3 programs you indicated (Spy Sweeper, SpyBot and MBAM) and run ComboFix in Safe Mode, and got the log file here ~
ComboFix 08-10-18.03 – 2008-10-19 14:34:53.6 – NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1742 [GMT 8:00]
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
—- Previous Run ——-
.
C:\Documents and Settings\Desktop\dream_poem\Desktop_.ini
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\Config.ini
F:\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
2008-10-19 14:40 . 2008-10-19 14:4053,248–a——C:\temp\catchme.dll
2008-10-19 14:24 . 2008-10-19 14:24<DIR>d——–C:\temp\WPDNSE
2008-10-19 11:20 . 2008-10-19 14:40<DIR>d——–C:\temp\plugtmp-8
2008-10-18 03:09 . 2008-10-18 03:09<DIR>d——–C:\temp\hsperfdata_
2008-10-17 22:04 . 2008-10-17 22:04<DIR>d——–C:\WINDOWS\ERUNT
2008-10-17 21:55 . 2008-10-16 12:17<DIR>d——–C:\SDFix
2008-10-17 20:38 . 2008-10-17 20:39<DIR>d——–C:\temp\Rar$ML00.219
2008-10-17 20:38 . 2008-10-19 14:05<DIR>d——–C:\temp\Acrobat Distiller 8
2008-10-17 20:31 . 2008-10-19 14:40<DIR>d——–C:\temp\wrstemp
2008-10-17 20:24 . 2008-10-17 22:20<DIR>d——–C:\temp\is-QF4EM.tmp
2008-10-17 19:58 . 2008-10-17 20:01<DIR>d——–C:\temp\plugtmp-7
2008-10-17 14:28 . 2008-10-17 14:42<DIR>d——–C:\temp\plugtmp-6
2008-10-16 21:07 . 2008-10-16 21:07<DIR>d——–C:\temp\msohtmlclip1
2008-10-16 21:07 . 2008-10-16 21:07<DIR>d——–C:\temp\msohtmlclip
2008-10-16 16:12 . 2008-10-17 01:02<DIR>d——–C:\temp\Google Talk
2008-10-15 19:24 . 2008-10-15 19:24<DIR>d——–C:\temp\VBE
2008-10-14 08:22 . 2008-10-14 08:22<DIR>d——–C:\temp\GUM9.tmp
2008-10-13 23:23 . 2008-10-13 23:23<DIR>d——–C:\temp\OIS
2008-10-13 22:53 . 2003-06-05 21:1353,248–a——C:\WINDOWS\system32\Process.exe
2008-10-13 22:33 . 2008-10-19 14:01<DIR>d——–C:\Program Files\Spybot – Search & Destroy
2008-10-13 19:14 . 2008-10-13 19:14<DIR>d——–C:\Documents and Settings\Application Data\Malwarebytes
2008-10-13 19:13 . 2008-10-13 19:13<DIR>d——–C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 11:14 . 2008-10-13 20:44<DIR>d——–C:\temp\~nsu.tmp
2008-10-13 11:00 . 2008-10-13 19:55<DIR>d——–C:\temp\plugtmp-5
2008-10-13 01:48 . 2008-10-17 17:59<DIR>d——–C:\temp\plugtmp-4
2008-10-13 01:44 . 2008-10-19 14:40<DIR>d——–C:\temp\MessengerCache
2008-10-12 18:25 . 2008-10-13 00:14<DIR>d——–C:\temp\plugtmp-3
2008-10-12 18:03 . 2008-10-12 18:03<DIR>d——–C:\temp\Adobe
2008-10-12 16:03 . 2008-10-17 17:59<DIR>d——–C:\temp\RarSFX0
2008-10-12 13:13 . 2008-10-17 17:59<DIR>d——–C:\temp\plugtmp-2
2008-10-12 12:53 . 2008-10-17 17:59<DIR>d——–C:\temp\nsc23.tmp
2008-10-12 12:51 . 2008-10-17 17:59<DIR>d——–C:\temp\plugtmp-1
2008-10-12 12:45 . 2008-10-17 17:59<DIR>d——–C:\temp\nsnA5.tmp
2008-10-12 10:42 . 2008-10-17 17:59<DIR>d——–C:\temp\plugtmp
2008-10-11 20:18 . 2008-10-11 20:18<DIR>d——–C:\Program Files\Trend Micro
2008-10-11 19:54 . 2008-10-11 19:54<DIR>d——–C:\Program Files\SmartClose
2008-10-11 19:32 . 2008-10-11 19:3223,600–a——C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-10-11 17:56 . 2008-10-11 17:56<DIR>d——–C:\WINDOWS\EffectResources
2008-10-11 17:56 . 2008-10-11 19:20<DIR>d——–C:\WINDOWS\CatRoot
2008-10-11 17:56 . 2008-10-11 17:56<DIR>d——–C:\Program Files\Vimicro
2008-10-11 17:56 . 2005-05-02 16:4553,248–a——C:\WINDOWS\Sti303.exe
2008-10-11 17:56 . 2005-05-18 10:5532,768–a——C:\WINDOWS\VMZoom.exe
2008-10-11 17:56 . 2005-05-18 10:5424,576–a——C:\WINDOWS\VMPipe.dll
2008-10-11 15:15 . 2008-04-14 00:1560,032–a——C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-10-11 15:15 . 2008-04-14 00:1560,032–a–c—C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-10-08 00:00 . 2004-06-07 14:0918,220–a——C:\WINDOWS\system32\drivers\UsbFltr.sys
2008-10-07 23:59 . 2008-10-08 00:00<DIR>d——–C:\Program Files\ViewMate Keyboard KC207
2008-09-23 20:44 . 2008-09-23 20:44<DIR>d——–C:\Program Files\Proxy Switcher Standard
2008-09-23 20:44 . 2008-09-23 20:44<DIR>d——–C:\Documents and Settings\Application Data\WNR
2008-09-21 20:30 . 2008-09-21 20:30<DIR>d——–C:\Documents and Settings\Application Data\FDRLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 06:29———d—–wC:\Program Files\Nakido
2008-10-19 06:08114—-a-wC:\sccfg.sys
2008-10-19 06:04———d—a-wC:\Documents and Settings\All Users\Application Data\TEMP
2008-10-19 06:01———d—–wC:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy
2008-10-17 07:44———d—–wC:\Program Files\Folder Lock
2008-10-13 14:554,282—-a-wC:\WINDOWS\system32\tmp.reg
2008-10-12 05:52———d—–wC:\Program Files\Common Files\Wise Installation Wizard
2008-10-11 12:05———d—–wC:\Program Files\Common Files\AVSMedia
2008-10-11 09:56———d–h–wC:\Program Files\InstallShield Installation Information
2008-09-27 20:22———d—–wC:\Program Files\Nokia
2008-09-27 20:22———d—–wC:\Program Files\Common Files\Nokia
2008-09-25 04:30———d—–wC:\Program Files\speed-bit
2008-09-25 02:54———d—–wC:\Program Files\Windows Live
2008-09-23 05:35———d—–wC:\Documents and Settings\Application Data\U3
2008-09-17 23:45———d—–wC:\Program Files\Boson Software
2008-09-17 23:38———d—–wC:\Documents and Settings\Application Data\eBookPro6
2008-09-16 06:31———d—–wC:\Program Files\TuneUp Utilities 2008
2008-09-15 17:19———d—–wC:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 17:16———d—–wC:\Program Files\Common Files\Macrovision Shared
2008-09-15 17:06———d—–wC:\Program Files\Common Files\Adobe
2008-09-14 06:52———d—–wC:\Program Files\SimpleCenter
2008-09-14 06:39———d—–wC:\Program Files\RA
2008-09-14 05:15———d—–wC:\Program Files\Yahoo!
2008-09-14 05:13———d—–wC:\Program Files\Supertintin for Msn
2008-09-14 05:12———d—–wC:\Program Files\USB Disk Security
2008-09-14 05:12———d—–wC:\Program Files\Active WebCam
2008-09-13 20:48———d—–wC:\Documents and Settings\Application Data\Media Player Classic
2008-09-13 02:43———d—–wC:\Program Files\Common Files\Apple
2008-09-12 05:37———d—–wC:\Program Files\Password Protect USB
2008-09-12 05:35———d—–wC:\Program Files\a-squared Free
2008-09-12 05:21———d—–wC:\Documents and Settings\Administrator\Application Data\PC Suite
2008-09-12 05:21———d—–wC:\Documents and Settings\Administrator\Application Data\Nokia
2008-09-11 20:07———d—–wC:\Documents and Settings\Application Data\dvdcss
2008-09-11 07:04———d—–wC:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-10 02:28———d—–wC:\Program Files\iTunes
2008-09-10 02:28———d—–wC:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 02:27———d—–wC:\Program Files\iPod
2008-09-10 02:22———d—–wC:\Program Files\QuickTime
2008-09-07 16:33———d—–wC:\Program Files\Stronghold Crusader
2008-09-06 16:35720,896—-a-wC:\WINDOWS\iun6002.exe
2008-09-03 10:53———d—–wC:\Documents and Settings\All Users\Application Data\PY_Software
2008-08-31 17:32———d—–wC:\Program Files\APV
2008-08-30 06:3243,520—-a-wC:\WINDOWS\system32\CmdLineExt03.dll
2008-08-30 06:30———d—–wC:\Program Files\Alcohol Soft
2008-08-30 06:28716,272—-a-wC:\WINDOWS\system32\drivers\sptd.sys
2008-08-28 10:58———d—–wC:\Program Files\Microsoft Games
2008-08-27 18:30———d—–wC:\Program Files\SpeedBit Video Accelerator
2008-08-27 17:59———d—–wC:\Program Files\DAP
2008-08-27 12:07———d—–wC:\Documents and Settings\All Users\Application Data\SpeedBit
2008-08-27 04:05———d—–wC:\Program Files\directx
2008-08-23 10:29———d—–wC:\Program Files\Common Files\MainConcept
2008-08-21 19:08878,592—-a-wC:\WINDOWS\system32\wininet.dll
2008-08-21 19:0843,008—-a-wC:\WINDOWS\system32\licmgr10.dll
2008-08-21 19:0718,944—-a-wC:\WINDOWS\system32\corpol.dll
2008-08-21 19:0672,704—-a-wC:\WINDOWS\system32\admparse.dll
2008-08-21 19:0671,680—-a-wC:\WINDOWS\system32\iesetup.dll
2008-08-21 19:06434,176—-a-wC:\WINDOWS\system32\vbscript.dll
2008-08-21 19:0548,640——wC:\WINDOWS\system32\PrivacIE.dll
2008-08-21 19:0548,128—-a-wC:\WINDOWS\system32\mshtmler.dll
2008-08-21 19:0535,840—-a-wC:\WINDOWS\system32\imgutil.dll
2008-08-21 19:0445,568—-a-wC:\WINDOWS\system32\mshta.exe
2008-08-21 18:57156,160—-a-wC:\WINDOWS\system32\msls31.dll
2008-08-21 09:45———d—–wC:\Program Files\Apple Software Update
2008-08-17 01:261,049,784——wC:\WINDOWS\wweb32.dll
2008-08-05 09:55265,720—-a-wC:\WINDOWS\system32\msdbg2.dll
2008-07-11 06:2381,920—-a-wC:\Documents and Settings\Application Data\ezpinst.exe
2008-02-29 16:337,655,024—-a-wC:\Documents and Settings\d0zxs4q2.exe
2008-02-19 14:0724,740—-atwC:\Documents and Settings\SIntfNT.dll
2008-02-19 14:0720,020—-atwC:\Documents and Settings\SIntf32.dll
2008-02-19 14:0712,305—-atwC:\Documents and Settings\SIntf16.dll
2008-02-19 14:0690,112—-a-wC:\Documents and Settings\CmdLineExt03.dll
2008-02-18 16:141,563,232—-atwC:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
2008-02-07 15:1965,536—-a-wC:\Documents and Settings\drm_dialogs.dll
2008-02-07 15:19212,992—-a-wC:\Documents and Settings\drm_dyndata_7330014.dll
2007-12-31 05:5686,016—-a-wC:\Documents and Settings\cabex.dll
2007-02-27 14:08456,416—-a-rC:\Documents and Settings\_is14D3.exe
2007-02-27 14:08456,416—-a-rC:\Documents and Settings\_is14CB.exe
2007-02-12 06:37150,632—-a-wC:\Documents and Settings\AcDeltree.exe
2007-01-29 07:061,145,896—-a-wC:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
2007-01-09 07:091,636,376—-a-wC:\Documents and Settings\ycomp_setup.exe
2002-01-10 18:1010,240—-a-wC:\Documents and Settings\uitools.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-07-11 11:14806912–a——C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}”= “C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll” [2008-07-11 806912]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}”= “C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll” [2008-07-11 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@=”{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}”
[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-27 19:1877824–a——C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@=”{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}”
[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-27 19:1877824–a——C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@=”{39C2972F-3338-471B-8D67-FA82E46E3AC2}”
[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-27 19:1877824–a——C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=”C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 15360]
“Google Update”=”C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” [2008-09-03 133104]
“msnmsgr”=”C:\Program Files\Windows Live\Messenger\msnmsgr.exe” [2007-10-18 5724184]
“Yahoo! Pager”=”C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 4670704]
“DownloadAccelerator”=”C:\Program Files\DAP\DAP.EXE” [2008-08-27 3057152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BigDog303″=”C:\WINDOWS\VM303_STI.EXE” [2005-10-25 61440]
“snpstd3″=”C:\WINDOWS\vsnpstd3.exe” [2006-09-20 827392]
“NvCplDaemon”=”C:\WINDOWS\system32\NvCpl.dll” [2006-10-22 7700480]
“nwiz”=”C:\WINDOWS\system32\nwiz.exe” [2006-10-22 1622016]
“gidle”=”C:\Program Files\gAlwaysIdle\gidle.exe” [2007-09-07 49152]
“Adobe Reader Speed Launcher”=”C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 39792]
“TkBellExe”=”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-12-02 185896]
“~ Disallowed ~”=”C:\WINDOWS\system32\~ Disallowed ~.exe” [2008-02-08 135168]
“HotKeysCmds”=”C:\WINDOWS\system32\hkcmd.exe” [2008-02-08 159744]
“Persistence”=”C:\WINDOWS\system32\igfxpers.exe” [2008-02-08 131072]
“NSLauncher”=”C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe” [2007-09-07 3100672]
“IntelAudioStudio”=”C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe” [2006-06-07 9129984]
“QuickTime Task”=”C:\Program Files\QuickTime\QTTask.exe” [2008-09-06 413696]
“NvMediaCenter”=”C:\WINDOWS\system32\NvMcTray.dll” [2006-10-22 86016]
“Acrobat Assistant 8.0″=”D:\Acrobat\Acrotray.exe” [2008-01-11 623992]
“System64A”=”C:\WINDOWS\system32\System64A.exe” [2008-01-25 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“MySpaceIM”=”C:\Program Files\MySpace\IM\MySpaceIM.exe” [2008-02-02 8699904]
C:\Documents and Settings\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Media Key.lnk – C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe [2008-10-07 159744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-26 11:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^VP-EYE.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\VP-EYE.lnk
backup=C:\WINDOWS\pss\VP-EYE.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb Pro.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb Pro.lnk
backup=C:\WINDOWS\pss\WordWeb Pro.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APV]
--a------ 2008-06-27 16:09 192512 C:\Program Files\APV\autostart_and_process_viewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2008-02-27 11:19 3551456 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2007-12-24 21:35 471040 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-08-27 20:07 3057152 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 15:43 133104 C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 05:34 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2006-06-07 17:11 9129984 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 08:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-02 04:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
--a------ 2008-04-04 10:44 139264 C:\Documents and Settings\Desktop\Set up(s)\New\CPE17AntiAutorun1330.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
--a------ 2007-01-18 00:44 1302528 C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
--a------ 2007-04-15 14:31 1291264 C:\Program Files\Rainlendar2\Rainlendar2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedBitVideoAccelerator]
--a------ 2008-08-27 20:10 2705008 C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtect]
--a------ 2008-03-05 23:09 1223680 C:\Program Files\System Protect\SysProtect_Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZOchat]
--a------ 2008-10-10 19:34 1928704 C:\PROGRA~1\Visicron\VZOchat\VZOchat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon]
--a------ 2008-02-27 19:21 253952 C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"a2free"=2 (0x2)
"ALG"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nakido\\nakido.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"C:\\Program Files\\Visicron\\VZOchat\\VZOchat.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2004-06-07 18220]
S1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2003-03-27 11776]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-06 46112]
S2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
S2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-08-27 35584]
S2 SP_Service;System Protect Deletion Prevention Service;C:\Program Files\System Protect\SysProtect_srv.exe [2008-03-05 598528]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-27 292472]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2008-04-14 4992]
S3 sp_prot;System Protect Filter Driver;C:\WINDOWS\system32\drivers\sp_prot.sys [2008-03-05 12288]
S3 tenCapture;tenCapture;C:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-07 355584]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [ ]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2008-03-07 23040]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46116219-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e039-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
\Shell\AutoRun\command - 1ce.cmd
\Shell\explore\Command - 1ce.cmd
\Shell\open\Command - 1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
\Shell\AutoRun\command - H:\1ce.cmd
\Shell\explore\Command - H:\1ce.cmd
\Shell\open\Command - H:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4efe450-cbb6-11dc-aa14-001676d671aa}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1c-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1e-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
\Shell\1\Command - F:\syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-19 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 15:43]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-amva - C:\WINDOWS\system32\amvo.exe
MSConfigStartUp-ares - C:\Program Files\Ares\Ares.exe
MSConfigStartUp-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-HP Software Update - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-USB Antivirus - C:\Program Files\USB Disk Security\USBGuard.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\yco8kbj6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Documents and Settings\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 14:40:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-10-19 14:44:52
ComboFix-quarantined-files.txt 2008-10-19 06:43:47
Pre-Run: 2,395,979,776 bytes free
Post-Run: 2,381,426,688 bytes free
433  --- E O F --- 2008-09-10 10:49:23
So, what should I do next?
Also, thanks to ,,
Here's the thing: ComboFix cannot be used properly in Safe Mode. It's out of the question. Anyway, we got the log. Let's just hope it got everything. Remember, you must do this in normal Windows mode, not Safe Mode.
Open Notepad. Copy/paste the following from the code box into it (one path per line):
File::
C:\sccfg.sys
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\_is14CB.exe
C:\WINDOWS\system32\System64A.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.exe
C:\WINDOWS\system32\1746D986.EXE
Save it as CFScript.txt on the desktop. Drag and drop CFScript onto ComboFix (meaning drag CFScript's icon and drop it over ComboFix's icon).
Hopefully it will run now. Come back with the new log.
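The triage the helper did by eye above, as an added example that is not part of this thread and not ComboFix's own code: a Python script that applies the same three indicators to a ComboFix log excerpt and drafts the CFScript File:: block from the results. The indicators are the pair of Run/Startup targets with an identical date and size under different names (System64A.exe and LogSys.exe, both [2008-01-25 15872]), the service whose name and image file are both random 8-hex-digit strings (S4 F0F92E57 running 1746D986.EXE), and the mountpoints2 shell hooks that run a script (F:\1ce.cmd) or a bare relative name ("THE FLASH.exe") resolved on the removable volume. The heuristics, the regular expressions and the sample log (assembled from lines quoted on this page) are assumptions for illustration; the CFScript above was written by the helper by hand.

```python
r"""Triage a ComboFix log excerpt and draft the CFScript "File::" block.

Added example for this thread; not ComboFix code and not the helper's script.
Heuristics (assumptions, taken from what the helper flagged by eye):
  1. Run-key / Startup-folder targets sharing one (date, size) fingerprint.
  2. Services whose name and image file are both 8-hex-digit strings.
  3. mountpoints2 shell commands running a script or a relative file name.
Only kinds 1 and 2 go into File::; kind 3 lives on the USB stick itself.
"""
import re
from collections import defaultdict

# Constructed sample built from lines quoted in this thread (ASCII-normalised).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-02 185896]
"System64A"="C:\WINDOWS\system32\System64A.exe" [2008-01-25 15872]
C:\Documents and Settings\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
S2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
"""

RUN_ENTRY = re.compile(r'^"[^"]+"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
STARTUP_DIR = re.compile(r'^[A-Za-z]:\\.*\\$')
STARTUP_ITEM = re.compile(r'^(?P<item>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
SERVICE = re.compile(r'^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<image>.+?) \[[^\]]*\]$')
MOUNTPOINT = re.compile(r'^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<vol>[^\]]+)\]$', re.I)
SHELL_CMD = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$', re.I)
HEX8 = re.compile(r'^[0-9A-F]{8}$', re.I)
RUNNABLE = ('.exe', '.com', '.cmd', '.bat', '.vbs', '.pif', '.scr')
SCRIPTS = ('.cmd', '.bat', '.vbs')


def autorun_reason(cmd):
    """Why a mountpoints2 shell command looks like a USB-worm hook, else None."""
    for tok in cmd.split():
        low = tok.lower()
        if not low.endswith(RUNNABLE):
            continue
        if low.endswith(SCRIPTS):
            return "script launched from removable volume"
        if ":\\" not in tok:               # no drive letter: resolved against the stick's root
            return "relative file name resolved on the removable volume"
    return None


def triage(log_text):
    """Walk the log once and collect the three kinds of indicator."""
    fingerprints = defaultdict(set)        # (date, size) -> {target paths}
    random_services, removable_autoruns = [], []
    startup_dir = volume = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):           # a registry key header ends any startup-folder block
            startup_dir = None
            m = MOUNTPOINT.match(line)
            volume = m["vol"] if m else None
        elif m := RUN_ENTRY.match(line):
            fingerprints[(m["date"], m["size"])].add(m["path"])
        elif m := SERVICE.match(line):
            stem = m["image"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if HEX8.match(m["svc"]) and HEX8.match(stem):
                random_services.append((m["svc"], m["image"]))
        elif (m := SHELL_CMD.match(line)) and volume:
            reason = autorun_reason(m["cmd"])
            if reason:
                removable_autoruns.append((volume, m["verb"], m["cmd"], reason))
        elif STARTUP_DIR.match(line):
            startup_dir = line
        elif (m := STARTUP_ITEM.match(line)) and startup_dir:
            item = m["item"]               # "Foo.lnk - C:\x.exe" lines name the shortcut target
            target = item.split(" - ", 1)[1] if " - " in item else startup_dir + item
            fingerprints[(m["date"], m["size"])].add(target)
    duplicates = {fp: sorted(p) for fp, p in fingerprints.items() if len(p) > 1}
    return {"duplicate_groups": duplicates, "random_services": random_services,
            "removable_autoruns": removable_autoruns}


def cfscript_paths(findings):
    """Fixed-disk files worth listing under CFScript's File:: directive."""
    paths = set()
    for group in findings["duplicate_groups"].values():
        paths.update(group)
    paths.update(image for _svc, image in findings["random_services"])
    return sorted(paths, key=str.lower)


def build_cfscript(findings):
    return "File::\n" + "\n".join(cfscript_paths(findings)) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind in ("duplicate_groups", "random_services", "removable_autoruns"):
        print(kind, found[kind])
    print(build_cfscript(found), end="")
```

On the sample the File:: output names exactly the three fixed-disk files that also appear in the helper's script (LogSys.exe, 1746D986.EXE and System64A.exe), while the F:\1ce.cmd and THE FLASH.exe hooks are reported separately, because those files sit on the removable drives rather than on C: and have to be cleaned there. The script-extension and relative-name rules are deliberately narrow: an absolute path to an .exe such as H:\LaunchU3.exe is not flagged, so the output is a starting point for a human reviewer, not a verdict.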
Yup, it worked now. Here is the new log:
ComboFix 08-10-18.03 - 2008-10-19 15:15:36.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1493 [GMT 8:00]
Running from: C:\Documents and Settings\\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.exe
C:\sccfg.sys
C:\WINDOWS\system32\1746D986.EXE
C:\WINDOWS\system32\System64A.exe
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\System64A.exe
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
2008-10-19 15:16 . 2008-10-19 15:16  <DIR>  d--------  C:\temp\WPDNSE
2008-10-19 11:20 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\plugtmp-8
2008-10-18 03:09 . 2008-10-18 03:09  <DIR>  d--------  C:\temp\hsperfdata_
2008-10-17 22:04 . 2008-10-17 22:04  <DIR>  d--------  C:\WINDOWS\ERUNT
2008-10-17 21:55 . 2008-10-16 12:17  <DIR>  d--------  C:\SDFix
2008-10-17 20:38 . 2008-10-17 20:39  <DIR>  d--------  C:\temp\Rar$ML00.219
2008-10-17 20:38 . 2008-10-19 14:48  <DIR>  d--------  C:\temp\Acrobat Distiller 8
2008-10-17 20:31 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\wrstemp
2008-10-17 20:24 . 2008-10-17 22:20  <DIR>  d--------  C:\temp\is-QF4EM.tmp
2008-10-17 19:58 . 2008-10-17 20:01  <DIR>  d--------  C:\temp\plugtmp-7
2008-10-17 14:28 . 2008-10-17 14:42  <DIR>  d--------  C:\temp\plugtmp-6
2008-10-16 21:07 . 2008-10-16 21:07  <DIR>  d--------  C:\temp\msohtmlclip1
2008-10-16 21:07 . 2008-10-16 21:07  <DIR>  d--------  C:\temp\msohtmlclip
2008-10-16 16:12 . 2008-10-17 01:02  <DIR>  d--------  C:\temp\Google Talk
2008-10-15 19:24 . 2008-10-15 19:24  <DIR>  d--------  C:\temp\VBE
2008-10-14 08:22 . 2008-10-14 08:22  <DIR>  d--------  C:\temp\GUM9.tmp
2008-10-13 23:23 . 2008-10-13 23:23  <DIR>  d--------  C:\temp\OIS
2008-10-13 22:53 . 2003-06-05 21:13  53,248  --a------  C:\WINDOWS\system32\Process.exe
2008-10-13 22:33 . 2008-10-19 14:01  <DIR>  d--------  C:\Program Files\Spybot - Search & Destroy
2008-10-13 19:14 . 2008-10-13 19:14  <DIR>  d--------  C:\Documents and Settings\\Application Data\Malwarebytes
2008-10-13 19:13 . 2008-10-13 19:13  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 11:14 . 2008-10-13 20:44  <DIR>  d--------  C:\temp\~nsu.tmp
2008-10-13 11:00 . 2008-10-13 19:55  <DIR>  d--------  C:\temp\plugtmp-5
2008-10-13 01:48 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-4
2008-10-13 01:44 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\MessengerCache
2008-10-12 18:25 . 2008-10-13 00:14  <DIR>  d--------  C:\temp\plugtmp-3
2008-10-12 18:03 . 2008-10-12 18:03  <DIR>  d--------  C:\temp\Adobe
2008-10-12 16:03 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\RarSFX0
2008-10-12 13:13 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-2
2008-10-12 12:53 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\nsc23.tmp
2008-10-12 12:51 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-1
2008-10-12 12:45 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\nsnA5.tmp
2008-10-12 10:42 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp
2008-10-11 20:18 . 2008-10-11 20:18  <DIR>  d--------  C:\Program Files\Trend Micro
2008-10-11 19:54 . 2008-10-11 19:54  <DIR>  d--------  C:\Program Files\SmartClose
2008-10-11 19:32 . 2008-10-11 19:32  23,600  --a------  C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-10-11 17:56 . 2008-10-11 17:56  <DIR>  d--------  C:\WINDOWS\EffectResources
2008-10-11 17:56 . 2008-10-11 19:20  <DIR>  d--------  C:\WINDOWS\CatRoot
2008-10-11 17:56 . 2008-10-11 17:56  <DIR>  d--------  C:\Program Files\Vimicro
2008-10-11 17:56 . 2005-05-02 16:45  53,248  --a------  C:\WINDOWS\Sti303.exe
2008-10-11 17:56 . 2005-05-18 10:55  32,768  --a------  C:\WINDOWS\VMZoom.exe
2008-10-11 17:56 . 2005-05-18 10:54  24,576  --a------  C:\WINDOWS\VMPipe.dll
2008-10-11 15:15 . 2008-04-14 00:15  60,032  --a------  C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-10-11 15:15 . 2008-04-14 00:15  60,032  --a--c---  C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-10-08 00:00 . 2004-06-07 14:09  18,220  --a------  C:\WINDOWS\system32\drivers\UsbFltr.sys
2008-10-07 23:59 . 2008-10-08 00:00  <DIR>  d--------  C:\Program Files\ViewMate Keyboard KC207
2008-09-23 20:44 . 2008-09-23 20:44  <DIR>  d--------  C:\Program Files\Proxy Switcher Standard
2008-09-23 20:44 . 2008-09-23 20:44  <DIR>  d--------  C:\Documents and Settings\\Application Data\WNR
2008-09-21 20:30 . 2008-09-21 20:30  <DIR>  d--------  C:\Documents and Settings\\Application Data\FDRLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 06:48  ---------  d---a-w  C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-19 06:48  ---------  d-----w  C:\Program Files\Nakido
2008-10-19 06:01  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 07:44  ---------  d-----w  C:\Program Files\Folder Lock
2008-10-12 05:52  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-10-11 12:05  ---------  d-----w  C:\Program Files\Common Files\AVSMedia
2008-10-11 09:56  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-09-27 20:22  ---------  d-----w  C:\Program Files\Nokia
2008-09-27 20:22  ---------  d-----w  C:\Program Files\Common Files\Nokia
2008-09-25 04:30  ---------  d-----w  C:\Program Files\speed-bit
2008-09-25 02:54  ---------  d-----w  C:\Program Files\Windows Live
2008-09-23 05:35  ---------  d-----w  C:\Documents and Settings\\Application Data\U3
2008-09-17 23:45  ---------  d-----w  C:\Program Files\Boson Software
2008-09-17 23:38  ---------  d-----w  C:\Documents and Settings\\Application Data\eBookPro6
2008-09-16 06:31  ---------  d-----w  C:\Program Files\TuneUp Utilities 2008
2008-09-15 17:19  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 17:16  ---------  d-----w  C:\Program Files\Common Files\Macrovision Shared
2008-09-15 17:06  ---------  d-----w  C:\Program Files\Common Files\Adobe
2008-09-14 06:52  ---------  d-----w  C:\Program Files\SimpleCenter
2008-09-14 06:39  ---------  d-----w  C:\Program Files\RA
2008-09-14 05:15  ---------  d-----w  C:\Program Files\Yahoo!
2008-09-14 05:13  ---------  d-----w  C:\Program Files\Supertintin for Msn
2008-09-14 05:12  ---------  d-----w  C:\Program Files\USB Disk Security
2008-09-14 05:12  ---------  d-----w  C:\Program Files\Active WebCam
2008-09-13 20:48  ---------  d-----w  C:\Documents and Settings\\Application Data\Media Player Classic
2008-09-13 02:43  ---------  d-----w  C:\Program Files\Common Files\Apple
2008-09-12 05:37  ---------  d-----w  C:\Program Files\Password Protect USB
2008-09-12 05:35  ---------  d-----w  C:\Program Files\a-squared Free
2008-09-12 05:21  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-09-12 05:21  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\Nokia
2008-09-11 20:07  ---------  d-----w  C:\Documents and Settings\Application Data\dvdcss
2008-09-11 07:04  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-10 02:28  ---------  d-----w  C:\Program Files\iTunes
2008-09-10 02:28  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 02:27  ---------  d-----w  C:\Program Files\iPod
2008-09-10 02:22  ---------  d-----w  C:\Program Files\QuickTime
2008-09-07 16:33  ---------  d-----w  C:\Program Files\Stronghold Crusader
2008-09-06 16:35  720,896  ----a-w  C:\WINDOWS\iun6002.exe
2008-09-03 10:53  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\PY_Software
2008-08-31 17:32  ---------  d-----w  C:\Program Files\APV
2008-08-30 06:32  43,520  ----a-w  C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-30 06:30  ---------  d-----w  C:\Program Files\Alcohol Soft
2008-08-30 06:28  716,272  ----a-w  C:\WINDOWS\system32\drivers\sptd.sys
2008-08-28 10:58  ---------  d-----w  C:\Program Files\Microsoft Games
2008-08-27 18:30  ---------  d-----w  C:\Program Files\SpeedBit Video Accelerator
2008-08-27 17:59  ---------  d-----w  C:\Program Files\DAP
2008-08-27 12:07  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-08-27 04:05  ---------  d-----w  C:\Program Files\directx
2008-08-23 10:29  ---------  d-----w  C:\Program Files\Common Files\MainConcept
2008-08-21 19:08  878,592  ----a-w  C:\WINDOWS\system32\wininet.dll
2008-08-21 19:08  43,008  ----a-w  C:\WINDOWS\system32\licmgr10.dll
2008-08-21 19:07  18,944  ----a-w  C:\WINDOWS\system32\corpol.dll
2008-08-21 19:06  72,704  ----a-w  C:\WINDOWS\system32\admparse.dll
2008-08-21 19:06  71,680  ----a-w  C:\WINDOWS\system32\iesetup.dll
2008-08-21 19:06  434,176  ----a-w  C:\WINDOWS\system32\vbscript.dll
2008-08-21 19:05  48,640  ------w  C:\WINDOWS\system32\PrivacIE.dll
2008-08-21 19:05  48,128  ----a-w  C:\WINDOWS\system32\mshtmler.dll
2008-08-21 19:05  35,840  ----a-w  C:\WINDOWS\system32\imgutil.dll
2008-08-21 19:04  45,568  ----a-w  C:\WINDOWS\system32\mshta.exe
2008-08-21 18:57  156,160  ----a-w  C:\WINDOWS\system32\msls31.dll
2008-08-21 09:45  ---------  d-----w  C:\Program Files\Apple Software Update
2008-08-17 01:26  1,049,784  ------w  C:\WINDOWS\wweb32.dll
2008-08-05 09:55  265,720  ----a-w  C:\WINDOWS\system32\msdbg2.dll
2008-07-11 06:23  81,920  ----a-w  C:\Documents and Settings\Application Data\ezpinst.exe
2008-02-29 16:33  7,655,024  ----a-w  C:\Documents and Settings\d0zxs4q2.exe
2008-02-19 14:07  24,740  ----atw  C:\Documents and Settings\SIntfNT.dll
2008-02-19 14:07  20,020  ----atw  C:\Documents and Settings\SIntf32.dll
2008-02-19 14:07  12,305  ----atw  C:\Documents and Settings\SIntf16.dll
2008-02-19 14:06  90,112  ----a-w  C:\Documents and Settings\CmdLineExt03.dll
2008-02-18 16:14  1,563,232  ----atw  C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
2008-02-07 15:19  65,536  ----a-w  C:\Documents and Settings\drm_dialogs.dll
2008-02-07 15:19  212,992  ----a-w  C:\Documents and Settings\drm_dyndata_7330014.dll
2007-12-31 05:56  86,016  ----a-w  C:\Documents and Settings\cabex.dll
2007-02-27 14:08  456,416  ----a-r  C:\Documents and Settings\_is14D3.exe
2007-02-27 14:08  456,416  ----a-r  C:\Documents and Settings\_is14CB.exe
2007-02-12 06:37  150,632  ----a-w  C:\Documents and Settings\AcDeltree.exe
2007-01-29 07:06  1,145,896  ----a-w  C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
2007-01-09 07:09  1,636,376  ----a-w  C:\Documents and Settings\ycomp_setup.exe
2002-01-10 18:10  10,240  ----a-w  C:\Documents and Settings\uitools.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-19_14.42.50.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-19 03:05:35  2,444  ----a-w  C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
+ 2008-10-19 03:05:35  3,662  ----a-w  C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-07-11 11:14  806912  --a------  C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-07-11 806912]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-07-11 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@="{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}"
[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@="{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}"
[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@="{39C2972F-3338-471B-8D67-FA82E46E3AC2}"
[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.EXE" [2008-08-27 3057152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 61440]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-20 827392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2006-10-22 1622016]
"gidle"="C:\Program Files\gAlwaysIdle\gidle.exe" [2007-09-07 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-02 185896]
"~ Disallowed ~"="C:\WINDOWS\system32\~ Disallowed ~.exe" [2008-02-08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-08 131072]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"Acrobat Assistant 8.0"="D:\Acrobat\Acrotray.exe" [2008-01-11 623992]
"System64A"="C:\WINDOWS\system32\System64A.exe" [2008-01-25 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-02 8699904]
C:\Documents and Settings\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Media Key.lnk - C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe [2008-10-07 159744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-26 11:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^VP-EYE.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\VP-EYE.lnk
backup=C:\WINDOWS\pss\VP-EYE.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb Pro.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb Pro.lnk
backup=C:\WINDOWS\pss\WordWeb Pro.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APV]
--a------ 2008-06-27 16:09 192512 C:\Program Files\APV\autostart_and_process_viewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2008-02-27 11:19 3551456 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2007-12-24 21:35 471040 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-08-27 20:07 3057152 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 15:43 133104 C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 05:34 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2006-06-07 17:11 9129984 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 08:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-02 04:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
--a------ 2008-04-04 10:44 139264 C:\Documents and Settings\Desktop\Set up(s)\New\CPE17AntiAutorun1330.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
--a------ 2007-01-18 00:44 1302528 C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
--a------ 2007-04-15 14:31 1291264 C:\Program Files\Rainlendar2\Rainlendar2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedBitVideoAccelerator]
--a------ 2008-08-27 20:10 2705008 C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtect]
--a------ 2008-03-05 23:09 1223680 C:\Program Files\System Protect\SysProtect_Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZOchat]
--a------ 2008-10-10 19:34 1928704 C:\PROGRA~1\Visicron\VZOchat\VZOchat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon]
--a------ 2008-02-27 19:21 253952 C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"a2free"=2 (0x2)
"ALG"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nakido\\nakido.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"C:\\Program Files\\Visicron\\VZOchat\\VZOchat.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2003-03-27 11776]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2004-06-07 18220]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-06 46112]
R2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-08-27 35584]
R2 SP_Service;System Protect Deletion Prevention Service;C:\Program Files\System Protect\SysProtect_srv.exe [2008-03-05 598528]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-27 292472]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2008-04-14 4992]
R3 sp_prot;System Protect Filter Driver;C:\WINDOWS\system32\drivers\sp_prot.sys [2008-03-05 12288]
R3 tenCapture;tenCapture;C:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-07 355584]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [ ]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2008-03-07 23040]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command – H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
\Shell\AutoRun\command – F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46116219-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e039-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
\Shell\AutoRun\command – setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
\Shell\AutoRun\command – F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
\Shell\AutoRun\command – 1ce.cmd
\Shell\explore\Command – 1ce.cmd
\Shell\open\Command – 1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
\Shell\AutoRun\command – H:\1ce.cmd
\Shell\explore\Command – H:\1ce.cmd
\Shell\open\Command – H:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4efe450-cbb6-11dc-aa14-001676d671aa}]
\Shell\AutoRun\command – G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1c-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1e-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
\Shell\1\Command – F:\syssetup.exe
\Shell\AutoRun\command – C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
*Newly Created Service* – CATCHME
.
Contents of the ‘Scheduled Tasks’ folder
2008-10-19 C:\WINDOWS\Tasks\1-Click Maintenance.job
– C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
– C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
– C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 15:43]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 15:18:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: **************************************************************************
.
Completion time: 2008-10-19 15:21:01
ComboFix-quarantined-files.txt 2008-10-19 07:20:56
Pre-Run: 2,360,745,984 bytes free
Post-Run: 2,344,517,632 bytes free
426 --- E O F --- 2008-09-10 10:49:23
So, what else now?
Sorry, was a bit busy.
Anyway, it’s clean now.
You can install your stuff back. Also, if you use a lot of USB drives etc., I recommend you keep this installed:
http://www.davisr.com/cgi-bin/content/products/flashguard.htm
Take care mate
Hey, but now when I try to open your link, the browser is shut down. I tried to use both Firefox & IE, can’t go to such links (i.e. anti-virus, any PC scan link or setup also can’t run).
So what should I do to make my PC able to run such programs?
Dang. Must be some hosts file jargon happening in there
Download SmitFraudFix from this link
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Boot into safe mode. Run it. Press 2 to start cleaning. Answer yes if asked for a registry clean. It will reset your hosts file and a number of things to default. Also, I need the end SmitFraudFix log (rapport.txt) along with a new ComboFix log.
Hey, I have run your SmitFraudFix in Safe Mode, here is the log ~
SmitFraudFix v2.226
Scan done at 16:28:22.03, Sun 10/19/2008
Run from C:\Documents and Settings\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] – Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7C94B4D-4D3E-4463-8857-3357D4C82AF1}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A7C94B4D-4D3E-4463-8857-3357D4C82AF1}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A7C94B4D-4D3E-4463-8857-3357D4C82AF1}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A7C94B4D-4D3E-4463-8857-3357D4C82AF1}: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.58 202.156.1.78 218.186.1.38
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=””
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
And again I ran ComboFix in Normal Windows Mode. Here is the new log ~
ComboFix 08-10-18.03 – 2008-10-19 16:43:16.9 – NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1554 [GMT 8:00]
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
2008-10-19 16:43 . 2008-10-19 16:43 <DIR> d-------- C:\temp\WPDNSE
2008-10-19 16:28 . 2008-10-19 16:28 3,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-19 15:46 . 2008-10-19 16:02 <DIR> d-------- C:\temp\plugtmp-9
2008-10-19 11:20 . 2008-10-19 14:40 <DIR> d-------- C:\temp\plugtmp-8
2008-10-18 03:09 . 2008-10-18 03:09 <DIR> d-------- C:\temp\hsperfdata_
2008-10-17 22:04 . 2008-10-17 22:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-17 21:55 . 2008-10-16 12:17 <DIR> d-------- C:\SDFix
2008-10-17 20:38 . 2008-10-17 20:39 <DIR> d-------- C:\temp\Rar$ML00.219
2008-10-17 20:38 . 2008-10-19 16:34 <DIR> d-------- C:\temp\Acrobat Distiller 8
2008-10-17 20:31 . 2008-10-19 14:40 <DIR> d-------- C:\temp\wrstemp
2008-10-17 20:24 . 2008-10-17 22:20 <DIR> d-------- C:\temp\is-QF4EM.tmp
2008-10-17 19:58 . 2008-10-17 20:01 <DIR> d-------- C:\temp\plugtmp-7
2008-10-17 14:28 . 2008-10-17 14:42 <DIR> d-------- C:\temp\plugtmp-6
2008-10-16 21:07 . 2008-10-16 21:07 <DIR> d-------- C:\temp\msohtmlclip1
2008-10-16 21:07 . 2008-10-16 21:07 <DIR> d-------- C:\temp\msohtmlclip
2008-10-16 16:12 . 2008-10-17 01:02 <DIR> d-------- C:\temp\Google Talk
2008-10-15 19:24 . 2008-10-15 19:24 <DIR> d-------- C:\temp\VBE
2008-10-14 08:22 . 2008-10-14 08:22 <DIR> d-------- C:\temp\GUM9.tmp
2008-10-13 23:23 . 2008-10-13 23:23 <DIR> d-------- C:\temp\OIS
2008-10-13 22:33 . 2008-10-19 14:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-13 19:14 . 2008-10-13 19:14 <DIR> d-------- C:\Documents and Settings\Application Data\Malwarebytes
2008-10-13 19:13 . 2008-10-13 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 11:14 . 2008-10-13 20:44 <DIR> d-------- C:\temp\~nsu.tmp
2008-10-13 11:00 . 2008-10-13 19:55 <DIR> d-------- C:\temp\plugtmp-5
2008-10-13 01:48 . 2008-10-17 17:59 <DIR> d-------- C:\temp\plugtmp-4
2008-10-13 01:44 . 2008-10-19 14:40 <DIR> d-------- C:\temp\MessengerCache
2008-10-12 18:25 . 2008-10-13 00:14 <DIR> d-------- C:\temp\plugtmp-3
2008-10-12 18:03 . 2008-10-12 18:03 <DIR> d-------- C:\temp\Adobe
2008-10-12 16:03 . 2008-10-17 17:59 <DIR> d-------- C:\temp\RarSFX0
2008-10-12 13:13 . 2008-10-17 17:59 <DIR> d-------- C:\temp\plugtmp-2
2008-10-12 12:53 . 2008-10-17 17:59 <DIR> d-------- C:\temp\nsc23.tmp
2008-10-12 12:51 . 2008-10-17 17:59 <DIR> d-------- C:\temp\plugtmp-1
2008-10-12 12:45 . 2008-10-17 17:59 <DIR> d-------- C:\temp\nsnA5.tmp
2008-10-12 10:42 . 2008-10-17 17:59 <DIR> d-------- C:\temp\plugtmp
2008-10-11 20:18 . 2008-10-11 20:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-11 19:54 . 2008-10-11 19:54 <DIR> d-------- C:\Program Files\SmartClose
2008-10-11 19:32 . 2008-10-11 19:32 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-10-11 17:56 . 2008-10-11 17:56 <DIR> d-------- C:\WINDOWS\EffectResources
2008-10-11 17:56 . 2008-10-11 19:20 <DIR> d-------- C:\WINDOWS\CatRoot
2008-10-11 17:56 . 2008-10-11 17:56 <DIR> d-------- C:\Program Files\Vimicro
2008-10-11 17:56 . 2005-05-02 16:45 53,248 --a------ C:\WINDOWS\Sti303.exe
2008-10-11 17:56 . 2005-05-18 10:55 32,768 --a------ C:\WINDOWS\VMZoom.exe
2008-10-11 17:56 . 2005-05-18 10:54 24,576 --a------ C:\WINDOWS\VMPipe.dll
2008-10-11 15:15 . 2008-04-14 00:15 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-10-11 15:15 . 2008-04-14 00:15 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-10-08 00:00 . 2004-06-07 14:09 18,220 --a------ C:\WINDOWS\system32\drivers\UsbFltr.sys
2008-10-07 23:59 . 2008-10-08 00:00 <DIR> d-------- C:\Program Files\ViewMate Keyboard KC207
2008-09-23 20:44 . 2008-09-23 20:44 <DIR> d-------- C:\Program Files\Proxy Switcher Standard
2008-09-23 20:44 . 2008-09-23 20:44 <DIR> d-------- C:\Documents and Settings\Application Data\WNR
2008-09-21 20:30 . 2008-09-21 20:30 <DIR> d-------- C:\Documents and Settings\Application Data\FDRLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-19 08:32 --------- d-----w C:\Program Files\Nakido
2008-10-19 06:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 07:44 --------- d-----w C:\Program Files\Folder Lock
2008-10-12 05:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-11 12:05 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-10-11 09:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 20:22 --------- d-----w C:\Program Files\Nokia
2008-09-27 20:22 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-25 04:30 --------- d-----w C:\Program Files\speed-bit
2008-09-25 02:54 --------- d-----w C:\Program Files\Windows Live
2008-09-23 05:35 --------- d-----w C:\Documents and Settings\Application Data\U3
2008-09-17 23:45 --------- d-----w C:\Program Files\Boson Software
2008-09-17 23:38 --------- d-----w C:\Documents and Settings\Application Data\eBookPro6
2008-09-16 06:31 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-15 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 17:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-09-15 17:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-14 06:52 --------- d-----w C:\Program Files\SimpleCenter
2008-09-14 06:39 --------- d-----w C:\Program Files\RA
2008-09-14 05:15 --------- d-----w C:\Program Files\Yahoo!
2008-09-14 05:13 --------- d-----w C:\Program Files\Supertintin for Msn
2008-09-14 05:12 --------- d-----w C:\Program Files\USB Disk Security
2008-09-14 05:12 --------- d-----w C:\Program Files\Active WebCam
2008-09-13 20:48 --------- d-----w C:\Documents and Settings\Application Data\Media Player Classic
2008-09-13 02:43 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-12 05:37 --------- d-----w C:\Program Files\Password Protect USB
2008-09-12 05:35 --------- d-----w C:\Program Files\a-squared Free
2008-09-12 05:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-09-12 05:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-09-11 20:07 --------- d-----w C:\Documents and Settings\Application Data\dvdcss
2008-09-11 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-10 02:28 --------- d-----w C:\Program Files\iTunes
2008-09-10 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 02:27 --------- d-----w C:\Program Files\iPod
2008-09-10 02:22 --------- d-----w C:\Program Files\QuickTime
2008-09-07 16:33 --------- d-----w C:\Program Files\Stronghold Crusader
2008-09-06 16:35 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-09-03 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\PY_Software
2008-08-31 17:32 --------- d-----w C:\Program Files\APV
2008-08-30 06:32 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-30 06:30 --------- d-----w C:\Program Files\Alcohol Soft
2008-08-30 06:28 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-28 10:58 --------- d-----w C:\Program Files\Microsoft Games
2008-08-27 18:30 --------- d-----w C:\Program Files\SpeedBit Video Accelerator
2008-08-27 17:59 --------- d-----w C:\Program Files\DAP
2008-08-27 12:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-08-27 04:05 --------- d-----w C:\Program Files\directx
2008-08-23 10:29 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-08-21 19:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-21 19:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-21 19:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-21 19:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-21 19:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-21 19:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-21 19:05 48,640 ------w C:\WINDOWS\system32\PrivacIE.dll
2008-08-21 19:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-21 19:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-21 19:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-21 18:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-21 09:45 --------- d-----w C:\Program Files\Apple Software Update
2008-08-17 01:26 1,049,784 ------w C:\WINDOWS\wweb32.dll
2008-08-05 09:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-11 06:23 81,920 ----a-w C:\Documents and Settings\Application Data\ezpinst.exe
2008-02-29 16:33 7,655,024 ----a-w C:\Documents and Settings\d0zxs4q2.exe
2008-02-19 14:07 24,740 ----atw C:\Documents and Settings\SIntfNT.dll
2008-02-19 14:07 20,020 ----atw C:\Documents and Settings\SIntf32.dll
2008-02-19 14:07 12,305 ----atw C:\Documents and Settings\SIntf16.dll
2008-02-19 14:06 90,112 ----a-w C:\Documents and Settings\CmdLineExt03.dll
2008-02-18 16:14 1,563,232 ----atw C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
2008-02-07 15:19 65,536 ----a-w C:\Documents and Settings\drm_dialogs.dll
2008-02-07 15:19 212,992 ----a-w C:\Documents and Settings\drm_dyndata_7330014.dll
2007-12-31 05:56 86,016 ----a-w C:\Documents and Settings\cabex.dll
2007-02-27 14:08 456,416 ----a-r C:\Documents and Settings\_is14D3.exe
2007-02-27 14:08 456,416 ----a-r C:\Documents and Settings\_is14CB.exe
2007-02-12 06:37 150,632 ----a-w C:\Documents and Settings\AcDeltree.exe
2007-01-29 07:06 1,145,896 ----a-w C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
2007-01-09 07:09 1,636,376 ----a-w C:\Documents and Settings\ycomp_setup.exe
2002-01-10 18:10 10,240 ----a-w C:\Documents and Settings\uitools.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-19_14.42.50.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-19 03:05:35 2,444 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
+ 2008-10-19 08:23:26 3,662 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-07-11 11:14 806912 --a------ C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}”= “C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll” [2008-07-11 806912]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}”= “C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll” [2008-07-11 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@=”{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}”
[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-27 19:18 77824 --a------ C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@=”{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}”
[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-27 19:18 77824 --a------ C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@=”{39C2972F-3338-471B-8D67-FA82E46E3AC2}”
[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-27 19:18 77824 --a------ C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=”C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 15360]
“Google Update”=”C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” [2008-09-03 133104]
“msnmsgr”=”C:\Program Files\Windows Live\Messenger\msnmsgr.exe” [2007-10-18 5724184]
“Yahoo! Pager”=”C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” [2007-08-30 4670704]
“DownloadAccelerator”=”C:\Program Files\DAP\DAP.EXE” [2008-08-27 3057152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BigDog303”=”C:\WINDOWS\VM303_STI.EXE” [2005-10-25 61440]
“snpstd3”=”C:\WINDOWS\vsnpstd3.exe” [2006-09-20 827392]
“NvCplDaemon”=”C:\WINDOWS\system32\NvCpl.dll” [2006-10-22 7700480]
“nwiz”=”C:\WINDOWS\system32\nwiz.exe” [2006-10-22 1622016]
“gidle”=”C:\Program Files\gAlwaysIdle\gidle.exe” [2007-09-07 49152]
“Adobe Reader Speed Launcher”=”C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 39792]
“TkBellExe”=”C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-12-02 185896]
“~ Disallowed ~”=”C:\WINDOWS\system32\~ Disallowed ~.exe” [2008-02-08 135168]
“HotKeysCmds”=”C:\WINDOWS\system32\hkcmd.exe” [2008-02-08 159744]
“Persistence”=”C:\WINDOWS\system32\igfxpers.exe” [2008-02-08 131072]
“NSLauncher”=”C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe” [2007-09-07 3100672]
“IntelAudioStudio”=”C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe” [2006-06-07 9129984]
“QuickTime Task”=”C:\Program Files\QuickTime\QTTask.exe” [2008-09-06 413696]
“NvMediaCenter”=”C:\WINDOWS\system32\NvMcTray.dll” [2006-10-22 86016]
“Acrobat Assistant 8.0”=”D:\Acrobat\Acrotray.exe” [2008-01-11 623992]
“System64A”=”C:\WINDOWS\system32\System64A.exe” [2008-01-25 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“MySpaceIM”=”C:\Program Files\MySpace\IM\MySpaceIM.exe” [2008-02-02 8699904]
C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Media Key.lnk – C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe [2008-10-07 159744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-26 11:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^VP-EYE.lnk]
path=C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\VP-EYE.lnk
backup=C:\WINDOWS\pss\VP-EYE.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb Pro.lnk]
path=C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\WordWeb Pro.lnk
backup=C:\WINDOWS\pss\WordWeb Pro.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APV]
–a—— 2008-06-27 16:09 192512 C:\Program Files\APV\autostart_and_process_viewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
–a—— 2008-02-27 11:19 3551456 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
–a—— 2007-12-24 21:35 471040 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
–a—— 2008-08-27 20:07 3057152 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
–a—-t- 2008-09-03 15:43 133104 C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
–a—— 2007-01-02 05:34 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
–a—— 2006-06-07 17:11 9129984 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
–a—— 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
——— 2008-04-14 08:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
–a—— 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
–a—— 2008-02-02 04:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
–a—— 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
–a—— 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
–a—— 2008-04-04 10:44 139264 C:\Documents and Settings\Kyiminthan\Desktop\Set up(s)\New\CPE17AntiAutorun1330.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
–a—— 2007-01-18 00:44 1302528 C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
–a—— 2007-04-15 14:31 1291264 C:\Program Files\Rainlendar2\Rainlendar2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedBitVideoAccelerator]
–a—— 2008-08-27 20:10 2705008 C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
——— 2008-01-28 11:43 2097488 C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtect]
–a—— 2008-03-05 23:09 1223680 C:\Program Files\System Protect\SysProtect_Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZOchat]
–a—— 2008-10-10 19:34 1928704 C:\PROGRA~1\Visicron\VZOchat\VZOchat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon]
–a—— 2008-02-27 19:21 253952 C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
–a—— 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“a2free”=2 (0x2)
“ALG”=3 (0x3)
“avast! Web Scanner”=3 (0x3)
“avast! Mail Scanner”=3 (0x3)
“avast! Antivirus”=2 (0x2)
“aswUpdSv”=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nakido\\nakido.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"C:\\Program Files\\Visicron\\VZOchat\\VZOchat.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2003-03-27 11776]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2004-06-07 18220]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-06 46112]
R2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-08-27 35584]
R2 SP_Service;System Protect Deletion Prevention Service;C:\Program Files\System Protect\SysProtect_srv.exe [2008-03-05 598528]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-27 292472]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2008-04-14 4992]
R3 sp_prot;System Protect Filter Driver;C:\WINDOWS\system32\drivers\sp_prot.sys [2008-03-05 12288]
R3 tenCapture;tenCapture;C:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-07 355584]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [ ]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2008-03-07 23040]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46116219-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e039-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
\Shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
\Shell\AutoRun\command - 1ce.cmd
\Shell\explore\Command - 1ce.cmd
\Shell\open\Command - 1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
\Shell\AutoRun\command - H:\1ce.cmd
\Shell\explore\Command - H:\1ce.cmd
\Shell\open\Command - H:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4efe450-cbb6-11dc-aa14-001676d671aa}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1c-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1e-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
\Shell\AutoRun\command - THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
\Shell\1\Command - F:\syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
.
Contents of the ‘Scheduled Tasks’ folder
2008-10-19 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 15:43]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\yco8kbj6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Documents and Settings\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 16:46:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
-> C:\Program Files\gAlwaysIdle\gidle.dll
.
Completion time: 2008-10-19 16:49:08
ComboFix-quarantined-files.txt 2008-10-19 08:49:02
ComboFix2.txt 2008-10-19 07:21:03
Pre-Run: 2,286,718,976 bytes free
Post-Run: 2,270,416,896 bytes free
426  --- E O F --- 2008-09-10 10:49:23
But it seems like the problem hasn't been solved yet. Here is how I tested it: I opened Google.com and typed "anti virus", clicked search, and it closed suddenly.
But if I type anything else not related to antivirus or any malware or spyware, it allows the search. So what should I do, dude?
Now this is a dilemma. SmitFraudFix is actually supposed to remove it.
The funny thing is that there is no difference between that last ComboFix log and the first log. It means the virus is regenerating itself somehow.
Follow these instructions again
http://www.google.com?p=12665714#12665714
If this doesn't work, we'll have to resort to the last method (OTMoveIt).
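The helper's point above, that the latest ComboFix log matches the first one, is a comparison worth scripting rather than eyeballing, because the same three patterns recur in the logs in this thread: mountpoints2 entries whose AutoRun, open and explore verbs all run F:\1ce.cmd from a removable drive, a service (F0F92E57) whose binary has no file stamp, and System64A.exe and LogSys.exe sharing one date and size. The block below is an added example written for this edit; it is not code from the thread, from ComboFix or from the helper. The heuristics are the editor's own, and the BEFORE/AFTER excerpts are constructed, copying only the entry shapes seen in the logs above (it accepts both the plain " - " separator ComboFix writes and the en dash the forum rendered).

```python
"""Triage heuristics for ComboFix-style logs.

Added example: the editor's code, not part of the thread and not ComboFix's
own logic. The heuristics are assumptions and flag the three patterns visible
in the logs above: mountpoints2 autorun verbs hijacked by a script on a
removable drive, a service whose binary has no file stamp (missing on disk),
and one binary registered under two names (same date and size).
"""
import re

# Constructed excerpt that mirrors the shapes of entries in the thread's logs.
BEFORE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"System64A"="C:\WINDOWS\system32\System64A.exe" [2008-01-25 15872]
C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
R2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4efe450-cbb6-11dc-aa14-001676d671aa}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
'''
# The same excerpt after a "cleanup" that only dropped the orphaned service.
AFTER = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("S4 "))

MP_KEY = re.compile(r"\\mountpoints2\\([^\]]+)\]$", re.I)
MP_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+[-\u2013]\s+(.+)$", re.I)  # "-" or en dash
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s*\[\s*([^\]]*?)\s*\]$")
STAMP = re.compile(r'^(?:"[^"]+"=")?"?(.+?)"?\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".pif", ".scr")


def audit(log):
    """Return sorted (kind, subject, reason) findings for one log excerpt."""
    findings = set()
    mountpoints = {}   # mountpoints2 key -> {verb: command}
    by_stamp = {}      # (date, size) -> basenames that share both
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if km := MP_KEY.search(line):
            current = km.group(1)
            mountpoints.setdefault(current, {})
            continue
        if current and (cm := MP_CMD.match(line)):
            mountpoints[current][cm.group(1).lower()] = cm.group(2).strip()
            continue
        current = None
        if sm := SERVICE.match(line):
            name, path, stamp = sm.groups()
            if not stamp:   # "[ ]": ComboFix found no file behind the service
                findings.add(("service", name, "no file stamp, binary missing: " + path))
        if st := STAMP.match(line):
            path, date, size = st.groups()
            by_stamp.setdefault((date, size), set()).add(path.rsplit("\\", 1)[-1].lower())

    for key, verbs in mountpoints.items():
        if {"open", "explore"} & set(verbs):
            hijack = verbs.get("open") or verbs.get("explore")
            findings.add(("autorun", key, "open/explore overridden, double-click runs " + hijack))
        for cmd in set(verbs.values()):
            target = re.sub(r"\s+-\S+$", "", cmd)   # drop a trailing switch such as "-a"
            if target.lower().endswith(SCRIPT_EXT):
                findings.add(("autorun", key, "autorun launches a script: " + target))
            elif not re.match(r"^[A-Za-z]:\\", target):
                findings.add(("autorun", key, "autorun command has no drive path: " + target))
    for (date, size), names in by_stamp.items():
        if len(names) > 1:   # one binary planted under several names, as with LogSys/System64A
            findings.add(("duplicate", f"{date} {size}", "same date and size: " + ", ".join(sorted(names))))
    return sorted(findings)


def compare(before, after):
    """Split findings into those that survived a cleanup, were removed, or are new."""
    a, b = set(audit(before)), set(audit(after))
    return {"persisted": sorted(a & b), "removed": sorted(a - b), "new": sorted(b - a)}


if __name__ == "__main__":
    for bucket, items in compare(BEFORE, AFTER).items():
        print(bucket)
        for kind, subject, reason in items:
            print(f"  [{kind}] {subject}: {reason}")
```

Run it against two full logs pasted into BEFORE and AFTER and the "persisted" bucket is the list the helper was reading off by eye: anything still there after a ComboFix run is either protected by a driver, re-dropped by a second component (the autorun entries point at the usual source, an infected flash drive that reinfects on the next insert), or was never on the removal list. The matching on date and size is deliberately loose; treat it as a pointer to compare hashes, not as proof that two files are the same binary.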
Sorry I was late to post, dude.
I've done what you said in those steps and I got the new log here:
ComboFix 08-10-18.03 – 2008-10-19 18:00:45.11 – NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1480 [GMT 8:00]
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.exe
C:\sccfg.sys
C:\WINDOWS\system32\1746D986.EXE
C:\WINDOWS\system32\System64A.exe
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\System64A.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\System64A.exe
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
2008-10-19 18:01 . 2008-10-19 18:01  <DIR>  d--------  C:\temp\WPDNSE
2008-10-19 15:46 . 2008-10-19 16:02  <DIR>  d--------  C:\temp\plugtmp-9
2008-10-19 11:20 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\plugtmp-8
2008-10-18 03:09 . 2008-10-18 03:09  <DIR>  d--------  C:\temp\hsperfdata_
2008-10-17 22:04 . 2008-10-17 22:04  <DIR>  d--------  C:\WINDOWS\ERUNT
2008-10-17 21:55 . 2008-10-16 12:17  <DIR>  d--------  C:\SDFix
2008-10-17 20:38 . 2008-10-17 20:39  <DIR>  d--------  C:\temp\Rar$ML00.219
2008-10-17 20:38 . 2008-10-19 17:51  <DIR>  d--------  C:\temp\Acrobat Distiller 8
2008-10-17 20:31 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\wrstemp
2008-10-17 20:24 . 2008-10-17 22:20  <DIR>  d--------  C:\temp\is-QF4EM.tmp
2008-10-17 19:58 . 2008-10-17 20:01  <DIR>  d--------  C:\temp\plugtmp-7
2008-10-17 14:28 . 2008-10-17 14:42  <DIR>  d--------  C:\temp\plugtmp-6
2008-10-16 21:07 . 2008-10-16 21:07  <DIR>  d--------  C:\temp\msohtmlclip1
2008-10-16 21:07 . 2008-10-16 21:07  <DIR>  d--------  C:\temp\msohtmlclip
2008-10-16 16:12 . 2008-10-17 01:02  <DIR>  d--------  C:\temp\Google Talk
2008-10-15 19:24 . 2008-10-15 19:24  <DIR>  d--------  C:\temp\VBE
2008-10-14 08:22 . 2008-10-14 08:22  <DIR>  d--------  C:\temp\GUM9.tmp
2008-10-13 23:23 . 2008-10-13 23:23  <DIR>  d--------  C:\temp\OIS
2008-10-13 22:33 . 2008-10-19 14:01  <DIR>  d--------  C:\Program Files\Spybot - Search & Destroy
2008-10-13 19:14 . 2008-10-13 19:14  <DIR>  d--------  C:\Documents and Settings\Application Data\Malwarebytes
2008-10-13 19:13 . 2008-10-13 19:13  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 11:14 . 2008-10-13 20:44  <DIR>  d--------  C:\temp\~nsu.tmp
2008-10-13 11:00 . 2008-10-13 19:55  <DIR>  d--------  C:\temp\plugtmp-5
2008-10-13 01:48 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-4
2008-10-13 01:44 . 2008-10-19 14:40  <DIR>  d--------  C:\temp\MessengerCache
2008-10-12 18:25 . 2008-10-13 00:14  <DIR>  d--------  C:\temp\plugtmp-3
2008-10-12 18:03 . 2008-10-12 18:03  <DIR>  d--------  C:\temp\Adobe
2008-10-12 16:03 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\RarSFX0
2008-10-12 13:13 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-2
2008-10-12 12:53 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\nsc23.tmp
2008-10-12 12:51 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp-1
2008-10-12 12:45 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\nsnA5.tmp
2008-10-12 10:42 . 2008-10-17 17:59  <DIR>  d--------  C:\temp\plugtmp
2008-10-11 20:18 . 2008-10-11 20:18  <DIR>  d--------  C:\Program Files\Trend Micro
2008-10-11 19:54 . 2008-10-11 19:54  <DIR>  d--------  C:\Program Files\SmartClose
2008-10-11 19:32 . 2008-10-11 19:32  23,600  --a------  C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-10-11 17:56 . 2008-10-11 17:56  <DIR>  d--------  C:\WINDOWS\EffectResources
2008-10-11 17:56 . 2008-10-11 19:20  <DIR>  d--------  C:\WINDOWS\CatRoot
2008-10-11 17:56 . 2008-10-11 17:56  <DIR>  d--------  C:\Program Files\Vimicro
2008-10-11 17:56 . 2005-05-02 16:45  53,248  --a------  C:\WINDOWS\Sti303.exe
2008-10-11 17:56 . 2005-05-18 10:55  32,768  --a------  C:\WINDOWS\VMZoom.exe
2008-10-11 17:56 . 2005-05-18 10:54  24,576  --a------  C:\WINDOWS\VMPipe.dll
2008-10-11 15:15 . 2008-04-14 00:15  60,032  --a------  C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-10-11 15:15 . 2008-04-14 00:15  60,032  --a--c---  C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-10-08 00:00 . 2004-06-07 14:09  18,220  --a------  C:\WINDOWS\system32\drivers\UsbFltr.sys
2008-10-07 23:59 . 2008-10-08 00:00  <DIR>  d--------  C:\Program Files\ViewMate Keyboard KC207
2008-09-23 20:44 . 2008-09-23 20:44  <DIR>  d--------  C:\Program Files\Proxy Switcher Standard
2008-09-23 20:44 . 2008-09-23 20:44  <DIR>  d--------  C:\Documents and Settings\Application Data\WNR
2008-09-21 20:30 . 2008-09-21 20:30  <DIR>  d--------  C:\Documents and Settings\Application Data\FDRLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 09:51  ---------  d---a-w  C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-19 09:51  ---------  d-----w  C:\Program Files\Nakido
2008-10-19 06:01  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 07:44  ---------  d-----w  C:\Program Files\Folder Lock
2008-10-12 05:52  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-10-11 12:05  ---------  d-----w  C:\Program Files\Common Files\AVSMedia
2008-10-11 09:56  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-09-27 20:22  ---------  d-----w  C:\Program Files\Nokia
2008-09-27 20:22  ---------  d-----w  C:\Program Files\Common Files\Nokia
2008-09-25 04:30  ---------  d-----w  C:\Program Files\speed-bit
2008-09-25 02:54  ---------  d-----w  C:\Program Files\Windows Live
2008-09-23 05:35  ---------  d-----w  C:\Documents and Settings\Application Data\U3
2008-09-17 23:45  ---------  d-----w  C:\Program Files\Boson Software
2008-09-17 23:38  ---------  d-----w  C:\Documents and Settings\Application Data\eBookPro6
2008-09-16 06:31  ---------  d-----w  C:\Program Files\TuneUp Utilities 2008
2008-09-15 17:19  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 17:16  ---------  d-----w  C:\Program Files\Common Files\Macrovision Shared
2008-09-15 17:06  ---------  d-----w  C:\Program Files\Common Files\Adobe
2008-09-14 06:52  ---------  d-----w  C:\Program Files\SimpleCenter
2008-09-14 06:39  ---------  d-----w  C:\Program Files\RA
2008-09-14 05:15  ---------  d-----w  C:\Program Files\Yahoo!
2008-09-14 05:13  ---------  d-----w  C:\Program Files\Supertintin for Msn
2008-09-14 05:12  ---------  d-----w  C:\Program Files\USB Disk Security
2008-09-14 05:12  ---------  d-----w  C:\Program Files\Active WebCam
2008-09-13 20:48  ---------  d-----w  C:\Documents and Settings\Application Data\Media Player Classic
2008-09-13 02:43  ---------  d-----w  C:\Program Files\Common Files\Apple
2008-09-12 05:37  ---------  d-----w  C:\Program Files\Password Protect USB
2008-09-12 05:35  ---------  d-----w  C:\Program Files\a-squared Free
2008-09-12 05:21  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-09-12 05:21  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\Nokia
2008-09-11 20:07  ---------  d-----w  C:\Documents and Settings\Application Data\dvdcss
2008-09-11 07:04  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-10 02:28  ---------  d-----w  C:\Program Files\iTunes
2008-09-10 02:28  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-10 02:27  ---------  d-----w  C:\Program Files\iPod
2008-09-10 02:22  ---------  d-----w  C:\Program Files\QuickTime
2008-09-07 16:33  ---------  d-----w  C:\Program Files\Stronghold Crusader
2008-09-06 16:33  720,896  ----a-w  C:\WINDOWS\iun6002.exe
2008-09-03 10:53  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\PY_Software
2008-08-31 17:32  ---------  d-----w  C:\Program Files\APV
2008-08-30 06:32  43,520  ----a-w  C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-30 06:30  ---------  d-----w  C:\Program Files\Alcohol Soft
2008-08-30 06:28  716,272  ----a-w  C:\WINDOWS\system32\drivers\sptd.sys
2008-08-28 10:58  ---------  d-----w  C:\Program Files\Microsoft Games
2008-08-27 18:30  ---------  d-----w  C:\Program Files\SpeedBit Video Accelerator
2008-08-27 17:59  ---------  d-----w  C:\Program Files\DAP
2008-08-27 12:07  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\SpeedBit
2008-08-27 04:05  ---------  d-----w  C:\Program Files\directx
2008-08-23 10:29  ---------  d-----w  C:\Program Files\Common Files\MainConcept
2008-08-21 19:08  878,592  ----a-w  C:\WINDOWS\system32\wininet.dll
2008-08-21 19:08  43,008  ----a-w  C:\WINDOWS\system32\licmgr10.dll
2008-08-21 19:07  18,944  ----a-w  C:\WINDOWS\system32\corpol.dll
2008-08-21 19:06  72,704  ----a-w  C:\WINDOWS\system32\admparse.dll
2008-08-21 19:06  71,680  ----a-w  C:\WINDOWS\system32\iesetup.dll
2008-08-21 19:06  434,176  ----a-w  C:\WINDOWS\system32\vbscript.dll
2008-08-21 19:05  48,640  ------w  C:\WINDOWS\system32\PrivacIE.dll
2008-08-21 19:05  48,128  ----a-w  C:\WINDOWS\system32\mshtmler.dll
2008-08-21 19:05  35,840  ----a-w  C:\WINDOWS\system32\imgutil.dll
2008-08-21 19:04  45,568  ----a-w  C:\WINDOWS\system32\mshta.exe
2008-08-21 18:57  156,160  ----a-w  C:\WINDOWS\system32\msls31.dll
2008-08-21 09:45  ---------  d-----w  C:\Program Files\Apple Software Update
2008-08-17 01:26  1,049,784  ------w  C:\WINDOWS\wweb32.dll
2008-08-05 09:55  265,720  ----a-w  C:\WINDOWS\system32\msdbg2.dll
2008-07-11 06:23  81,920  ----a-w  C:\Documents and Settings\Application Data\ezpinst.exe
2008-02-29 16:33  7,655,024  ----a-w  C:\Documents and Settings\d0zxs4q2.exe
2008-02-19 14:07  24,740  ----atw  C:\Documents and Settings\SIntfNT.dll
2008-02-19 14:07  20,020  ----atw  C:\Documents and Settings\SIntf32.dll
2008-02-19 14:07  12,305  ----atw  C:\Documents and Settings\SIntf16.dll
2008-02-19 14:06  90,112  ----a-w  C:\Documents and Settings\CmdLineExt03.dll
2008-02-18 16:14  1,563,232  ----atw  C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
2008-02-07 15:19  65,536  ----a-w  C:\Documents and Settings\drm_dialogs.dll
2008-02-07 15:19  212,992  ----a-w  C:\Documents and Settings\drm_dyndata_7330014.dll
2007-12-31 05:56  86,016  ----a-w  C:\Documents and Settings\cabex.dll
2007-02-27 14:08  456,416  ----a-r  C:\Documents and Settings\_is14D3.exe
2007-02-27 14:08  456,416  ----a-r  C:\Documents and Settings\_is14CB.exe
2007-02-12 06:37  150,632  ----a-w  C:\Documents and Settings\AcDeltree.exe
2007-01-29 07:06  1,145,896  ----a-w  C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
2007-01-09 07:09  1,636,376  ----a-w  C:\Documents and Settings\ycomp_setup.exe
2002-01-10 18:10  10,240  ----a-w  C:\Documents and Settings\uitools.dll
.
((((((((((((((((((((((((((((( snapshot@2008-10-19_14.42.50.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-19 03:05:35  2,444  ----a-w  C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
+ 2008-10-19 08:23:26  4,880  ----a-w  C:\WINDOWS\SoftwareDistribution\EventCache\{2458EBB5-91E2-40D0-BB56-EC4D35B8AE9C}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-07-11 11:14  806912  --a------  C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-07-11 806912]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-07-11 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@="{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}"
[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@="{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}"
[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@="{39C2972F-3338-471B-8D67-FA82E46E3AC2}"
[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-27 19:18  77824  --a------  C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.EXE" [2008-08-27 3057152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [2005-10-25 61440]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-20 827392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2006-10-22 1622016]
"gidle"="C:\Program Files\gAlwaysIdle\gidle.exe" [2007-09-07 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-02 185896]
"~ Disallowed ~"="C:\WINDOWS\system32\~ Disallowed ~.exe" [2008-02-08 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-08 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-08 131072]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"Acrobat Assistant 8.0"="D:\Acrobat\Acrotray.exe" [2008-01-11 623992]
"System64A"="C:\WINDOWS\system32\System64A.exe" [2008-01-25 15872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-02 8699904]
C:\Documents and Settings\Kyiminthan\Start Menu\Programs\Startup\
LogSys.exe [2008-01-25 15872]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Media Key.lnk – C:\Program Files\ViewMate Keyboard KC207\MagicKey.exe [2008-10-07 159744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-26 11:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^VP-EYE.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\VP-EYE.lnk
backup=C:\WINDOWS\pss\VP-EYE.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb Pro.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb Pro.lnk
backup=C:\WINDOWS\pss\WordWeb Pro.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APV]
--a------ 2008-06-27 16:09 192512 C:\Program Files\APV\autostart_and_process_viewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2008-02-27 11:19 3551456 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2007-12-24 21:35 471040 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-08-27 20:07 3057152 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 15:43 133104 C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 05:34 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2006-06-07 17:11 9129984 C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-08 23:02 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 08:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-02 04:32 8699904 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\protect_autorun]
--a------ 2008-04-04 10:44 139264 C:\Documents and Settings\Desktop\Set up(s)\New\CPE17AntiAutorun1330.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]
--a------ 2007-01-18 00:44 1302528 C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
--a------ 2007-04-15 14:31 1291264 C:\Program Files\Rainlendar2\Rainlendar2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedBitVideoAccelerator]
--a------ 2008-08-27 20:10 2705008 C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtect]
--a------ 2008-03-05 23:09 1223680 C:\Program Files\System Protect\SysProtect_Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VZOchat]
--a------ 2008-10-10 19:34 1928704 C:\PROGRA~1\Visicron\VZOchat\VZOchat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon]
--a------ 2008-02-27 19:21 253952 C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"a2free"=2 (0x2)
"ALG"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nakido\\nakido.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"C:\\Program Files\\Visicron\\VZOchat\\VZOchat.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2003-03-27 11776]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2004-06-07 18220]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-06 46112]
R2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe [2008-09-19 320000]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2008-08-27 35584]
R2 SP_Service;System Protect Deletion Prevention Service;C:\Program Files\System Protect\SysProtect_srv.exe [2008-03-05 598528]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe [2008-08-27 292472]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2008-04-14 4992]
R3 sp_prot;System Protect Filter Driver;C:\WINDOWS\system32\drivers\sp_prot.sys [2008-03-05 12288]
R3 tenCapture;tenCapture;C:\WINDOWS\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-07-07 355584]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [ ]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2008-03-07 23040]
S4 F0F92E57;F0F92E57;C:\WINDOWS\system32\1746D986.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command – H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
\Shell\AutoRun\command – F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46116219-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e039-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
\Shell\AutoRun\command – setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
\Shell\AutoRun\command – F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
\Shell\AutoRun\command – 1ce.cmd
\Shell\explore\Command – 1ce.cmd
\Shell\open\Command – 1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
\Shell\AutoRun\command – H:\1ce.cmd
\Shell\explore\Command – H:\1ce.cmd
\Shell\open\Command – H:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
\Shell\AutoRun\command – F:\1ce.cmd
\Shell\explore\Command – F:\1ce.cmd
\Shell\open\Command – F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4efe450-cbb6-11dc-aa14-001676d671aa}]
\Shell\AutoRun\command – G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1c-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1e-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
\Shell\AutoRun\command – THE FLASH.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
\Shell\1\Command – F:\syssetup.exe
\Shell\AutoRun\command – C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
.
Contents of the ‘Scheduled Tasks’ folder
2008-10-19 C:\WINDOWS\Tasks\1-Click Maintenance.job
– C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
– C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
– C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 15:43]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 18:04:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2008-10-19 18:06:22
ComboFix-quarantined-files.txt 2008-10-19 10:06:18
ComboFix2.txt 2008-10-19 07:21:03
Pre-Run: 2,210,979,840 bytes free
Post-Run: 2,194,071,552 bytes free
430— E O F —2008-09-10 10:49:23
So, how is it now?
This is just frustrating. That one file is refusing to get deleted. See if SUPERAntiSpyware can do something about it.
Download it from this forum. Do a quick scan with it in Safe Mode. There's some copy of the file somewhere that's copying itself to the System32 dir. Hopefully SAS can find it.
You probably picked up something very bad. Try to download some bootable antivirus and try to run it... after it cleans your PC, boot into Windows and give us a report on whether that helped you.
Hey Dudes,
The problem is I can't download such anti-virus or any other -wares, malware or spyware;
I can't even go into that site. When I try to go into those sites, the browser is auto closed.
I got some anti-virus setup, but it's not allowed; the setup also shuts down LOL, so how can I get past such things?
Download from Rapidshare?
Link to latest version
http://~ Dead file host ~/files/142715723/SUPERAntiSpyware.Pro.v4.21.1004.Final.Incl.Keygen.and.Patch-NGEN.rar
Sorry Dude,
I don't have a Rapid account.
How about uploading to Zshare or Mediafire?
Here you go
http://www.mediafire.com/file/mwzhyminddn/SuperAntiSpyware.Pro.v4.21.0.1004.rar
Hello ^|^.
Think I found the problem.
This from CF log.
C:\Documents and Settings\Start Menu\Programs\Startup\
LogSys.exe
See here.
http://www.sophos.com/security/analyses/viruses-and-spyware/w32smita.html
(Yeah, SFF should have taken it down, but it didn't)
====
Hello .
Now open a new notepad file.
Input this into the notepad file:
File::
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\SIntfNT.dll
C:\Documents and Settings\SIntf32.dll
C:\Documents and Settings\SIntf16.dll
C:\Documents and Settings\CmdLineExt03.dll
C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\AcDeltree.exe
C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
C:\Documents and Settings\ycomp_setup.exe
C:\Documents and Settings\uitools.dll
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys
F:\1ce.cmd
F:\syssetup.exe
H:\1ce.cmd
Driver::
F0F92E57
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
C:\Documents and Settings\SIntfNT.dll
C:\Documents and Settings\SIntf32.dll
C:\Documents and Settings\SIntf16.dll
C:\Documents and Settings\CmdLineExt03.dll
I thought these files were for SecureROM. Well anyway I guess you know better
Thank Dudes
Yap, again I tried to download the link that you provided above on Mediafire, and my browser shut down, so I have to restart the PC. Now I will try to do what you said first; I'll let you guys know later on.
Dunno about SecureROM, I couldn’t find anything on Google if I search the entire life location, but entering the file alone, it shows as a trojan.
Hey Dudes
I have tried what you said: copy & paste that CFScript.txt over to ComboFix.exe & run.
But it took a long time & hung. I have tried 3 times & restarted the PC now, but it seems like the problem hasn't been solved yet.
And I didn't get any log file.
So how?
And about the Mediafire link you gave, when I try to open that link the browser shuts down; could you please change the name of that .exe?
Okay, we’ll use OTMoveIt.
Please download the OTMoveIt by OldTimer from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\SIntfNT.dll
C:\Documents and Settings\SIntf32.dll
C:\Documents and Settings\SIntf16.dll
C:\Documents and Settings\CmdLineExt03.dll
C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\AcDeltree.exe
C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe
C:\Documents and Settings\ycomp_setup.exe
C:\Documents and Settings\uitools.dll
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys
C:\WINDOWS\system32\System64A.exe
F:\1ce.cmd
F:\syssetup.exe
H:\1ce.cmd
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===
- Now open a new notepad file.
- Input this into the notepad file:
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4728e081-5c1f-11dc-a98b-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597eae32-5fde-11dc-a98d-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603b7856-81b1-11dd-acc9-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61031e97-6056-11dd-ac58-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{661ad066-7656-11dd-ac9f-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e3be63-3acf-11dd-ab7c-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f3acc6-9d83-11dc-a9e0-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85412080-5ac4-11dc-a97f-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149ce56-2a43-11dd-ab40-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b37f420b-304b-11dd-ab4a-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca88c492-ed36-11dc-aaa6-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1d-5e15-11dd-ac41-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db807b1f-5e15-11dd-ac41-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eba683cd-30c9-11dd-ab4c-001676d671aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
- Save this as fix.reg, save it to your desktop.
- Double click fix.reg to run it.
- Select yes to the registry merge prompt.
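The helpers above worked through the MountPoints2 keys by hand. As an added example (not code from this thread or from any of the tools it mentions), the Python script below parses the MountPoints2 section of a ComboFix log in the layout shown earlier, applies a few triage heuristics of my own (a script file as the autorun target, the Explorer open/explore verbs hijacked, a launch routed through RunDLL32 ShellExec_RunDLL, or a target given without a drive letter), and renders the same `[-KEY]` style .reg deletion file the helper posted. The sample log is constructed from four of the keys in the log above; the heuristics are assumptions, so a key the script does not flag (F:\Autorun.exe here, which the helper still removed) is not thereby clean.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout ComboFix uses for MountPoints2 entries,
# taken from four of the keys in the log above (the other keys follow the same pattern).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21191b38-765d-11dd-aca1-001676d671aa}]
\Shell\AutoRun\command - F:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46116219-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4611621b-07f7-11dd-aaec-001676d671aa}]
\Shell\AutoRun\command - F:\1ce.cmd
\Shell\explore\Command - F:\1ce.cmd
\Shell\open\Command - F:\1ce.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0bbc194-7ea5-11dc-a9cc-001676d671aa}]
\Shell\1\Command - F:\syssetup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL syssetup.exe
"""

# A key header line: [HKEY_CURRENT_USER\...\mountpoints2\{guid-or-drive}]
KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\[^\]]*mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# A verb line: \Shell\<verb>\command - <target>. Forum software often turns the
# hyphen into an en dash, so both separators are accepted.
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+[-\u2013]\s+(.+)$", re.IGNORECASE)
# Script-type extensions that should never be an autorun target on a data drive.
SCRIPT_RE = re.compile(r"\.(cmd|bat|vbs|js|wsf|pif|scr)(\s|$)", re.IGNORECASE)
# Targets given with a drive letter; anything else resolves against the mounted volume.
ABS_RE = re.compile(r"^[A-Za-z]:\\")


def parse_mountpoints(text):
    """Return {registry_key: [(verb, command), ...]} in log order."""
    entries = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1).lower(), m.group(2).strip()))
    return entries


def assess_key(commands):
    """Return the reasons one key looks like an autorun-worm entry (empty list = no heuristic hit)."""
    reasons = []
    verbs = {verb for verb, _ in commands}
    if verbs & {"open", "explore"}:
        reasons.append("open/explore verbs hijacked: opening the drive in Explorer runs the target")
    for verb, cmd in commands:
        if SCRIPT_RE.search(cmd):
            reasons.append(f"{verb}: script file launched from removable media ({cmd})")
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: indirect launch through RunDLL32 ShellExec_RunDLL ({cmd})")
        elif not ABS_RE.match(cmd):
            reasons.append(f"{verb}: relative target, resolved against the mounted volume ({cmd})")
    return reasons


def find_suspicious(entries):
    """Map each flagged key to its list of reasons."""
    flagged = OrderedDict()
    for key, commands in entries.items():
        reasons = assess_key(commands)
        if reasons:
            flagged[key] = reasons
    return flagged


def build_removal_reg(keys):
    """Render a regedit file that deletes the given keys, in the [-KEY] form used in the fix above."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines.extend(f"[-{key}]" for key in keys)
    return "\r\n".join(lines) + "\r\n"  # regedit expects CRLF line endings


if __name__ == "__main__":
    entries = parse_mountpoints(SAMPLE_LOG)
    flagged = find_suspicious(entries)
    for key, reasons in flagged.items():
        print(key.rsplit("\\", 1)[-1])
        for reason in reasons:
            print("   ", reason)
    print(build_removal_reg(flagged))
```

Run against the full log section the script would print each flagged key with its reasons and the .reg text to save and merge; review the flagged list before merging, since deleting a MountPoints2 key only removes Explorer's cached autorun handler for that volume and does not touch the file on the USB stick itself.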
I think you missed C:\WINDOWS\system32\System64A.exe
Better put that in there
Edited it in. Thank you.
OK dude , here is the OTMoveIt Results file.
And I have already run the fix.reg you gave.
File~ Folders are not allowed ~ not found.
File~ Folders are not allowed ~ C:\Documents and Settings\Application Data\ezpinst.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\d0zxs4q2.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\SIntfNT.dll not found.
File~ Folders are not allowed ~ C:\Documents and Settings\SIntf32.dll not found.
File~ Folders are not allowed ~ C:\Documents and Settings\SIntf16.dll not found.
File~ Folders are not allowed ~ C:\Documents and Settings\CmdLineExt03.dll not found.
File~ Folders are not allowed ~ C:\Documents and Settings\ytb_7.1.1.0_1.4.1_pub_us_setup_.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\_is14D3.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\_is14CB.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\AcDeltree.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\GoogleToolbarInstaller_SPDx_en_signed.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\ycomp_setup.exe not found.
File~ Folders are not allowed ~ C:\Documents and Settings\uitools.dll not found.
File~ Folders are not allowed ~ C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys not found.
C:\WINDOWS\system32\System64A.exe moved successfully.
File~ Folders are not allowed ~ F:\1ce.cmd not found.
File~ Folders are not allowed ~ F:\syssetup.exe not found.
File~ Folders are not allowed ~ H:\1ce.cmd not found.
OTMoveIt2 by OldTimer – Version 1.0.4.3 log created on 10202008_005553
Hey Dudes, it's the latest with the one 64A in it, so how about now?
None were found? o.o
Ah well, probably not present anymore. But make sure this file isn’t present, follow the path and let me know if OTMoveIt went wrong somewhere.
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sysp <– delete if present.
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sysp <– delete if present. >> I found that folder. It's only 16KB, but not allowed to be deleted. "Error Deleting File or Folder", it said, so??
See if Killbox can nuke it.
http://killbox.net/downloads/KillBox.exe
Paste the entire path into it
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys
Press the Red X to kill it.
Yap, already deleted that Logsys.exe by using KillBox.exe.
But it seems like the problem still remains, Dudes.
Is the file still there? Check with Windows explorer. You might want to check for all of these files here. If any of them exists kill them one by one.
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\SIntfNT.dll
C:\Documents and Settings\SIntf32.dll
C:\Documents and Settings\SIntf16.dll
C:\Documents and Settings\CmdLineExt03.dll
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys
C:\WINDOWS\system32\System64A.exe
OK, thanks Dudes.
I have installed the ssisetup.exe & run it,
but it stops halfway; I have tried 3 times. Here is what happens, on imageVenue ~
http://img221.imagevenue.com/img.php?image=36848_2008-10-20_012227_122_422lo.jpg
Have you tried killing the files yet?
C:\Documents and Settings\Application Data\ezpinst.exe
C:\Documents and Settings\d0zxs4q2.exe
C:\Documents and Settings\SIntfNT.dll
C:\Documents and Settings\SIntf32.dll
C:\Documents and Settings\SIntf16.dll
C:\Documents and Settings\CmdLineExt03.dll
C:\Documents and Settings\_is14D3.exe
C:\Documents and Settings\_is14CB.exe
C:\Documents and Settings\Start Menu\Programs\Startup\LogSys.sys
C:\WINDOWS\system32\System64A.exe
Deleted all those above files, Dudes, but the problem still remains.
Still checking for ideas
C:\Windows\System32\nwprovau.dll >> Already deleted that one & restarted the PC now,
but the problem still remains, Dude.
I kind of figured that. Edited before you posted.
I found this
http://techrepublic.com.com/5208-11193-0.html?forumID=94&threadID=201674&start=0
Seems Avast’s boot time scanner did the trick for him. Worth a shot. You might want to download from another PC and then transfer it to yours
Hey Dude, can't open that link ~
Are you sure it's ~ http://techrepublic.com.com/5208-11193-0.html?forumID=94&threadID=201674&start=0
Edited before >> Yap, just deleted my name, but I can find the places of those files correctly & deleted them.
Yep this is the correct link. Copy pasted.
http://techrepublic.com.com/5208-11193-0.html?forumID=94&threadID=201674&start=0
Use another PC and download Avast. Take it to your PC and install it
Dude, I have already got the Avast setup (free version) on my desktop,
but it can't run.
When I double click or run the setup,
it just runs for a while & closes.
So how?
Ok then, does Dr Web's CureIt run? It can't possibly just block every single antivirus. One has to work. Try Dr Web in Safe Mode.
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
I had almost the same problem. I couldn't open the sites of antivirus software, and I couldn't open my instant messengers, and of course couldn't install anti-spyware/antiviruses. I tried everything possible, but then the older version of AVG (7.5 I think) did the trick for me.