Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91866 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] PLESASE HELP!


  • This topic is locked This topic is locked
13 replies to this topic

#1 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 21 April 2008 - 01:14 AM

i accessed a website and it ask me to install a program to run the content of the page,
after installed it my computer just have some kind of pop up say that my system need anti-virus and it keep ask me to download some unknown anti-virus even though i already have one(nob32)
those warning and alert just keep popping up every minute.
i found that some weird process at window task bar like "scit.exe, sbsm.exe, scm.exe" but i can't end those process
please help me with this problem
thank!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:05 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - (no file)
O2 - BHO: (no name) - {EAD9FD4E-D477-4946-B6C6-EC535A8CF1A3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{BB-B2-20-0B-DW}] C:\WINDOWS\system32\Rtmp\cegmgr76.exe DWram
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [3c0bb2a4] rundll32.exe "C:\WINDOWS\system32\mgcisljf.dll",b
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\Rtmp\cegmgr76.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: fccdeeCV - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7485 bytes

    Advertisements

Register to Remove


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 21 April 2008 - 04:11 AM

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in your next reply.



If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
Report.txt
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#3 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 21 April 2008 - 09:51 AM

hi!
thank for helping!
i don't have any of those problem again
this is the report


SDFix: Version 1.173
Run by Administrator on Tue 04/22/2008 at 12:29 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default IE HomePage

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\CPV\CPV7.dll - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\NetProject\sbmdl.dll - Deleted
C:\Program Files\NetProject\sbmntr.exe - Deleted
C:\Program Files\NetProject\sbsm.exe - Deleted
C:\Program Files\NetProject\scit.exe - Deleted
C:\Program Files\NetProject\scm.exe - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zfe2.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zfe5.exe - Deleted
C:\WINDOWS\17PHolmes1000106.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\Documents and Settings\Administrator\Favorites\Online Security Test.url - Deleted
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
C:\WINDOWS\system32\WINLOGO.EXE - Deleted



Folder C:\Program Files\CPV - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\NetProject - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 00:40:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\mtd2002\\mtdserver.exe"="C:\\Program Files\\mtd2002\\mtdserver.exe:*:Enabled:mtdServer"
"C:\\games\\kag\\_AG.exe"="C:\\games\\kag\\_AG.exe:*:Enabled:_AG"
"C:\\prog\\lime\\LimeWire\\LimeWire.exe"="C:\\prog\\lime\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\prog\\Azureus\\Azureus.exe"="C:\\prog\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\real\\eREAD_Cookcase.exe"="C:\\Program Files\\real\\eREAD_Cookcase.exe:*:Disabled:eREAD 6.0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 568 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"
Tue 3 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Thu 27 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 1 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1a72abe4120e101373a4e6a8f3333cc4\download\BITE4.tmp"
Tue 1 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8c6a8157d1ed68b0b0f724babd8b17f\download\BIT102.tmp"

Finished!


