[Resolved] Malware accessing 82.98.235.70

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Resolved] Malware accessing 82.98.235.70, malware tries to access 82.98.235.70 and always carshes explorer.exe

Options

m_superberg View Member Profile	Apr 13 2008, 10:08 PM Post #1
New Member Group: New Member Posts: 5 Joined: 13-April 08 Member No.: 78,387 Operating System: Windows XP	Hi, Since yesterday I have this problem that some malware software is trying to access the 82.98.235.70 web but it's always blocked by my antivirus. When this happens, explorer.exe crashes a few minutes later. If I restart explorere.exe, everything seems ok for a few minutes but then again the unauthorised web access and everything repeats. Also, the disc seems to be more active than usual. I checked many posts in different forums but so far didn't find any sensible approach that would help here. I scanned my computer like three times with Trend Micro PC-Cillin but that one finds nothing. Then I also scanned using PREVX CSI and that one found MROFINU.EXE in two directories which I managed to delete and wvUmmMfc.dll in windows/system32 directory which I didn't manage to remove, it says it's being used by another software even in safe mode. I also scanned using Vundofix but that didn't help. Please help, below is my log from HijackThis. Thanks Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:37:33, on 14/04/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe C:\Program Files\Tanagra\Memeo\MemeoService.exe C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\OrCAD\license_manager\lmgrd.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\Program Files\PrevxCSI\PrevxCSI.exe C:\Program Files\OrCAD\license_manager\lmgrd.exe C:\Program Files\FolderSize\FolderSizeSvc.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe C:\Program Files\NetWaiting\netWaiting.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe C:\Program Files\RegistryBooster 2\RegistryBooster.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Program Files\Agilent\IO Libraries Suite\bin\iprocsvr.exe C:\Program Files\Agilent\IO Libraries Suite\bin\iproc82357.exe C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe C:\WINDOWS\system32\cmd.exe C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE C:\WINDOWS\system32\drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe C:\WINDOWS\system32\drwtsn32.exe c:\program files\common files\installshield\updateservice\isuspm.exe C:\Program Files\Agilent\IO Libraries Suite\bin\iproc488.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\regedit.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/default.as...;l=en&s=gen R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {B82F29E4-8368-4B14-9C00-5138C0D94034} - C:\WINDOWS\system32\wvUmmMfc.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257 O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe O4 - Startup: Folding@Home 5.03.lnk = ? O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: IO Control.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: wvUmmMfc - C:\WINDOWS\SYSTEM32\wvUmmMfc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe O23 - Service: Ansys license - Macrovision Corporation - C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cadence License Manager - Macrovision Corporation - C:\Program Files\OrCAD\license_manager\lmgrd.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MPICH Daemon © 2001 Argonne National Lab (mpich_mpd) - Unknown owner - c:\program files\ansys inc\MPICH\mpd\bin\mpd.exe (file missing) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe This post has been edited by m_superberg*: Apr 13 2008, 10:38 PM

Scotty View Member Profile	Apr 14 2008, 05:25 AM Post #2
Always Happy Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04	Hi If you already have Combofix, please delete that copy and download it again as it's being updated regularly. There is a tutorial on the basic use of Combofix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Please download Combofix from Bleeping Computer. If you can't download it from there, please try these 2 alternative sites: Forospyware Geeks to Go Save it to your Desktop. Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running. Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK. When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log. 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser. 3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. In your next reply post: ComboFix.txt New HijackThis log taken after the above scan has run