ComboFix 08-04-20.5 - Administrator 2008-04-22 1:23:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outlook
C:\WINDOWS\BM3f388138.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AcbHNqru.ini
C:\WINDOWS\system32\AcbHNqru.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\fjlsicgm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 01:31 . 2008-04-22 01:31 49,155 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-04-22 00:22 . 2008-04-22 00:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 00:16 . 2008-04-22 00:16 <DIR> d-------- C:\sdfix
2008-04-20 13:34 . 2008-04-20 13:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-20 13:16 . 2008-04-20 13:16 <DIR> d-------- C:\Program Files\WinPcap
2008-04-19 13:36 . 2008-04-19 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-19 13:35 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\NCH Software
2008-04-19 13:22 . 2008-04-19 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-04-19 13:22 . 2008-04-19 13:22 26,112 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2008-04-19 13:13 . 2008-04-19 13:13 <DIR> d-------- C:\My Intranet
2008-04-18 01:50 . 2008-04-18 01:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-18 01:50 . 2008-04-21 03:13 1,481 --a------ C:\WINDOWS\mozver.dat
2008-04-15 00:39 . 2008-04-15 00:39 268 --ah----- C:\sqmdata04.sqm
2008-04-15 00:39 . 2008-04-15 00:39 244 --ah----- C:\sqmnoopt04.sqm
2008-04-10 18:55 . 2008-04-10 18:55 1,186 --ahs---- C:\WINDOWS\system32\cyohljcf.ini
2008-04-09 18:14 . 2008-04-10 18:49 1,126 --ahs---- C:\WINDOWS\system32\jixxiqyg.ini
2008-04-08 14:58 . 2008-04-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-08 14:52 . 2008-04-08 14:52 267 --a------ C:\Documents and Settings\Administrator\5262.bat
2008-04-08 14:51 . 2008-04-08 14:51 36,864 --a------ C:\Documents and Settings\Administrator\winlogo.exe
2008-04-08 13:30 . 2008-04-08 13:30 267 --a------ C:\WINDOWS\system32\8840.bat
2008-04-08 13:29 . 2008-04-08 13:30 <DIR> d-------- C:\WINDOWS\system32\spol3
2008-04-08 13:29 . 2008-04-08 13:29 <DIR> d-------- C:\WINDOWS\system32\Rtmp
2008-04-08 13:29 . 2008-04-08 18:34 <DIR> d-------- C:\WINDOWS\system32\MId2
2008-04-08 13:29 . 2008-04-08 13:29 <DIR> d-------- C:\WINDOWS\system32\HBL
2008-04-08 13:29 . 2008-04-08 18:26 <DIR> d-------- C:\WINDOWS\system32\bharebio07
2008-04-08 13:29 . 2008-04-08 13:30 <DIR> d-------- C:\Temp\wdlw14
2008-04-08 13:29 . 2008-04-22 00:40 <DIR> d-------- C:\Temp
2008-04-08 12:49 . 2008-04-09 18:05 594 --ahs---- C:\WINDOWS\system32\fxpnfwgs.ini
2008-04-07 18:26 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-07 18:26 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-07 17:17 . 2008-04-07 21:46 <DIR> d-------- C:\Program Files\real
2008-04-07 08:39 . 2008-04-07 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-05 21:41 . 2008-04-05 21:41 <DIR> d--hs---- C:\WINDOWS\system32\pas
2008-04-05 19:56 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-05 19:53 . 2008-04-05 19:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-05 19:44 . 2008-04-05 19:53 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 02:41 . 2008-04-08 15:09 <DIR> d-------- C:\Program Files\ESET
2008-04-05 02:41 . 2008-04-08 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-04 16:16 . 2008-04-04 16:16 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-04 16:15 . 2008-04-04 16:15 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-04-04 16:11 . 2007-11-29 20:00 843,690 --a------ C:\WINDOWS\another dream.scr
2008-04-04 16:11 . 2001-01-12 23:37 294,912 --a------ C:\WINDOWS\Helios.scr
2008-04-04 15:55 . 2008-04-04 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-03 02:42 . 2008-04-22 01:31 24 --a------ C:\WINDOWS\LogonStudio.ini
2008-04-03 02:39 . 2000-05-17 10:52 187,392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2008-04-02 23:39 . 2008-04-02 23:39 <DIR> d-------- C:\Documents and Settings\Guest
2008-04-02 23:39 . 2008-04-22 01:30 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-04-02 22:06 . 2008-04-22 01:22 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-02 05:21 . 2008-04-02 05:21 <DIR> d-------- C:\WINDOWS\Sun
2008-04-02 03:51 . 2008-04-02 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-02 03:23 . 2008-04-02 03:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-02 03:22 . 2008-04-20 08:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-01 16:03 . 2008-04-01 16:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 16:03 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-01 13:54 . 2008-04-10 09:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-01 13:44 . 2008-04-01 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2008-04-01 13:43 . 2008-04-15 20:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-31 02:11 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 02:08 . 2008-03-31 02:11 <DIR> d-------- C:\Program Files\Java
2008-03-31 01:39 . 2008-03-31 01:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 01:39 . 2008-04-17 20:34 <DIR> d-------- C:\games
2008-03-30 12:49 . 2008-03-30 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-03-30 01:54 . 2008-03-30 01:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-03-30 01:54 . 2008-03-30 01:54 81,920 --a------ C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-03-30 01:53 . 2004-05-26 22:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-30 01:53 . 2006-09-16 20:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-29 20:35 . 2008-03-29 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\National Instruments
2008-03-29 19:52 . 2008-03-29 19:52 268 --ah----- C:\sqmdata03.sqm
2008-03-29 19:52 . 2008-03-29 19:52 244 --ah----- C:\sqmnoopt03.sqm
2008-03-29 19:50 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\HI-TECH Software
2008-03-29 19:23 . 2008-03-29 19:23 268 --ah----- C:\sqmdata02.sqm
2008-03-29 19:23 . 2008-03-29 19:23 244 --ah----- C:\sqmnoopt02.sqm
2008-03-29 19:11 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-29 19:06 . 2008-03-29 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\National Instruments
2008-03-29 19:03 . 2008-03-29 19:03 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-03-29 19:00 . 2008-03-29 19:44 <DIR> d-------- C:\Program Files\National Instruments
2008-03-29 14:09 . 2008-04-20 20:09 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-29 03:51 . 2008-03-29 03:51 268 --ah----- C:\sqmdata01.sqm
2008-03-29 03:51 . 2008-03-29 03:51 244 --ah----- C:\sqmnoopt01.sqm
2008-03-29 02:10 . 2008-03-29 02:10 120 --a------ C:\WINDOWS\d4s.hst
2008-03-29 01:56 . 2008-03-29 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-28 17:07 . 2008-03-28 17:07 268 --ah----- C:\sqmdata00.sqm
2008-03-28 17:07 . 2008-03-28 17:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-28 16:23 . 2008-03-28 16:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Ringz Studio
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 09:56 . 2008-03-29 23:49 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-03-28 09:55 . 2008-04-05 19:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-28 06:05 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 06:05 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 06:05 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 02:10 . 2008-04-05 19:56 <DIR> d-------- C:\Program Files\Windows Live
2008-03-28 02:10 . 2008-04-10 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-28 02:09 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-28 02:09 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-28 02:09 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-28 01:59 . 2008-03-28 01:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-28 01:58 . 2008-04-06 09:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 01:49 . 2003-06-18 18:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-28 01:49 . 2008-03-28 01:49 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-28 01:48 . 2008-03-28 01:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-28 01:47 . 2008-03-28 01:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-28 01:46 . 2008-04-04 16:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-28 01:40 . 2008-03-28 01:40 <DIR> dr-h----- C:\MSOCache
2008-03-28 01:27 . 2008-03-28 01:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-28 01:26 . 2008-03-28 01:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-28 01:17 . 2008-03-28 01:17 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-28 01:03 . 2004-02-09 13:06 15,360 --a------ C:\WINDOWS\system32\drivers\NetMotCM.sys
2008-03-28 01:02 . 2008-03-30 00:15 <DIR> d-------- C:\USB driver
2008-03-27 23:55 . 2008-03-27 23:55 72 --a------ C:\WINDOWS\WB.ini
2008-03-27 23:38 . 2005-01-22 19:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2008-03-27 22:55 . 2008-03-27 23:58 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-27 22:43 . 2008-03-27 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-27 22:39 . 2008-03-27 22:39 <DIR> d-------- C:\Program Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 04:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-12 02:54 4,687,872 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-07 01:14 16,858,112 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-01 11:56 71,176 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-03-01 11:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-03-01 11:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-03-01 11:53 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-01 11:52 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2005-10-12 23:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 18:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

------- Sigcheck -------

2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2007-01-04 06:37 658944 8c393df5234cbcbff1ee31902d6b40ae C:\WINDOWS\SoftwareDistribution\Download\a6e4f77e54d6ccd253ced65e20a57cd2\sp2gdr\wininet.dll
2007-01-04 07:05 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\SoftwareDistribution\Download\a6e4f77e54d6ccd253ced65e20a57cd2\sp2qfe\wininet.dll
2004-08-03 18:07 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll
2004-08-03 18:07 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-03 18:07 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 14:05 544768]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49 4670968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 17:14 86016 C:\WINDOWS\SoundMan.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 16:55 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 16:55 1057328]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 11:30 97357]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"LogonStudio"="C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"PC Auto Shutdown"="C:\prog\PC Auto Shutdown\AutoShutdown.exe" [2006-11-24 10:11 359679]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"{BB-B2-20-0B-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-22 01:31 49155]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-01 04:54 1443072]
"3c0bb2a4"="C:\WINDOWS\system32\mgcisljf.dll" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-22 01:31:10 49155]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-04-19 21:55:37 3581680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdeeCV]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 11:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\games\\kag\\_AG.exe"=
"C:\\prog\\lime\\LimeWire\\LimeWire.exe"=
"C:\\prog\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 11:00]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2006-07-15 20:47]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2006-07-25 18:36]
R2 PCAutoShutdown_Service;PCAutoShutdown_Service;C:\prog\PC Auto Shutdown\ShutdownService.exe [2006-11-06 16:31]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-03 18:07]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 10:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96d4a4c2-029b-11dd-a634-000f9fc9d761}]
\Shell\AutoRun\command - E:\RavMon.exe
\Shell\explore\Command - E:\RavMon.exe -e
\Shell\open\Command - E:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3f3761d-01c3-11dd-a632-b06c6f5da3d8}]
\Shell\1\Command - .\readme.txt.exe
\Shell\2\Command - .\readme.txt.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 01:31:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-22 1:37:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 08:37:05

Pre-Run: 93,386,022,912 bytes free
Post-Run: 93,311,909,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

277 --- E O F --- 2008-04-10 16:35:07


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:20 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\prog\PC Auto Shutdown\AutoShutdown.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
c:\windows\system32\rwwnw64d.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.859\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{BB-B2-20-0B-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [3c0bb2a4] rundll32.exe "C:\WINDOWS\system32\mgcisljf.dll",b
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: fccdeeCV - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6728 bytes

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 21 April 2008 - 10:39 AM

Hi

We still have work to do, so stick with it.


Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\d4s.hst
Click Submit.
Please post the results of this scan to this thread.


Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.



Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. Also, disable your anti-virus and any real-time anti-spyware.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\system32\rwwnw64d.exe
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\system32\cyohljcf.ini
C:\WINDOWS\system32\jixxiqyg.ini
C:\Documents and Settings\Administrator\5262.bat
C:\Documents and Settings\Administrator\winlogo.exe
C:\WINDOWS\system32\8840.bat
C:\WINDOWS\system32\fxpnfwgs.ini
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
E:\RavMon.exe

Folder::
C:\sdfix