m_superberg View Member Profile	Apr 14 2008, 08:04 AM Post #3
New Member Group: New Member Posts: 5 Joined: 13-April 08 Member No.: 78,387 Operating System: Windows XP	Hi, I think, I managed to remove the malware in the mean time by using SUPERAntiSpyware which was suggested on some other forum. I ran that scan and it found 23 threats and it also managed to remove them. Since then, the access to the suspicious web didn't occur and the computer seems to work ok so I guess I got rid of it. Anyway, I ran Combofix as you suggested and here is the log file and further also the log file from HijackThis. Thanks a lot ComboFix 08-04-13.3 - Martin 2008-04-14 22:31:48.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1490 [GMT 9:00] Running from: C:\Documents and Settings\Martin\desktop\combofix.exe Command switches used :: /killall * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))) . 2008-04-14 19:34 . 2008-04-14 19:34 284,672 --a------ C:\WINDOWS\system32\gdi32.dll 2008-04-14 18:10 . 2008-02-12 14:59 1,306,624 --------- C:\WINDOWS\system32\dllcache\msxml6.dll 2008-04-14 18:10 . 2008-02-12 02:48 79,872 --------- C:\WINDOWS\system32\dllcache\msxml6r.dll 2008-04-14 18:10 . 2008-02-12 03:19 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys 2008-04-14 18:10 . 2008-02-12 03:10 9,728 --------- C:\WINDOWS\system32\comsdupd.exe 2008-04-14 18:06 . 2008-04-14 18:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles_backup 2008-04-14 18:01 . 2008-04-14 18:01 <DIR> d-------- C:\Program Files\Windows Update Remover 2008-04-14 18:01 . 2007-05-09 01:10 237,552 --a------ C:\WINDOWS\system32\tpuninst.exe 2008-04-14 18:00 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003274_.tmp 2008-04-14 15:04 . 2008-04-14 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-14 15:03 . 2008-04-14 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-04-14 15:03 . 2008-04-14 15:03 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\SUPERAntiSpyware.com 2008-04-14 11:39 . 2008-04-14 12:05 <DIR> d-------- C:\VundoFix Backups 2008-04-01 17:32 . 2008-04-01 17:32 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-04-01 17:32 . 2008-04-01 17:32 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\SystemRequirementsLab 2008-04-01 16:57 . 2008-04-01 17:04 <DIR> d-------- C:\Program Files\ChrisTV Lite 2008-04-01 12:12 . 2003-11-21 07:00 54,784 -r-hs---- C:\WINDOWS\system32\RLAPEDec.ax 2008-04-01 12:12 . 2004-04-27 07:00 37,888 -r-hs---- C:\WINDOWS\system32\RLMPCDec.ax 2008-04-01 12:12 . 2007-02-21 19:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll 2008-04-01 12:12 . 2007-12-17 21:43 27,648 ---hs---- C:\WINDOWS\system32\Smab0.dll 2008-04-01 12:11 . 2006-09-12 19:46 227,328 -r-hs---- C:\WINDOWS\system32\ac3DX.ax 2008-04-01 12:11 . 2006-05-03 18:06 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll 2008-04-01 12:11 . 2006-01-13 07:23 123,904 -r-hs---- C:\WINDOWS\system32\AVCDX.ax 2008-04-01 12:10 . 2008-04-10 15:30 <DIR> d-------- C:\Program Files\SUPER 2008-03-22 17:22 . 2008-03-22 17:22 4,128 --a------ C:\INFCACHE.1 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-14 08:58 --------- d-----w C:\Documents and Settings\Martin\Application Data\Skype 2008-04-14 08:10 --------- d-----w C:\Program Files\RegistryBooster 2 2008-04-14 08:10 --------- d-----w C:\Program Files\Java 2008-04-14 08:10 --------- d-----w C:\Program Files\GIMP-2.0 2008-04-14 05:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-14 04:52 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-14 04:52 --------- d-----w C:\Program Files\Roxio 2008-04-14 04:43 --------- d-----w C:\Program Files\Nikon 2008-04-14 04:43 --------- d-----w C:\Program Files\Common Files\Nikon 2008-04-14 04:42 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdy.DAT 2008-04-14 04:42 --------- d-----w C:\Program Files\Apple Software Update 2008-04-14 03:36 --------- d-----w C:\Program Files\Trend Micro 2008-04-09 03:54 --------- d-----w C:\Program Files\Folding@Home 2008-04-09 02:48 --------- d-----w C:\Documents and Settings\Martin\Application Data\uTorrent 2008-04-09 01:36 --------- d-----w C:\Documents and Settings\Martin\Application Data\AdobeUM 2008-04-08 07:16 --------- d-----w C:\Documents and Settings\Martin\Application Data\SolidWorks 2008-04-06 05:18 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT 2008-03-17 19:40 --------- d-----w C:\Documents and Settings\Martin\Application Data\dvdcss 2008-03-08 12:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-03-05 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\System Image Utility 2008-02-28 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15 2008-02-28 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp 2008-02-28 06:38 --------- d-----w C:\Program Files\Capture NX 2008-02-28 06:34 --------- d-----w C:\Documents and Settings\Martin\Application Data\Nikon 2008-02-12 06:00 283,648 ----a-w C:\WINDOWS\winhlp32.exe 2008-02-12 05:59 69,120 ----a-w C:\WINDOWS\notepad.exe 2008-02-12 05:59 50,688 ----a-w C:\WINDOWS\twain_32.dll 2008-02-12 05:59 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll 2008-02-12 05:59 33,280 ----a-w C:\WINDOWS\Help\sstub.dll 2008-02-12 05:59 32,866 ------w C:\WINDOWS\slrundll.exe 2008-02-12 05:59 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll 2008-02-12 05:59 146,432 ----a-w C:\WINDOWS\regedit.exe 2008-02-12 05:59 10,752 ----a-w C:\WINDOWS\hh.exe 2008-02-12 05:59 1,033,728 ----a-w C:\WINDOWS\explorer.exe 2008-02-12 05:58 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll 2008-02-12 05:58 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll 2008-02-12 05:58 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll 2008-02-12 05:58 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll 2008-02-12 05:58 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll 2008-02-12 05:58 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll 2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Back Me Up!] @= [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 14:59 15360] "OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-26 22:37 315392] "Uniblue RegistryBooster2"="C:\Program Files\RegistryBooster 2\RegistryBooster.