C:\WINDOWS\system32\spol3
C:\WINDOWS\system32\Rtmp
C:\WINDOWS\system32\MId2
C:\WINDOWS\system32\HBL
C:\WINDOWS\system32\bharebio07
C:\Temp\wdlw14

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{BB-B2-20-0B-DW}"=-
"3c0bb2a4"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96d4a4c2-029b-11dd-a634-000f9fc9d761}
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3f3761d-01c3-11dd-a632-b06c6f5da3d8}]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
Jotti reults
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#5 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 21 April 2008 - 10:54 PM

it complicated, hehe
this is the new report:
Scanner results
Scan taken on 22 Apr 2008 03:39:35 (GMT) A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


ComboFix 08-04-20.5 - Administrator 2008-04-22 13:56:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.264 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\5262.bat
C:\Documents and Settings\Administrator\winlogo.exe
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\system32\8840.bat
C:\WINDOWS\system32\cyohljcf.ini
C:\WINDOWS\system32\fxpnfwgs.ini
C:\WINDOWS\system32\jixxiqyg.ini
C:\WINDOWS\system32\rwwnw64d.exe
E:\RavMon.exe
.
/wow section - STAGE 41
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\5262.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Administrator\winlogo.exe
C:\sdfix
C:\sdfix\SDFix\apps\assosfix.reg
C:\sdfix\SDFix\apps\cliptext.exe
C:\sdfix\SDFix\apps\download.exe
C:\sdfix\SDFix\apps\dummy.sys
C:\sdfix\SDFix\apps\Enable_Command_Prompt.reg
C:\sdfix\SDFix\apps\ERDNT.E_E
C:\sdfix\SDFix\apps\ERDNTDOS.LOC
C:\sdfix\SDFix\apps\ERDNTWIN.LOC
C:\sdfix\SDFix\apps\ERUNT.EXE
C:\sdfix\SDFix\apps\ERUNT.LOC
C:\sdfix\SDFix\apps\fix.reg
C:\sdfix\SDFix\apps\FixBH.reg
C:\sdfix\SDFix\apps\FixComponents.reg
C:\sdfix\SDFix\apps\FIXCU.reg
C:\sdfix\SDFix\apps\FIXLM.reg
C:\sdfix\SDFix\apps\FixPath.exe
C:\sdfix\SDFix\apps\FixRedir.reg
C:\sdfix\SDFix\apps\FixSchedule.reg
C:\sdfix\SDFix\apps\FixWebCheck.reg
C:\sdfix\SDFix\apps\fixXP.reg
C:\sdfix\SDFix\apps\FixXPsp2.reg
C:\sdfix\SDFix\apps\grep.exe
C:\sdfix\SDFix\apps\HPFix.reg
C:\sdfix\SDFix\apps\HPFix2.reg
C:\sdfix\SDFix\apps\HPFix3.reg
C:\sdfix\SDFix\apps\HPFix4.reg
C:\sdfix\SDFix\apps\HPFix5.reg
C:\sdfix\SDFix\apps\HPFix6.reg
C:\sdfix\SDFix\apps\HPFix7.reg
C:\sdfix\SDFix\apps\isadmin.exe
C:\sdfix\SDFix\apps\leg2.txt
C:\sdfix\SDFix\apps\legacy.txt
C:\sdfix\SDFix\apps\legacybk.txt
C:\sdfix\SDFix\apps\locate.com
C:\sdfix\SDFix\apps\LS.exe
C:\sdfix\SDFix\apps\MD5File.exe
C:\sdfix\SDFix\apps\MyGcpvFix.reg
C:\sdfix\SDFix\apps\MyGkFix2.reg
C:\sdfix\SDFix\apps\Process.exe
C:\sdfix\SDFix\apps\procs.exe
C:\sdfix\SDFix\apps\psservice.exe
C:\sdfix\SDFix\apps\Rem.txt
C:\sdfix\SDFix\apps\Rem2.txt
C:\sdfix\SDFix\apps\Replace\regedit.exe
C:\sdfix\SDFix\apps\Replace\W2K.exe
C:\sdfix\SDFix\apps\Replace\w2k\beep.sys
C:\sdfix\SDFix\apps\Replace\w2k\null.sys
C:\sdfix\SDFix\apps\Replace\XP.exe
C:\sdfix\SDFix\apps\Replace\xp\beep.sys
C:\sdfix\SDFix\apps\Replace\xp\null.sys
C:\sdfix\SDFix\apps\Reset_AppInit_DLLs.reg
C:\sdfix\SDFix\apps\RestartIt!.exe
C:\sdfix\SDFix\apps\Restore_SecurityCenter.reg
C:\sdfix\SDFix\apps\Restore_SharedAccess.reg
C:\sdfix\SDFix\apps\sc.exe
C:\sdfix\SDFix\apps\sed.exe
C:\sdfix\SDFix\apps\SF.exe
C:\sdfix\SDFix\apps\shutdown.exe
C:\sdfix\SDFix\apps\srv2.txt
C:\sdfix\SDFix\apps\srv2bk.txt
C:\sdfix\SDFix\apps\svc.txt
C:\sdfix\SDFix\apps\svcbk.txt
C:\sdfix\SDFix\apps\swreg.exe
C:\sdfix\SDFix\apps\swsc.exe
C:\sdfix\SDFix\apps\unzip.exe
C:\sdfix\SDFix\apps\vfind.exe
C:\sdfix\SDFix\apps\WINMSG.EXE
C:\sdfix\SDFix\apps\winsec.reg
C:\sdfix\SDFix\apps\zip.exe
C:\sdfix\SDFix\backups\backupreg.zip
C:\sdfix\SDFix\backups\backups.zip
C:\sdfix\SDFix\backups\catchme.log
C:\sdfix\SDFix\backups\HOSTS
C:\sdfix\SDFix\catchme.exe
C:\sdfix\SDFix\dummy.sys
C:\sdfix\SDFix\Report.txt
C:\sdfix\SDFix\RunThis.bat
C:\sdfix\SDFix\SDFIX_ReadMe_Online.url
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\Temp\wdlw14
C:\Temp\wdlw14\maxN1bo.log
C:\WINDOWS\system32\8840.bat
C:\WINDOWS\system32\bharebio07
C:\WINDOWS\system32\cyohljcf.ini
C:\WINDOWS\system32\fxpnfwgs.ini
C:\WINDOWS\system32\HBL
C:\WINDOWS\system32\HBL\HTgn1dll.exe
C:\WINDOWS\system32\jixxiqyg.ini
C:\WINDOWS\system32\MId2
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\Rtmp
C:\WINDOWS\system32\Rtmp\cegmgr76.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\spol3

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 03:58 . 2008-04-22 03:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-22 00:22 . 2008-04-22 00:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-20 13:34 . 2008-04-20 13:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-20 13:16 . 2008-04-20 13:16 <DIR> d-------- C:\Program Files\WinPcap
2008-04-19 13:36 . 2008-04-19 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-19 13:35 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\NCH Software
2008-04-19 13:22 . 2008-04-19 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-04-19 13:22 . 2008-04-19 13:22 26,112 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2008-04-19 13:13 . 2008-04-19 13:13 <DIR> d-------- C:\My Intranet
2008-04-18 01:50 . 2008-04-18 01:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-18 01:50 . 2008-04-21 03:13 1,481 --a------ C:\WINDOWS\mozver.dat
2008-04-08 14:58 . 2008-04-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-08 13:29 . 2008-04-22 13:58 <DIR> d-------- C:\Temp
2008-04-07 18:26 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-07 18:26 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-07 17:17 . 2008-04-07 21:46 <DIR> d-------- C:\Program Files\real
2008-04-07 08:39 . 2008-04-07 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-05 21:41 . 2008-04-05 21:41 <DIR> d--hs---- C:\WINDOWS\system32\pas
2008-04-05 19:56 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-05 19:53 . 2008-04-05 19:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-05 19:44 . 2008-04-05 19:53 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 02:41 . 2008-04-08 15:09 <DIR> d-------- C:\Program Files\ESET
2008-04-05 02:41 . 2008-04-08 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-04 16:16 . 2008-04-04 16:16 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-04 16:15 . 2008-04-04 16:15 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-04-04 16:11 . 2007-11-29 20:00 843,690 --a------ C:\WINDOWS\another dream.scr
2008-04-04 16:11 . 2001-01-12 23:37 294,912 --a------ C:\WINDOWS\Helios.scr
2008-04-04 15:55 . 2008-04-04 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-03 02:42 . 2008-04-22 14:26 24 --a------ C:\WINDOWS\LogonStudio.ini
2008-04-03 02:39 . 2000-05-17 10:52 187,392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2008-04-02 23:39 . 2008-04-02 23:39 <DIR> d-------- C:\Documents and Settings\Guest
2008-04-02 23:39 . 2008-04-22 14:25 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-04-02 22:06 . 2008-04-22 01:22 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-02 05:21 . 2008-04-02 05:21 <DIR> d-------- C:\WINDOWS\Sun
2008-04-02 03:51 . 2008-04-02 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-02 03:23 . 2008-04-02 03:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-02 03:22 . 2008-04-20 08:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-01 16:03 . 2008-04-01 16:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 16:03 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-01 13:54 . 2008-04-22 08:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-01 13:44 . 2008-04-01 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2008-04-01 13:43 . 2008-04-15 20:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-31 02:11 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 02:08 . 2008-03-31 02:11 <DIR> d-------- C:\Program Files\Java
2008-03-31 01:39 . 2008-03-31 01:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 01:39 . 2008-04-17 20:34 <DIR> d-------- C:\games
2008-03-30 12:49 . 2008-03-30 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-03-30 01:54 . 2008-03-30 01:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-03-30 01:54 . 2008-03-30 01:54 81,920 --a------ C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-03-30 01:53 . 2004-05-26 22:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-30 01:53 . 2006-09-16 20:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-29 20:35 . 2008-03-29 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\National Instruments
2008-03-29 19:50 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\HI-TECH Software
2008-03-29 19:11 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-29 19:06 . 2008-03-29 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\National Instruments
2008-03-29 19:03 . 2008-03-29 19:03 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-03-29 19:00 . 2008-03-29 19:44 <DIR> d-------- C:\Program Files\National Instruments
2008-03-29 14:09 . 2008-04-22 02:43 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-29 02:10 . 2008-03-29 02:10 120 --a------ C:\WINDOWS\d4s.hst
2008-03-29 01:56 . 2008-03-29 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-28 16:23 . 2008-03-28 16:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Ringz Studio
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 09:56 . 2008-03-29 23:49 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-03-28 09:55 . 2008-04-05 19:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-28 06:05 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 06:05 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 06:05 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 02:10 . 2008-04-05 19:56 <DIR> d-------- C:\Program Files\Windows Live
2008-03-28 02:10 . 2008-04-10 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-28 02:09 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-28 02:09 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-28 02:09 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-28 01:59 . 2008-03-28 01:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-28 01:58 . 2008-04-06 09:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 01:49 . 2003-06-18 18:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-28 01:49 . 2008-03-28 01:49 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-28 01:48 . 2008-03-28 01:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-28 01:47 . 2008-03-28 01:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-28 01:46 . 2008-04-04 16:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-28 01:40 . 2008-03-28 01:40 <DIR> dr-h----- C:\MSOCache
2008-03-28 01:27 . 2008-03-28 01:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-28 01:26 . 2008-03-28 01:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-28 01:17 . 2008-03-28 01:17 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-28 01:03 . 2004-02-09 13:06 15,360 --a------ C:\WINDOWS\system32\drivers\NetMotCM.sys
2008-03-28 01:02 . 2008-03-30 00:15 <DIR> d-------- C:\USB driver
2008-03-27 23:55 . 2008-03-27 23:55 72 --a------ C:\WINDOWS\WB.ini
2008-03-27 23:38 . 2005-01-22 19:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2008-03-27 22:55 . 2008-03-27 23:58 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-27 22:43 . 2008-03-27 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-27 22:39 . 2008-03-27 22:39 <DIR> d-------- C:\Program Files\Nero
2008-03-27 22:39 . 2008-03-27 22:43 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-27 22:39 . 2008-03-27 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-27 22:23 . 2008-03-27 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-27 22:22 . 2008-03-27 22:22 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 22:18 . 2008-03-27 22:18 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-27 22:16 . 2008-03-27 22:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-27 22:16 . 2008-03-27 22:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-27 21:53 . 2006-09-05 10:58 61,536 -ra------ C:\WINDOWS\system32\drivers\se58bus.sys
2008-03-27 21:53 . 2006-09-05 10:58 5,872 -ra------ C:\WINDOWS\system32\drivers\se58whnt.sys
2008-03-27 21:53 . 2006-09-05 10:58 5,872 -ra------ C:\WINDOWS\system32\drivers\se58wh.sys
2008-03-27 21:13 . 2008-03-27 21:13 <DIR> d-------- C:\WINDOWS\speech
2008-03-27 21:13 . 2008-04-19 23:34 <DIR> d-------- C:\Program Files\mtd2002
2008-03-27 20:53 . 2008-04-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 20:51 . 2008-04-19 21:55 <DIR> d-------- C:\Program Files\Stardock
2008-03-27 20:51 . 2007-07-11 16:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-03-27 20:49 . 2008-04-20 13:13 <DIR> d-------- C:\prog
2008-03-27 20:41 . 2008-03-27 20:41 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-03-27 20:38 . 2008-03-27 20:38 <DIR> d-------- C:\Program Files\Realtek
2008-03-27 20:38 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-27 20:37 . 2008-03-05 19:07 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-03-27 20:37 . 2008-03-27 20:37 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-03-27 20:27 . 2002-11-21 16:07 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-03-27 20:27 . 2003-10-09 19:52 475,788 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 23:03 5,512,704 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-03-27 04:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 02:54 4,687,872 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-07 01:14 16,858,112 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-01 11:56 71,176 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-03-01 11:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-03-01 11:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-03-01 11:53 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-01 11:52 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-10-12 23:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 18:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