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 19:03 7557120] "nwiz"="nwiz.exe" [2006-03-21 19:03 1519616 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2006-03-21 19:03 73728 C:\WINDOWS\system32\nvhotkey.dll] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 17:27 200704] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-09-29 21:02 3112960] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04 802816] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58 696320] "UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940] "Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-11-05 05:32 61440] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-02-12 14:59 15360] C:\Documents and Settings\Martin\Start Menu\Programs\Accessories\Startup\ BUFFALO NAS Navigator.lnk - C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe [1/20/2007 12:56:30 PM 585728] Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [3/19/2007 11:54:59 AM 323584] PowerReg SchedulerV2.exe [12/7/2006 6:13:21 PM 256000] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Documents and Settings\\Zabava\\Desktop\\utorrent.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\ANSYS.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\ans_admin.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\mpitest.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\mpitestmpich.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\sxpost.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\tclsh.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\wish.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"= "C:\\Program Files\\Ansys Inc\\v90\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"= "C:\\Program Files\\Ansys Inc\\v90\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"= "C:\\Program Files\\Ansys Inc\\v90\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"= "C:\\Program Files\\Ansys Inc\\Shared Files\\Licensing\\intel\\ansyslmd.exe"= "C:\\Program Files\\Ansys Inc\\Shared Files\\Licensing\\intel\\lmgrd.exe"= "C:\\Program Files\\OrCAD\\updates.exe"= "C:\\Program Files\\OrCAD\\license_manager\\cdslmd.exe"= "C:\\Program Files\\OrCAD\\license_manager\\CKOUT.exe"= "C:\\Program Files\\OrCAD\\license_manager\\installs.exe"= "C:\\Program Files\\OrCAD\\license_manager\\lmCheckExpiration.exe"= "C:\\Program Files\\OrCAD\\license_manager\\lmgrd.exe"= "C:\\Program Files\\OrCAD\\license_manager\\lmtools.exe"= "C:\\Program Files\\OrCAD\\license_manager\\lmutil.exe"= "C:\\Program Files\\OrCAD\\license_manager\\nettest.exe"= "C:\\Program Files\\OrCAD\\license_manager\\flexid\\FLEXidCleanupUtility.exe"= "C:\\Program Files\\OrCAD\\license_manager\\flexid\\FLEXidInstaller.exe"= "C:\\Program Files\\OrCAD\\license_manager\\flexid\\lmhostid.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsdoc.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsinfo.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsmps.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsMsgServer.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsNameServer.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsOaPathUtil.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsRemshClient.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsRunHidden.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsUnzip.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdswhich.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cdsZip.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\cds_root.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\clsAdminTool.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\clsbd.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\clu.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\dregprint.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\emsMkError.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\mpsinfo.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\msgHelp.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\nmp.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\nmppath.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\obServer.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\switchversion.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\van.exe"= "C:\\Program Files\\OrCAD\\tools\\bin\\versionviewer.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\capture.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\comp16.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\pcadi.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\pspiceexplorersrvr.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\pstswp.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\regsvr32.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\sch2cap.exe"= "C:\\Program Files\\OrCAD\\tools\\capture\\SETBROWS.EXE"= "C:\\Program Files\\OrCAD\\tools\\capture\\tutorial\\CAPTUTOR.EXE"= "C:\\Program Files\\OrCAD\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"= "C:\\Program Files\\OrCAD\\tools\\cdsdoc\\bin\\obServer.exe"= "C:\\Program Files\\OrCAD\\tools\\fet\\bin\\mkdefcfg.exe"= "C:\\Program Files\\OrCAD\\tools\\fet\\bin\\versiontool.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\java.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\javaw.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\jpicpl32.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\jucheck.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\jusched.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\keytool.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\kinit.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\klist.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\ktab.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\orbd.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\policytool.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\rmid.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\rmiregistry.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\servertool.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\bin\\tnameserv.exe"= "C:\\Program Files\\OrCAD\\tools\\jre\\javaws\\javaws.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\appmgr.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\IndiceFileGeneration.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\lxcwin.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\Magneticdesigner.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\modeled.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\MrkSrvr.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\msgview.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\PDesign.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\psched.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\pspice.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\PSpiceEnc.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\pspiceexplorersrvr.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\psp_cmd.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\regsvr32.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\simmgr.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\simsrvr.exe"= "C:\\Program Files\\OrCAD\\tools\\pspice\\stmed.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\bin\\cdsdocIndexer.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\bin\\merge.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\bin\\mkvdk.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\bin\\search.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\bin\\setup.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\bin\\v_uninst.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\callback.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\filter.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\htmlini.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\htmserv.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\index.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\jstree.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\jvtree.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\kvoop.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\regsvr32.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\summary.exe"= "C:\\Program Files\\OrCAD\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"= "C:\\Program Files\\sdc203(2)\\StrongDC.exe"= "C:\\Documents and Settings\\Zabava\\Desktop\\Install\\Buffalo Linkstation\\ls-gl110_051\\LSUpdater.exe"= "C:\\Program Files\\Altera Quartus II 6.1\\quartus\\bin\\quartus.exe"= "C:\\Program Files\\Altera Quartus II 6.1\\quartus\\bin\\jtagserver.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Documents and Settings\\Martin\\Desktop\\sdc212\\StrongDC.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= "C:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"= R2 Ansys license;Ansys license;C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe [2003-07-08 16:20] R2 Cadence License Manager;Cadence License Manager;C:\Program Files\OrCAD\license_manager\lmgrd.exe [2006-03-24 17:34] R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56] S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2003-07-08 16:20] S2 mpich_mpd;MPICH Daemon © 2001 Argonne National Lab;c:\program files\ansys inc\MPICH\mpd\bin\mpd.exe [] S3 agBootB;Agilent Technologies 82357B firmware download service;C:\WINDOWS\system32\DRIVERS\agt82357.sys [2007-04-05 19:16] S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;C:\WINDOWS\system32\drivers\ftdibus.sys [2006-05-18 08:48] S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2008-02-12 03:20] S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2008-02-12 03:20] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1387ea69-dcd9-11db-8f00-0015c55b3298}] \Shell\AutoRun\command - G:\MobileLaunch.exe . Contents of the 'Scheduled Tasks' folder "2008-04-06 03:19:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe "2007-08-20 03:19:07 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe . ************************************************************************ catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-14 22:36:52 Windows 5.1.2600 Service Pack 3, v.3311 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\system32\scardsvr.exe C:\Program Files\Tanagra\Memeo\MemeoService.exe C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\Program Files\FolderSize\FolderSizeSvc.exe C:\Program Files\Dell\QuickSet\NicConfigSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************ . Completion time: 2008-04-14 22:44:36 - machine was rebooted ComboFix-quarantined-files.txt 2008-04-14 13:44:33 Pre-Run: 4,242,186,240 bytes free Post-Run: 4,224,176,128 bytes free . 2008-04-12 04:54:02 --- E O F --- HIJACKTHIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:01, on 2008-04-14 Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe C:\Program Files\Tanagra\Memeo\MemeoService.exe C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\OrCAD\license_manager\lmgrd.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\Program Files\OrCAD\license_manager\lmgrd.exe C:\Program Files\FolderSize\FolderSizeSvc.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe C:\Program Files\NetWaiting\netWaiting.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/default.as...;l=en&s=gen R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe O4 - Startup: Folding@Home 5.03.lnk = ? O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe O23 - Service: Ansys license - Macrovision Corporation - C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\lmgrd.exe O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cadence License Manager - Macrovision Corporation - C:\Program Files\OrCAD\license_manager\lmgrd.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MPICH Daemon © 2001 Argonne National Lab (mpich_mpd) - Unknown owner - c:\program files\ansys inc\MPICH\mpd\bin\mpd.exe (file missing) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 11369 bytes

Scotty View Member Profile	Apr 14 2008, 08:17 AM Post #4
Always Happy Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04	Yep, you got it. Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

m_superberg View Member Profile	Apr 14 2008, 08:49 AM Post #5
New Member Group: New Member Posts: 5 Joined: 13-April 08 Member No.: 78,387 Operating System: Windows XP	Thanks a lot, I'm happy I got rid of it.

Scotty View Member Profile	Apr 14 2008, 09:01 AM Post #6
Always Happy Group: Malware Team Posts: 3,653 Joined: 9-December 06 From: Haggistown, Kiltland Member No.: 65,226 Operating System: XP Pro Ubuntu 8.04	Just make sure, run this quickly Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform full scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt Post that log back here.

m_superberg

Apr 14 2008, 05:59 PM

Post #7

New Member

Group: New Member
Posts: 5
Joined: 13-April 08
Member No.: 78,387
Operating System: Windows XP

Ok, I ran the full scan by Malwarebytes and it found 0 threats

so I guess I'm clean, here is the log file.

Thanks again

Malwarebytes' Anti-Malware 1.11
Database version: 629

Scan type: Full Scan (C:\|)
Objects scanned: 250999
Time elapsed: 1 hour(s), 32 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Mo