------- Sigcheck -------

2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-03 18:07 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-22_ 1.36.34.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-23 15:34:19 1,022,976 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\browseui.dll
+ 2006-10-23 15:34:19 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\cdfview.dll
+ 2006-10-23 15:34:20 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\danim.dll
+ 2006-10-23 15:34:20 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\dxtmsft.dll
+ 2006-10-23 15:34:20 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\dxtrans.dll
+ 2006-10-23 15:34:20 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\extmgr.dll
+ 2006-10-23 11:02:37 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\iedw.exe
+ 2006-10-23 15:34:20 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\iepeers.dll
+ 2006-10-23 15:34:20 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\inseng.dll
+ 2006-10-23 15:34:20 15,872 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\jsproxy.dll
+ 2006-10-23 15:34:22 3,061,248 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\mshtml.dll
+ 2006-10-23 15:34:21 448,512 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\mshtmled.dll
+ 2006-10-23 15:34:21 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\msrating.dll
+ 2006-10-23 15:34:21 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\mstime.dll
+ 2006-10-23 15:34:21 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\pngfilt.dll
+ 2006-10-23 15:34:22 1,497,600 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\shdocvw.dll
+ 2006-10-23 15:34:22 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\shlwapi.dll
+ 2006-10-23 15:34:22 615,936 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\urlmon.dll
+ 2006-10-23 15:34:22 664,576 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\wininet.dll
+ 2006-10-23 11:01:24 248,320 ----a-w C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB925454\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB925454\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB925454\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925454\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB925454\update\updspapi.dll
- 2008-04-22 08:30:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 21:25:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 01:07:00 1,016,832 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2006-10-23 15:17:51 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2004-08-04 01:07:00 150,528 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2006-10-23 15:17:51 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2004-08-04 01:07:00 1,053,696 ----a-w C:\WINDOWS\system32\danim.dll
+ 2006-10-23 15:17:51 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2004-08-04 01:07:00 1,016,832 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2006-10-23 15:17:51 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2004-08-04 01:07:00 150,528 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2006-10-23 15:17:51 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2004-08-04 01:07:00 1,053,696 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2006-10-23 15:17:51 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2004-08-04 01:07:00 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2006-10-23 15:17:52 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2004-08-04 01:07:00 201,728 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2006-10-23 15:17:52 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2004-08-04 01:07:00 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2006-10-23 15:17:52 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2004-08-04 01:07:00 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2006-10-23 11:00:41 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2004-08-04 01:07:00 249,344 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2006-10-23 15:17:52 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2004-08-04 01:07:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2006-10-23 15:17:52 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2004-08-04 01:07:00 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2006-10-23 15:17:52 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 01:07:00 3,003,392 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2006-10-23 15:17:52 3,055,104 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2004-08-04 01:07:00 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2006-10-23 15:17:52 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-04 01:07:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2006-10-23 15:17:52 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2004-08-04 01:07:00 530,432 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-10-23 15:17:52 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-04 01:07:00 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-10-23 15:17:52 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2006-10-23 15:17:53 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2005-09-02 23:52:06 473,600 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2006-10-23 15:17:53 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2004-08-04 01:07:00 601,088 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2006-10-23 15:17:53 613,888 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 01:07:00 656,384 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2006-10-23 15:17:53 658,944 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2004-08-04 01:07:00 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2006-10-23 15:17:52 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2004-08-04 01:07:00 201,728 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-10-23 15:17:52 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2004-08-04 01:07:00 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2006-10-23 15:17:52 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2004-08-04 01:07:00 249,344 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-10-23 15:17:52 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2004-08-04 01:07:00 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2006-10-23 15:17:52 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2004-08-04 01:07:00 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2006-10-23 15:17:52 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 01:07:00 3,003,392 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-10-23 15:17:52 3,055,104 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2004-08-04 01:07:00 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2006-10-23 15:17:52 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 01:07:00 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2006-10-23 15:17:52 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2004-08-04 01:07:00 530,432 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-10-23 15:17:52 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2004-08-04 01:07:00 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2006-10-23 15:17:52 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-10-23 15:17:53 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2005-09-02 23:52:06 473,600 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2006-10-23 15:17:53 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2004-08-04 01:07:00 601,088 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-10-23 15:17:53 613,888 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 01:07:00 656,384 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-10-23 15:17:53 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 14:05 544768]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49 4670968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 17:14 86016 C:\WINDOWS\SoundMan.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 16:55 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 16:55 1057328]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 11:30 97357]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"LogonStudio"="C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"PC Auto Shutdown"="C:\prog\PC Auto Shutdown\AutoShutdown.exe" [2006-11-24 10:11 359679]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-01 04:54 1443072]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-04-19 21:55:37 3581680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdeeCV]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 11:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\games\\kag\\_AG.exe"=
"C:\\prog\\lime\\LimeWire\\LimeWire.exe"=
"C:\\prog\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 11:00]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2006-07-15 20:47]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2006-07-25 18:36]
R2 PCAutoShutdown_Service;PCAutoShutdown_Service;C:\prog\PC Auto Shutdown\ShutdownService.exe [2006-11-06 16:31]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-03 18:07]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 10:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96d4a4c2-029b-11dd-a634-000f9fc9d761}]
\Shell\AutoRun\command - E:\RavMon.exe
\Shell\explore\Command - E:\RavMon.exe -e
\Shell\open\Command - E:\RavMon.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 14:26:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-22 14:32:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 21:32:45
ComboFix2.txt 2008-04-22 08:37:11

Pre-Run: 93,059,457,024 bytes free
Post-Run: 93,061,652,480 bytes free

496 --- E O F --- 2008-04-22 17:52:41




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:06 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\prog\PC Auto Shutdown\AutoShutdown.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.094\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: fccdeeCV - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6386 bytes

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 22 April 2008 - 02:34 AM

Did you run the Flash Disinfector?

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.You must
also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingc...opic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
E:\RavMon.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdeeCV]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96d4a4c2-029b-11dd-a634-000f9fc9d761}]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe


BLACKLIGHT
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic together with a new HijackThis log.

In your next reply post:
ComboFix.txt
Blacklight log
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#7 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 22 April 2008 - 09:17 AM

yes i did!
this is the report:

ComboFix 08-04-20.5 - Administrator 2008-04-23 0:29:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.278 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\RavMon.exe
.
/wow section - STAGE 41
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-22 03:58 . 2008-04-22 03:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-22 00:22 . 2008-04-22 00:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-20 13:34 . 2008-04-20 13:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-19 13:36 . 2008-04-19 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-19 13:35 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\NCH Software
2008-04-19 13:22 . 2008-04-19 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-04-19 13:22 . 2008-04-19 13:22 26,112 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2008-04-19 13:13 . 2008-04-19 13:13 <DIR> d-------- C:\My Intranet
2008-04-18 01:50 . 2008-04-18 01:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-18 01:50 . 2008-04-21 03:13 1,481 --a------ C:\WINDOWS\mozver.dat
2008-04-08 14:58 . 2008-04-08 14:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ESET
2008-04-08 13:29 . 2008-04-22 13:58 <DIR> d-------- C:\Temp
2008-04-07 18:26 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-07 18:26 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-07 17:17 . 2008-04-07 21:46 <DIR> d-------- C:\Program Files\real
2008-04-07 08:39 . 2008-04-07 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-05 21:41 . 2008-04-05 21:41 <DIR> d--hs---- C:\WINDOWS\system32\pas
2008-04-05 19:56 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-05 19:53 . 2008-04-05 19:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-05 19:44 . 2008-04-05 19:53 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 02:41 . 2008-04-08 15:09 <DIR> d-------- C:\Program Files\ESET
2008-04-05 02:41 . 2008-04-08 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-04 16:16 . 2008-04-04 16:16 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-04 16:15 . 2008-04-04 16:15 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-04-04 16:11 . 2007-11-29 20:00 843,690 --a------ C:\WINDOWS\another dream.scr
2008-04-04 16:11 . 2001-01-12 23:37 294,912 --a------ C:\WINDOWS\Helios.scr
2008-04-04 15:55 . 2008-04-04 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-03 02:42 . 2008-04-23 00:49 24 --a------ C:\WINDOWS\LogonStudio.ini
2008-04-03 02:39 . 2000-05-17 10:52 187,392 --a------ C:\WINDOWS\system32\JPGUtils.dll
2008-04-02 23:39 . 2008-04-02 23:39 <DIR> d-------- C:\Documents and Settings\Guest
2008-04-02 23:39 . 2008-04-23 00:47 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-04-02 22:06 . 2008-04-22 01:22 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-02 05:21 . 2008-04-02 05:21 <DIR> d-------- C:\WINDOWS\Sun
2008-04-02 03:51 . 2008-04-02 21:58 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-02 03:23 . 2008-04-02 03:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-02 03:22 . 2008-04-20 08:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-01 16:03 . 2008-04-01 16:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 16:03 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-01 13:54 . 2008-04-22 08:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-01 13:44 . 2008-04-01 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2008-04-01 13:43 . 2008-04-15 20:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-31 02:11 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-31 02:08 . 2008-03-31 02:11 <DIR> d-------- C:\Program Files\Java
2008-03-31 01:39 . 2008-03-31 01:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-31 01:39 . 2008-04-17 20:34 <DIR> d-------- C:\games
2008-03-30 12:49 . 2008-03-30 12:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-03-30 01:54 . 2008-03-30 01:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-03-30 01:54 . 2008-03-30 01:54 81,920 --a------ C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 01:54 . 2008-03-30 01:54 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2008-03-30 01:53 . 2004-05-26 22:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-30 01:53 . 2006-09-16 20:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-30 00:11 . 2004-08-04 01:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-30 00:11 . 2004-08-03 23:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-30 00:10 . 2004-08-04 00:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-29 20:35 . 2008-03-29 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\National Instruments
2008-03-29 19:50 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\HI-TECH Software
2008-03-29 19:11 . 2008-03-29 19:50 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-29 19:06 . 2008-03-29 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\National Instruments
2008-03-29 19:03 . 2008-03-29 19:03 <DIR> d-------- C:\WINDOWS\system32\cvirte
2008-03-29 19:00 . 2008-03-29 19:44 <DIR> d-------- C:\Program Files\National Instruments
2008-03-29 14:09 . 2008-04-22 02:43 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-29 02:10 . 2008-03-29 02:10 120 --a------ C:\WINDOWS\d4s.hst
2008-03-29 01:56 . 2008-03-29 01:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-28 16:23 . 2008-03-28 16:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Ringz Studio
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-28 16:21 . 2008-03-28 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 09:56 . 2008-03-29 23:49 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-03-28 09:55 . 2008-04-05 19:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-28 06:05 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 06:05 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 06:05 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 02:10 . 2008-04-05 19:56 <DIR> d-------- C:\Program Files\Windows Live
2008-03-28 02:10 . 2008-04-10 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-28 02:09 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-28 02:09 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-28 02:09 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-28 02:09 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-28 01:59 . 2008-03-28 01:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-28 01:58 . 2008-04-06 09:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 01:49 . 2003-06-18 18:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-28 01:49 . 2008-03-28 01:49 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-28 01:48 . 2008-03-28 01:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-28 01:47 . 2008-03-28 01:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-28 01:46 . 2008-04-04 16:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-28 01:40 . 2008-03-28 01:40 <DIR> dr-h----- C:\MSOCache
2008-03-28 01:27 . 2008-03-28 01:27 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-28 01:26 . 2008-03-28 01:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-28 01:17 . 2008-03-28 01:17 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-28 01:03 . 2004-02-09 13:06 15,360 --a------ C:\WINDOWS\system32\drivers\NetMotCM.sys
2008-03-28 01:02 . 2008-03-30 00:15 <DIR> d-------- C:\USB driver
2008-03-27 23:55 . 2008-03-27 23:55 72 --a------ C:\WINDOWS\WB.ini
2008-03-27 23:38 . 2005-01-22 19:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2008-03-27 22:55 . 2008-03-27 23:58 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-03-27 22:43 . 2008-03-27 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-27 22:39 . 2008-03-27 22:39 <DIR> d-------- C:\Program Files\Nero
2008-03-27 22:39 . 2008-03-27 22:43 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-27 22:39 . 2008-03-27 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-27 22:23 . 2008-03-27 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-27 22:22 . 2008-03-27 22:22 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 22:18 . 2008-03-27 22:18 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-27 22:16 . 2008-03-27 22:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-27 22:16 . 2008-03-27 22:17 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-27 21:53 . 2006-09-05 10:58 61,536 -ra------ C:\WINDOWS\system32\drivers\se58bus.sys
2008-03-27 21:53 . 2006-09-05 10:58 5,872 -ra------ C:\WINDOWS\system32\drivers\se58whnt.sys
2008-03-27 21:53 . 2006-09-05 10:58 5,872 -ra------ C:\WINDOWS\system32\drivers\se58wh.sys
2008-03-27 21:13 . 2008-03-27 21:13 <DIR> d-------- C:\WINDOWS\speech
2008-03-27 21:13 . 2008-04-22 23:23 <DIR> d-------- C:\Program Files\mtd2002
2008-03-27 20:53 . 2008-04-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 20:51 . 2008-04-19 21:55 <DIR> d-------- C:\Program Files\Stardock
2008-03-27 20:51 . 2007-07-11 16:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-03-27 20:49 . 2008-04-22 15:01 <DIR> d-------- C:\prog
2008-03-27 20:41 . 2008-03-27 20:41 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-03-27 20:38 . 2008-03-27 20:38 <DIR> d-------- C:\Program Files\Realtek
2008-03-27 20:38 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-27 20:37 . 2008-03-05 19:07 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-03-27 20:37 . 2008-03-27 20:37 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-03-27 20:27 . 2002-11-21 16:07 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-03-27 20:27 . 2003-10-09 19:52 475,788 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-03-27 20:27 . 2003-10-04 13:25 401,152 --a------ C:\WINDOWS\system32\drivers\ALCXSENS.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 23:03 5,512,704 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-03-27 04:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 02:54 4,687,872 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-07 01:14 16,858,112 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-01 11:56 71,176 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-03-01 11:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-03-01 11:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-03-01 11:53 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-01 11:52 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-10-12 23:04 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 18:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

------- Sigcheck -------

2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-03 18:07 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-03 18:07 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-03 18:07 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 18:07 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 18:07 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-03 18:07 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-03 18:07 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-22_14.32.15.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 21:25:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 07:47:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2002-01-05 23:37:00 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2004-11-04 20:31:22 835,584 ----a-w C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
+ 2005-03-29 14:57:22 2,084,864 ----a-w C:\WINDOWS\system32\NCTAudioDesign2.dll
+ 2005-03-28 22:56:36 417,792 ----a-w C:\WINDOWS\system32\NCTAudioDisplay2.dll
+ 2005-04-15 19:08:02 880,640 ----a-w C:\WINDOWS\system32\NCTAudioEditor2.dll
+ 2005-05-17 19:37:44 1,986,560 ----a-w C:\WINDOWS\system32\NCTAudioFile2.dll
+ 2005-05-18 18:52:40 1,212,416 ----a-w C:\WINDOWS\system32\NCTAudioInformation2.dll
+ 2005-04-25 20:01:12 458,752 ----a-w C:\WINDOWS\system32\NCTAudioPlayer2.dll
+ 2005-04-25 20:01:38 458,752 ----a-w C:\WINDOWS\system32\NCTAudioRecord2.dll
+ 2005-04-05 00:21:32 602,112 ----a-w C:\WINDOWS\system32\NCTAudioTransform2.dll
+ 2005-03-28 22:54:42 479,232 ----a-w C:\WINDOWS\system32\NCTAudioVisualization2.dll
+ 2005-03-28 22:54:02 475,136 ----a-w C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll
+ 2005-03-28 22:52:12 417,792 ----a-w C:\WINDOWS\system32\NCTTextToAudio2.dll
+ 2005-02-24 18:51:38 348,160 ----a-w C:\WINDOWS\system32\NCTWMAFile2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mtd2002Svr"="C:\Program Files\mtd2002\mtdserver.exe" [2002-10-05 14:05 544768]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49 4670968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 17:14 86016 C:\WINDOWS\SoundMan.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 16:55 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 16:55 1057328]
"StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 11:30 97357]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"LogonStudio"="C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" [2002-09-03 19:38 987187]
"PC Auto Shutdown"="C:\prog\PC Auto Shutdown\AutoShutdown.exe" [2006-11-24 10:11 359679]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-01 04:54 1443072]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-04-19 21:55:37 3581680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-09-23 11:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\mtd2002\\mtdserver.exe"=
"C:\\games\\kag\\_AG.exe"=
"C:\\prog\\lime\\LimeWire\\LimeWire.exe"=
"C:\\prog\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 11:00]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2006-07-15 20:47]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2006-07-25 18:36]
R2 PCAutoShutdown_Service;PCAutoShutdown_Service;C:\prog\PC Auto Shutdown\ShutdownService.exe [2006-11-06 16:31]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-03 18:07]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 00:49:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-23 0:55:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 07:55:29
ComboFix2.txt 2008-04-22 21:32:53
ComboFix3.txt 2008-04-22 08:37:11

Pre-Run: 93,043,261,440 bytes free
Post-Run: 93,036,666,880 bytes free

277 --- E O F --- 2008-04-22 17:52:41



04/23/08 01:00:20 [Info]: BlackLight Engine 1.0.70 initialized
04/23/08 01:00:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/23/08 01:00:20 [Note]: 7019 4
04/23/08 01:00:20 [Note]: 7005 0
04/23/08 01:00:25 [Note]: 7006 0
04/23/08 01:00:25 [Note]: 7011 3420
04/23/08 01:00:25 [Note]: 7035 0
04/23/08 01:00:25 [Note]: 7026 0
04/23/08 01:00:26 [Note]: 7026 0
04/23/08 01:00:29 [Note]: FSRAW library version 1.7.1024
04/23/08 01:00:29 [Note]: 2000 1012
04/23/08 01:04:57 [Note]: 2000 1012
04/23/08 01:04:57 [Note]: 2000 1012
04/23/08 01:04:57 [Note]: 2000 1012
04/23/08 01:05:09 [Note]: 7007 0




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:31 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\prog\PC Auto Shutdown\AutoShutdown.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.156\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe

--
End of file - 6176 bytes

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 22 April 2008 - 09:58 AM

Okay dokey, it's vanished now. let's move onwards. :yeah:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here with a new HijackThis log.

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#9 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 23 April 2008 - 12:51 AM

that cool!
the malwarebytes' anti-malware has fuond trojan, adware ad malware
should i clean it up?
this is the report:

Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Quick Scan
Objects scanned: 33406
Time elapsed: 21 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:58 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\prog\PC Auto Shutdown\AutoShutdown.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe

--
End of file - 6366 bytes

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 23 April 2008 - 02:38 AM

Hi

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    Here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.


Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
REGEDIT4 

[-HKEY_CURRENT_USER\Software\MediaHoldings]

[-HKEY_CURRENT_USER\Software\Microsoft\affri]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e}]

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.

Reboot the computer, then post back with a new HijackThis log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#11 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 23 April 2008 - 08:41 AM

hi!
this is the new report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:00 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\prog\PC Auto Shutdown\ShutdownService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\prog\PC Auto Shutdown\AutoShutdown.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.609\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SecurDisc] "C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PC Auto Shutdown] C:\prog\PC Auto Shutdown\AutoShutdown.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PCAutoShutdown_Service - Unknown owner - C:\prog\PC Auto Shutdown\ShutdownService.exe

--
End of file - 6276 bytes

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 23 April 2008 - 12:55 PM

Hi

Congratulations, you appear to be malware free.


Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (5th one down the list), which is JRE6u6, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.


Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid for version offers real-time protection

Here is another free program I recommend.

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Edited by Scotty, 23 April 2008 - 12:56 PM.

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#13 duc

duc

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 23 April 2008 - 09:01 PM

that great! :woot: thank you so much for helping! :thumbup:

#14 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 24 April 2008 - 02:02 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users