
To use DSS I have to go to safe mode

Discussion in 'Malware and Virus Removal Archive' started by baka101, 2008/07/19.

  1. 2008/07/19
    baka101 (thread starter)
    Hi everybody

    I am cleaning one of my friends' computers, which is riddled with spyware etc. I have removed a lot with the use of Malwarebytes Anti-Malware, Avast, Spyware Doctor, Spybot Search & Destroy, SUPERAntiSpyware and Ad-Aware.

    I have the DSS log which you require; all the scanning from DSS was done in Safe Mode, as normal Windows XP accounts seem to pause up and I can't access anything.

    Deckard's System Scanner v20071014.68
    Run by lobbadmin on 2008-07-19 21:38:52
    Computer is in Safe Mode with Networking.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Failed to create restore point; computer is in safe mode.


    -- Last 2 Restore Point(s) --
    2: 2008-07-19 01:51:10 UTC - RP2 - Software Distribution Service 3.0
    1: 2008-07-18 09:05:24 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 448 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-07-19 21:39:57
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\pcoadmin\Desktop\New Folder\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Google Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Google
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Parliamentary Counsel Office
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Google Search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = %s - Google Search
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Parliamentary Counsel Office
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.2.1.10:8080;https=10.2.1.10:8080
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Parliamentary Counsel Office
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Google Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = Google Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Google Search
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IE.Filter - {8B2AE9C0-1555-4C92-905A-531532F15698} - C:\WINDOWS\system32\ie_f.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZH
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} () - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
    O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://intranet/ocx/nwdir.ocx
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} () - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v44/sol/sol.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38169.8386458333
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


    --
    End of file - 7517 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 a2free (a-squared Free Service) - c:\program files\a-squared free\a2service.exe <Not Verified; Emsi Software GmbH; a-squared>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-06-19 and 2008-07-19 -----------------------------

    2008-07-19 16:56:56 0 d------c- C:\Program Files\Trend Micro
    2008-07-19 14:57:23 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 14:45:18 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Mozilla
    2008-07-19 13:58:31 118784 --a----c- C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-07-19 13:58:29 0 d------c- C:\Program Files\SpywareBlaster
    2008-07-19 13:51:42 0 d------c- C:\WINDOWS\system32\PreInstall
    2008-07-19 13:51:35 0 d--h---c- C:\WINDOWS\$hf_mig$
    2008-07-19 13:30:09 0 d------c- C:\WINDOWS\system32\SoftwareDistribution
    2008-07-19 08:25:49 0 d------c- C:\WINDOWS\Provisioning
    2008-07-19 02:38:57 8192 --a------ C:\ntuser.dat
    2008-07-19 02:11:10 0 d------c- C:\Documents and Settings\mjlobb\Application Data\Malwarebytes
    2008-07-19 00:10:22 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\URSoft
    2008-07-19 00:09:46 0 d------c- C:\Program Files\Your Uninstaller 2008
    2008-07-18 23:32:05 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Adobe
    2008-07-18 23:14:31 0 d------c- C:\Program Files\Alwil Software
    2008-07-18 22:49:02 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Malwarebytes
    2008-07-18 22:48:10 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-18 22:48:08 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-18 22:25:07 0 d------c- C:\Program Files\Spyware Doctor
    2008-07-18 22:25:07 0 d------c- C:\Documents and Settings\mjlobb\Application Data\PC Tools
    2008-07-18 22:00:26 0 d------c- C:\Program Files\a-squared Free
    2008-07-18 21:54:58 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-18 21:03:05 0 d------c- C:\WINDOWS\SoftwareDistribution
    2008-07-18 21:02:28 0 d------c- C:\WINDOWS\Prefetch
    2008-07-18 20:36:02 0 dr-h---c- C:\Documents and Settings\Default User\Local Settings
    2008-07-14 11:42:12 20992 --a------ C:\WINDOWS\system32\ie_f.dll
    2008-07-14 11:42:11 58887 --a----c- C:\Documents and Settings\mjlobb\scchost.exe
    2008-07-12 21:00:31 0 d------c- C:\Documents and Settings\dmlobb\Application Data\Sun
    2008-07-12 20:59:07 0 d---s--c- C:\Documents and Settings\dmlobb\UserData
    2008-06-25 14:09:12 0 d------c- C:\Program Files\uTorrent
    2008-06-25 14:09:08 0 d------c- C:\Documents and Settings\nalobb\Application Data\uTorrent


    -- Find3M Report ---------------------------------------------------------------

    2008-07-19 01:36:55 0 d------c- C:\Program Files\Common Files\Sandlot Shared
    2008-07-19 00:50:55 0 d------c- C:\Program Files\Google
    2008-07-19 00:50:19 0 d------c- C:\Program Files\Activision
    2008-07-19 00:41:36 0 d------c- C:\Program Files\Ares Lite Edition
    2008-07-18 21:54:58 0 d------c- C:\Program Files\Common Files
    2008-07-18 20:49:41 0 d--h---c- C:\Program Files\WindowsUpdate
    2008-07-18 20:49:06 0 d------c- C:\Program Files\Movie Maker
    2008-07-18 20:47:04 22832 --a----c- C:\WINDOWS\system32\emptyregdb.dat
    2008-07-18 20:46:20 0 d------c- C:\Program Files\Messenger
    2008-07-18 20:46:17 0 d------c- C:\Program Files\Windows NT
    2008-06-30 14:43:03 0 d------c- C:\Program Files\GameHouse
    2008-06-19 15:31:35 0 d------c- C:\Program Files\PokerStars


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B2AE9C0-1555-4C92-905A-531532F15698}]
    14/07/2008 11:42 a.m. 20992 --a------ C:\WINDOWS\System32\ie_f.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINDVDPatch"="CTHELPER.EXE" [02/07/2002 05:56 p.m. C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 a.m.]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [29/11/2001 01:00 a.m.]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [24/03/2004 10:04 a.m.]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 01:07 p.m.]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [03/06/2004 10:05 p.m.]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/12/2007 02:00 a.m.]
    "RegistryMechanic"="" []
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/06/2008 09:22 p.m.]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/10/2004 12:10:02 p.m.]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"=1 (0x1)
    "Intellimenus"=1 (0x1)
    "MemCheckBoxInRunDlg"=1 (0x1)
    "NoTaskGrouping"=1 (0x1)
    "NoAutoUpdate"=1 (0x1)
    "NoSharedDocuments"=1 (0x1)
    "NoAutoTrayNotify"=1 (0x1)
    "NoDesktopCleanupWizard"=1 (0x1)
    "ForceClassicControlPanel"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\WINDOWS\System32\NalExpEx.dll [18/10/2002 11:17 a.m. 131072]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- End of Deckard's System Scanner: finished at 2008-07-19 21:40:48 ------------

    Any help would be much appreciated

    Thanks
     
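Added example (not code from the thread, from DSS or from HijackThis): a small Python triage script that cross-references HijackThis load points (O2 BHOs, O4 Run entries, O23 services) with the DSS "Files created" list, the way a helper reads a log like the one above: which load points point at files that appeared inside the recent-file window, sit under a user profile, are a one-letter variation on a Windows system binary, or are given as a bare filename that Windows resolves through the search path. The sample lines are copied from the log above; the flagging rules, the list of imitated system binaries and the helper names are this example's own assumptions.

```python
# Added example (not code from the thread, DSS or HijackThis): cross-check
# HijackThis O2/O4/O23 load points against the DSS "Files created" list.
# Sample lines are copied from the log above; helper names are this example's own.
import re

HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE.Filter - {8B2AE9C0-1555-4C92-905A-531532F15698} - C:\WINDOWS\system32\ie_f.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
"""
RECENT_SAMPLE = r"""
2008-07-18 23:14:31 0 d------c- C:\Program Files\Alwil Software
2008-07-14 11:42:12 20992 --a------ C:\WINDOWS\system32\ie_f.dll
2008-07-14 11:42:11 58887 --a----c- C:\Documents and Settings\mjlobb\scchost.exe
"""

# Names malware likes to imitate with a one-character change (svch0st, scchost); assumed list.
SYSTEM_BINARIES = ["svchost", "winlogon", "lsass", "csrss", "services", "explorer", "smss"]

HJT_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.+)$"),
}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx)', re.I)
RECENT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S{9})\s+(?P<path>.+)$")

def parse_hjt(text):
    """Yield (section, fields) for every O2/O4/O23 line; other sections are ignored."""
    for line in (l.strip() for l in text.splitlines()):
        for section, rx in HJT_RE.items():
            m = rx.match(line)
            if m:
                yield section, dict(m.groupdict(), line=line)
                break

def parse_recent(text):
    """Map lowercased path -> (timestamp, size) for files (not directories) in a DSS 'Files created' block."""
    out = {}
    for line in text.splitlines():
        m = RECENT_RE.match(line.strip())
        if m and not m.group("attr").startswith("d"):
            out[m.group("path").lower()] = (m.group("ts"), int(m.group("size")))
    return out

def binary_path(cmd):
    """Return (path, qualified); qualified is False for a bare name like CTHELPER.EXE
    that Windows resolves through the search path instead of a fixed location."""
    m = PATH_RE.search(cmd)
    return (m.group(0), True) if m else (cmd.split()[0].strip('"'), False)

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a system binary name is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(path):
    """Return the system binary a filename imitates (scchost.exe -> 'svchost'), else None."""
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    return next((n for n in SYSTEM_BINARIES if stem != n and edit_distance(stem, n) == 1), None)

def assess(path, qualified, recent):
    """Reasons a path deserves a closer look; an empty list means nothing stood out."""
    low, reasons = path.lower(), []
    if low in recent:
        reasons.append("created %s, inside the recent-file window" % recent[low][0])
    if low.startswith("c:\\documents and settings\\"):
        reasons.append("lives under a user profile")
    name = lookalike(path)
    if name:
        reasons.append("name imitates %s" % name)
    if not qualified:
        reasons.append("bare filename, resolved through the search path")
    return reasons

def triage(hjt_text, recent_text):
    """Return [(source line, path, reasons)] for everything that raised at least one reason."""
    recent, findings = parse_recent(recent_text), []
    for _section, f in parse_hjt(hjt_text):
        path, qualified = binary_path(f["cmd"])
        reasons = assess(path, qualified, recent)
        if reasons:
            findings.append((f["line"], path, reasons))
    # Recent files that are not load points still deserve a look (a lookalike dropped
    # into a profile directory, for instance); 'recent' is a given here, so skip it.
    seen = {p.lower() for _, p, _ in findings}
    for low in recent:
        reasons = [] if low in seen else assess(low, True, {})
        if reasons:
            findings.append(("recent file", low, reasons))
    return findings

if __name__ == "__main__":
    for line, path, reasons in triage(HJT_SAMPLE, RECENT_SAMPLE):
        print(path, "<-", line, "|", "; ".join(reasons))
```

Run as a script it prints three entries from the sample: ie_f.dll (created inside the window), CTHELPER.EXE (bare name in a Run key) and scchost.exe (profile location plus a one-letter variation on svchost). The script does not expand 8.3 short paths such as C:\PROGRA~1, so a recent file referenced that way would be missed; expand them first on a live system.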
  2. 2008/07/19
    noahdfear
    Hi baka101,

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double-click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log and a new DSS log in your next reply. (You might need to put them in separate posts.)
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/07/20
    baka101 (thread starter)
    ComboFix 08-07-18.1 - lobbadmin 2008-07-20 21:36:16.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.264 [GMT 12:00]
    Running from: C:\Documents and Settings\pcoadmin\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
    .

    2008-07-19 20:39 . 2008-07-19 20:39 <DIR> d----c--- C:\Deckard
    2008-07-19 16:56 . 2008-07-19 16:56 <DIR> d----c--- C:\Program Files\Trend Micro
    2008-07-19 14:57 . 2008-07-19 14:58 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
    2008-07-19 14:57 . 2008-07-19 19:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 13:58 . 2008-07-19 14:01 <DIR> d----c--- C:\Program Files\SpywareBlaster
    2008-07-19 13:58 . 2005-08-25 19:18 118,784 --a--c--- C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-07-19 13:51 . 2008-07-19 14:06 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
    2008-07-19 13:51 . 2005-02-25 15:35 22,752 --a--c--- C:\WINDOWS\system32\spupdsvc.exe
    2008-07-19 08:25 . 2008-07-19 08:25 <DIR> d----c--- C:\WINDOWS\Provisioning
    2008-07-19 02:38 . 2008-07-19 02:38 262,144 --a--c--- C:\ntuser.dat.rmbak
    2008-07-19 02:38 . 2008-07-19 11:55 8,192 --a------ C:\ntuser.dat
    2008-07-19 02:11 . 2008-07-19 02:11 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\Malwarebytes
    2008-07-19 00:10 . 2008-07-19 00:10 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\URSoft
    2008-07-19 00:09 . 2008-07-19 00:40 <DIR> d----c--- C:\Program Files\Your Uninstaller 2008
    2008-07-18 23:15 . 2003-03-19 08:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-07-18 23:15 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
    2008-07-18 23:14 . 2008-07-18 23:14 <DIR> d----c--- C:\Program Files\Alwil Software
    2008-07-18 22:49 . 2008-07-18 22:49 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-05-30 01:06 34,296 --a--c--- C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-18 22:48 . 2008-05-30 01:06 15,864 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-18 22:25 . 2008-07-19 14:08 <DIR> d----c--- C:\Program Files\Spyware Doctor
    2008-07-18 22:25 . 2008-07-18 22:25 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\PC Tools
    2008-07-18 22:25 . 2008-06-10 21:22 81,288 --a--c--- C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 66,952 --a--c--- C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-07-18 22:25 . 2008-06-02 15:19 42,376 --a--c--- C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 29,576 --a--c--- C:\WINDOWS\system32\drivers\kcom.sys
    2008-07-18 22:00 . 2008-07-19 14:31 <DIR> d----c--- C:\Program Files\a-squared Free
    2008-07-18 21:54 . 2008-07-18 23:30 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-18 21:01 . 2008-07-20 00:03 469,319,680 --a------ C:\WINDOWS\MEMORY.DMP
    2008-07-18 20:57 . 2004-08-04 13:07 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-07-18 20:56 . 2004-08-04 13:07 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-07-18 20:55 . 2004-08-04 13:07 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-07-18 20:54 . 2004-08-04 13:07 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-07-18 20:53 . 2004-08-04 13:07 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-07-18 20:52 . 2008-07-18 20:52 316,640 --a--c--- C:\WINDOWS\WMSysPr9.prx
    2008-07-18 20:52 . 2004-08-04 13:07 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
    2008-07-18 20:50 . 2008-07-18 20:50 488 -rah-c--- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\drivers\fltMgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 81,920 --a--c--- C:\WINDOWS\system32\dllcache\msado27.tlb
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\fltMc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 18,432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\fltlib.dll
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\drivers\cwcspud.sys
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\dllcache\cwcspud.sys
    2008-07-18 20:35 . 2004-08-04 13:07 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-07-14 11:42 . 2008-07-14 11:42 58,887 --a--c--- C:\Documents and Settings\mjlobb\scchost.exe
    2008-07-12 20:59 . 2008-07-12 20:59 <DIR> d---sc--- C:\Documents and Settings\dmlobb\UserData
    2008-07-12 16:28 . 2008-07-12 16:28 0 --a--c--- C:\WINDOWS\system32\tmp3.tmp
    2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d----c--- C:\Program Files\uTorrent
    2008-06-25 14:09 . 2008-06-25 14:25 <DIR> d----c--- C:\Documents and Settings\nalobb\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-20 09:26 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-18 13:36 --------- dc----w C:\Program Files\Common Files\Sandlot Shared
    2008-07-18 12:50 --------- dc----w C:\Program Files\Google
    2008-07-18 12:50 --------- dc----w C:\Program Files\Activision
    2008-07-18 12:41 --------- dc----w C:\Program Files\Ares Lite Edition
    2008-06-30 02:43 --------- dc----w C:\Program Files\GameHouse
    2008-06-19 03:31 --------- dc----w C:\Program Files\PokerStars
    2008-06-03 03:18 --------- dc----w C:\Documents and Settings\mjlobb\Application Data\GameHouse
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-24 10:04 46080]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05 32881]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "RegistryMechanic"="" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 13:07 15360]

    C:\Documents and Settings\Admin.000\Start Menu\Programs\Startup\
    OpenOffice.org 1.1.2.lnk - C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe [2004-05-05 01:10:00 61440]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-10-01 12:10:02 106560]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "NoTaskGrouping"= 1 (0x1)
    "NoAutoUpdate"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"="C:\WINDOWS\System32\NalExpEx.dll" [2002-10-18 11:17 131072]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-30 01:06]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 21:38:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-07-20 21:39:52
    ComboFix-quarantined-files.txt 2008-07-20 09:39:50
    ComboFix2.txt 2008-07-20 09:21:55

    Pre-Run: 9,919,623,168 bytes free
    Post-Run: 9,903,759,360 bytes free

    129 --- E O F --- 2008-07-19 01:52:03
     
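Added example (not code from the thread, from HijackThis or from ComboFix): a before/after diff of two HijackThis logs, keyed on the load point (registry value name, CLSID or Run-key entry) rather than on the raw line, so that an entry whose target changed is reported as a change and not as an unrelated removal plus addition. That is the quickest way to see what a ComboFix run like the one above actually touched. The BEFORE and AFTER samples are a few lines copied from the first DSS log in this thread and from the DSS log posted after ComboFix ran; the helper names are this example's own.

```python
# Added example (not code from the thread, HijackThis or ComboFix): diff two
# HijackThis logs by load point. Sample lines are copied from the two DSS logs
# in this thread (before and after ComboFix); helper names are this example's own.
import re

BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Parliamentary Counsel Office
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE.Filter - {8B2AE9C0-1555-4C92-905A-531532F15698} - C:\WINDOWS\system32\ie_f.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
"""
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
"""

ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")
O4_RE = re.compile(r"^(O4 - .+?\\Run: \[[^\]]+\])\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def split_entry(line):
    """Split one HijackThis line into (key, value).

    The key identifies the load point (R* registry value, Run-key name, or the
    text up to and including the CLSID); the value is its target. A retargeted
    entry therefore shows up as a change, not as a removal plus an addition.
    """
    line = " ".join(line.split())  # collapse whitespace mangled by copy/paste
    m = O4_RE.match(line)
    if m:
        return m.group(1), m.group(2)
    if line.startswith("R") and " = " in line:
        key, value = line.split(" = ", 1)
        return key, value
    m = CLSID_RE.search(line)
    if m:
        return line[: m.end()], line[m.end():].strip(" -")
    return line, ""  # no natural key: the whole line is the entry (O6, O8, ...)

def parse_log(text):
    """Map key -> value for every R*/O* line; headers and the process list are skipped."""
    entries = {}
    for raw in (l.strip() for l in text.splitlines()):
        if ENTRY_RE.match(raw):
            key, value = split_entry(raw)
            entries[key] = value
    return entries

def diff_logs(before_text, after_text):
    """Return {'removed': [keys], 'added': [keys], 'changed': [(key, old, new)]}, each sorted."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted((k, before[k], after[k]) for k in before if k in after and before[k] != after[k]),
    }

if __name__ == "__main__":
    report = diff_logs(BEFORE, AFTER)
    for label in ("removed", "added"):
        for key in report[label]:
            print("%-8s %s" % (label, key))
    for key, old, new in report["changed"]:
        print("changed  %s\n         %s  ->  %s" % (key, old, new))
```

On the sample the ie_f.dll BHO, the LOCAL SERVICE CTFMON entry and the lid protocol handler come out as removed, the IE Control Panel policy as added, and Default_Page_URL and the Java button as changed (the button went from "(no file)" to the Java plug-in DLL). Diffing whole logs this way also makes anything a tool put back, or a user re-installed between runs, visible in the "added" list.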
  5. 2008/07/20
    baka101 (thread starter)
    Deckard's System Scanner v20071014.68
    Run by lobbadmin on 2008-07-20 21:49:53
    Computer is in Safe Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Failed to create restore point; computer is in safe mode.


    -- Last 2 Restore Point(s) --
    2: 2008-07-19 01:51:10 UTC - RP2 - Software Distribution Service 3.0
    1: 2008-07-18 09:05:24 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 448 MiB (512 MiB recommended).


    -- HijackThis (run as lobbadmin.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:51:46 p.m., on 20/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\pcoadmin\Desktop\New Folder\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\lobbadmin.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Parliamentary Counsel Office
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Parliamentary Counsel Office
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.2.1.10:8080;https=10.2.1.10:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.2.1.*;pco*;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZH
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pco.parliament.govt.nz
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
    O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://intranet/ocx/nwdir.ocx
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v44/sol/sol.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
    O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6721 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R4 catchme - c:\combofix\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 a2free (a-squared Free Service) - c:\program files\a-squared free\a2service.exe <Not Verified; Emsi Software GmbH; a-squared>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-06-20 and 2008-07-20 -----------------------------

    2008-07-20 21:14:32 68096 --a----c- C:\WINDOWS\zip.exe
    2008-07-20 21:14:32 49152 --a----c- C:\WINDOWS\VFind.exe
    2008-07-20 21:14:32 212480 --a----c- C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-20 21:14:32 136704 --a----c- C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-20 21:14:32 161792 --a----c- C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-20 21:14:32 98816 --a----c- C:\WINDOWS\sed.exe
    2008-07-20 21:14:32 80412 --a----c- C:\WINDOWS\grep.exe
    2008-07-20 21:14:32 89504 --a----c- C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-19 16:56:56 0 d------c- C:\Program Files\Trend Micro
    2008-07-19 14:57:23 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 14:45:18 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Mozilla
    2008-07-19 13:58:31 118784 --a----c- C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
    2008-07-19 13:58:29 0 d------c- C:\Program Files\SpywareBlaster
    2008-07-19 13:51:42 0 d------c- C:\WINDOWS\system32\PreInstall
    2008-07-19 13:51:35 0 d--h---c- C:\WINDOWS\$hf_mig$
    2008-07-19 13:30:09 0 d------c- C:\WINDOWS\system32\SoftwareDistribution
    2008-07-19 08:25:49 0 d------c- C:\WINDOWS\Provisioning
    2008-07-19 02:38:57 8192 --a------ C:\ntuser.dat
    2008-07-19 02:11:10 0 d------c- C:\Documents and Settings\mjlobb\Application Data\Malwarebytes
    2008-07-19 00:10:22 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\URSoft
    2008-07-19 00:09:46 0 d------c- C:\Program Files\Your Uninstaller 2008
    2008-07-18 23:32:05 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Adobe
    2008-07-18 23:14:31 0 d------c- C:\Program Files\Alwil Software
    2008-07-18 22:49:02 0 d------c- C:\Documents and Settings\pcoadmin\Application Data\Malwarebytes
    2008-07-18 22:48:10 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-18 22:48:08 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-18 22:25:07 0 d------c- C:\Program Files\Spyware Doctor
    2008-07-18 22:25:07 0 d------c- C:\Documents and Settings\mjlobb\Application Data\PC Tools
    2008-07-18 22:00:26 0 d------c- C:\Program Files\a-squared Free
    2008-07-18 21:54:58 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-18 21:03:05 0 d------c- C:\WINDOWS\SoftwareDistribution
    2008-07-18 21:02:28 0 d------c- C:\WINDOWS\Prefetch
    2008-07-18 20:36:02 0 dr-h---c- C:\Documents and Settings\Default User\Local Settings
    2008-07-14 11:42:11 58887 --a----c- C:\Documents and Settings\mjlobb\scchost.exe
    2008-07-12 21:00:31 0 d------c- C:\Documents and Settings\dmlobb\Application Data\Sun
    2008-07-12 20:59:07 0 d---s--c- C:\Documents and Settings\dmlobb\UserData
    2008-06-25 14:09:12 0 d------c- C:\Program Files\uTorrent
    2008-06-25 14:09:08 0 d------c- C:\Documents and Settings\nalobb\Application Data\uTorrent


    -- Find3M Report ---------------------------------------------------------------

    2008-07-19 01:36:55 0 d------c- C:\Program Files\Common Files\Sandlot Shared
    2008-07-19 00:50:55 0 d------c- C:\Program Files\Google
    2008-07-19 00:50:19 0 d------c- C:\Program Files\Activision
    2008-07-19 00:41:36 0 d------c- C:\Program Files\Ares Lite Edition
    2008-07-18 21:54:58 0 d------c- C:\Program Files\Common Files
    2008-07-18 20:49:41 0 d--h---c- C:\Program Files\WindowsUpdate
    2008-07-18 20:49:06 0 d------c- C:\Program Files\Movie Maker
    2008-07-18 20:47:04 22832 --a----c- C:\WINDOWS\system32\emptyregdb.dat
    2008-07-18 20:46:20 0 d------c- C:\Program Files\Messenger
    2008-07-18 20:46:17 0 d------c- C:\Program Files\Windows NT
    2008-06-30 14:43:03 0 d------c- C:\Program Files\GameHouse
    2008-06-19 15:31:35 0 d------c- C:\Program Files\PokerStars


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINDVDPatch"="CTHELPER.EXE" [02/07/2002 05:56 p.m. C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 a.m.]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [29/11/2001 01:00 a.m.]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [24/03/2004 10:04 a.m.]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 01:07 p.m.]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [03/06/2004 10:05 p.m.]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/12/2007 02:00 a.m.]
    "RegistryMechanic"="" []
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/06/2008 09:22 p.m.]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/10/2004 12:10:02 p.m.]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"=1 (0x1)
    "Intellimenus"=1 (0x1)
    "MemCheckBoxInRunDlg"=1 (0x1)
    "NoTaskGrouping"=1 (0x1)
    "NoAutoUpdate"=1 (0x1)
    "NoSharedDocuments"=1 (0x1)
    "NoAutoTrayNotify"=1 (0x1)
    "NoDesktopCleanupWizard"=1 (0x1)
    "ForceClassicControlPanel"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\WINDOWS\System32\NalExpEx.dll [18/10/2002 11:17 a.m. 131072]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- End of Deckard's System Scanner: finished at 2008-07-20 21:52:29 ------------
     
  6. 2008/07/20
    noahdfear

    First, please post the contents of C:\Qoobox\ComboFix2.txt

    Then, highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/removing-spyware-viruses/75261-use-dss-i-have-go-safe-mode.html#post406960
    
    Collect::
    C:\Documents and Settings\mjlobb\scchost.exe
    File::
    C:\WINDOWS\system32\tmp3.tmp
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

    Is it still necessary to use safe mode to run DSS to completion?
     
  7. 2008/07/21
    baka101

    ComboFix 08-07-18.1 - lobbadmin 2008-07-20 21:18:14.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.272 [GMT 12:00]
    Running from: C:\Documents and Settings\pcoadmin\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ie_f.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
    .

    2008-07-19 20:39 . 2008-07-19 20:39 <DIR> d----c--- C:\Deckard
    2008-07-19 16:56 . 2008-07-19 16:56 <DIR> d----c--- C:\Program Files\Trend Micro
    2008-07-19 14:57 . 2008-07-19 14:58 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
    2008-07-19 14:57 . 2008-07-19 19:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 13:58 . 2008-07-19 14:01 <DIR> d----c--- C:\Program Files\SpywareBlaster
    2008-07-19 13:58 . 2005-08-25 19:18 118,784 --a--c--- C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-07-19 13:51 . 2008-07-19 14:06 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
    2008-07-19 13:51 . 2005-02-25 15:35 22,752 --a--c--- C:\WINDOWS\system32\spupdsvc.exe
    2008-07-19 08:25 . 2008-07-19 08:25 <DIR> d----c--- C:\WINDOWS\Provisioning
    2008-07-19 02:38 . 2008-07-19 02:38 262,144 --a--c--- C:\ntuser.dat.rmbak
    2008-07-19 02:38 . 2008-07-19 11:55 8,192 --a------ C:\ntuser.dat
    2008-07-19 02:11 . 2008-07-19 02:11 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\Malwarebytes
    2008-07-19 00:10 . 2008-07-19 00:10 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\URSoft
    2008-07-19 00:09 . 2008-07-19 00:40 <DIR> d----c--- C:\Program Files\Your Uninstaller 2008
    2008-07-18 23:15 . 2003-03-19 08:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-07-18 23:15 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
    2008-07-18 23:14 . 2008-07-18 23:14 <DIR> d----c--- C:\Program Files\Alwil Software
    2008-07-18 22:49 . 2008-07-18 22:49 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-05-30 01:06 34,296 --a--c--- C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-18 22:48 . 2008-05-30 01:06 15,864 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-18 22:25 . 2008-07-19 14:08 <DIR> d----c--- C:\Program Files\Spyware Doctor
    2008-07-18 22:25 . 2008-07-18 22:25 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\PC Tools
    2008-07-18 22:25 . 2008-06-10 21:22 81,288 --a--c--- C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 66,952 --a--c--- C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-07-18 22:25 . 2008-06-02 15:19 42,376 --a--c--- C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 29,576 --a--c--- C:\WINDOWS\system32\drivers\kcom.sys
    2008-07-18 22:00 . 2008-07-19 14:31 <DIR> d----c--- C:\Program Files\a-squared Free
    2008-07-18 21:54 . 2008-07-18 23:30 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-18 21:01 . 2008-07-20 00:03 469,319,680 --a------ C:\WINDOWS\MEMORY.DMP
    2008-07-18 20:57 . 2004-08-04 13:07 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-07-18 20:56 . 2004-08-04 13:07 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-07-18 20:55 . 2004-08-04 13:07 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-07-18 20:54 . 2004-08-04 13:07 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-07-18 20:53 . 2004-08-04 13:07 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-07-18 20:52 . 2008-07-18 20:52 316,640 --a--c--- C:\WINDOWS\WMSysPr9.prx
    2008-07-18 20:52 . 2004-08-04 13:07 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
    2008-07-18 20:50 . 2008-07-18 20:50 488 -rah-c--- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\drivers\fltMgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 81,920 --a--c--- C:\WINDOWS\system32\dllcache\msado27.tlb
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\fltMc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 18,432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\fltlib.dll
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\drivers\cwcspud.sys
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\dllcache\cwcspud.sys
    2008-07-18 20:35 . 2004-08-04 13:07 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-07-14 11:42 . 2008-07-14 11:42 58,887 --a--c--- C:\Documents and Settings\mjlobb\scchost.exe
    2008-07-12 20:59 . 2008-07-12 20:59 <DIR> d---sc--- C:\Documents and Settings\dmlobb\UserData
    2008-07-12 16:28 . 2008-07-12 16:28 0 --a--c--- C:\WINDOWS\system32\tmp3.tmp
    2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d----c--- C:\Program Files\uTorrent
    2008-06-25 14:09 . 2008-06-25 14:25 <DIR> d----c--- C:\Documents and Settings\nalobb\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-20 09:02 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-18 13:36 --------- dc----w C:\Program Files\Common Files\Sandlot Shared
    2008-07-18 12:50 --------- dc----w C:\Program Files\Google
    2008-07-18 12:50 --------- dc----w C:\Program Files\Activision
    2008-07-18 12:41 --------- dc----w C:\Program Files\Ares Lite Edition
    2008-06-30 02:43 --------- dc----w C:\Program Files\GameHouse
    2008-06-19 03:31 --------- dc----w C:\Program Files\PokerStars
    2008-06-03 03:18 --------- dc----w C:\Documents and Settings\mjlobb\Application Data\GameHouse
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-24 10:04 46080]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05 32881]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 13:07 15360]

    C:\Documents and Settings\Admin.000\Start Menu\Programs\Startup\
    OpenOffice.org 1.1.2.lnk - C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe [2004-05-05 01:10:00 61440]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-10-01 12:10:02 106560]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "NoTaskGrouping"= 1 (0x1)
    "NoAutoUpdate"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"="C:\WINDOWS\System32\NalExpEx.dll" [2002-10-18 11:17 131072]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-30 01:06]

    *Newly Created Service* - CATCHME
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RegistryMechanic - (no file)


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-20 21:20:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-07-20 21:21:54
    ComboFix-quarantined-files.txt 2008-07-20 09:21:49

    Pre-Run: 9,815,724,032 bytes free
    Post-Run: 9,882,705,920 bytes free

    134 --- E O F --- 2008-07-19 01:52:03
     
  8. 2008/07/21
    baka101

    There's a problem with that. Remember when I said that in normal Windows mode the computer pauses up? I have to go to safe mode to do anything, and even when I run safe mode with networking, the net won't work on my friend's computer. Is there any way I can just copy the file you need from my friend's computer to be analyzed, zip it up, put it on my thumb drive and upload it to you somehow?

    Anyway, here is the latest ComboFix log.

    Thanks

    ComboFix 08-07-18.1 - otaku 2008-07-21 19:33:05.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.286 [GMT 12:00]
    Running from: C:\Documents and Settings\otaku\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\otaku\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\tmp3.tmp
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
    .

    2008-07-21 19:13 . 2008-07-21 19:13 <DIR> d----c--- C:\Documents and Settings\otaku
    2008-07-19 20:39 . 2008-07-19 20:39 <DIR> d----c--- C:\Deckard
    2008-07-19 16:56 . 2008-07-19 16:56 <DIR> d----c--- C:\Program Files\Trend Micro
    2008-07-19 14:57 . 2008-07-19 14:58 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
    2008-07-19 14:57 . 2008-07-19 19:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 13:58 . 2008-07-19 14:01 <DIR> d----c--- C:\Program Files\SpywareBlaster
    2008-07-19 13:58 . 2005-08-25 19:18 118,784 --a--c--- C:\WINDOWS\system32\MSSTDFMT.DLL
    2008-07-19 13:51 . 2008-07-21 19:05 <DIR> d--h-c--- C:\WINDOWS\$hf_mig$
    2008-07-19 13:51 . 2005-02-25 15:35 22,752 --a--c--- C:\WINDOWS\system32\spupdsvc.exe
    2008-07-19 08:25 . 2008-07-19 08:25 <DIR> d----c--- C:\WINDOWS\Provisioning
    2008-07-19 02:38 . 2008-07-19 02:38 262,144 --a--c--- C:\ntuser.dat.rmbak
    2008-07-19 02:38 . 2008-07-19 11:55 8,192 --a------ C:\ntuser.dat
    2008-07-19 02:11 . 2008-07-19 02:11 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\Malwarebytes
    2008-07-19 00:10 . 2008-07-19 00:10 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\URSoft
    2008-07-19 00:09 . 2008-07-19 00:40 <DIR> d----c--- C:\Program Files\Your Uninstaller 2008
    2008-07-18 23:15 . 2003-03-19 08:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2008-07-18 23:15 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
    2008-07-18 23:14 . 2008-07-18 23:14 <DIR> d----c--- C:\Program Files\Alwil Software
    2008-07-18 22:49 . 2008-07-18 22:49 <DIR> d----c--- C:\Documents and Settings\pcoadmin\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-18 22:48 . 2008-07-18 22:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-18 22:48 . 2008-05-30 01:06 34,296 --a--c--- C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-18 22:48 . 2008-05-30 01:06 15,864 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-18 22:25 . 2008-07-19 14:08 <DIR> d----c--- C:\Program Files\Spyware Doctor
    2008-07-18 22:25 . 2008-07-18 22:25 <DIR> d----c--- C:\Documents and Settings\mjlobb\Application Data\PC Tools
    2008-07-18 22:25 . 2008-06-10 21:22 81,288 --a--c--- C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 66,952 --a--c--- C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-07-18 22:25 . 2008-06-02 15:19 42,376 --a--c--- C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-07-18 22:25 . 2008-06-02 15:19 29,576 --a--c--- C:\WINDOWS\system32\drivers\kcom.sys
    2008-07-18 22:00 . 2008-07-19 14:31 <DIR> d----c--- C:\Program Files\a-squared Free
    2008-07-18 21:54 . 2008-07-18 23:30 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-18 21:01 . 2008-07-20 00:03 469,319,680 --a------ C:\WINDOWS\MEMORY.DMP
    2008-07-18 20:57 . 2004-08-04 13:07 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-07-18 20:56 . 2004-08-04 13:07 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-07-18 20:55 . 2004-08-04 13:07 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-07-18 20:54 . 2004-08-04 13:07 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-07-18 20:53 . 2004-08-04 13:07 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-07-18 20:52 . 2008-07-18 20:52 316,640 --a--c--- C:\WINDOWS\WMSysPr9.prx
    2008-07-18 20:52 . 2004-08-04 13:07 221,184 --a--c--- C:\WINDOWS\system32\wmpns.dll
    2008-07-18 20:50 . 2008-07-18 20:50 488 -rah-c--- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\drivers\fltMgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 124,800 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2008-07-18 20:48 . 2004-08-04 13:07 81,920 --a--c--- C:\WINDOWS\system32\dllcache\msado27.tlb
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\fltMc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 22,528 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
    2008-07-18 20:48 . 2004-08-04 13:07 18,432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\fltlib.dll
    2008-07-18 20:48 . 2004-08-04 13:07 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\drivers\cwcspud.sys
    2008-07-18 20:40 . 2001-08-17 12:19 111,872 --a--c--- C:\WINDOWS\system32\dllcache\cwcspud.sys
    2008-07-18 20:35 . 2004-08-04 13:07 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-07-12 20:59 . 2008-07-12 20:59 <DIR> d---sc--- C:\Documents and Settings\dmlobb\UserData
    2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d----c--- C:\Program Files\uTorrent
    2008-06-25 14:09 . 2008-06-25 14:25 <DIR> d----c--- C:\Documents and Settings\nalobb\Application Data\uTorrent

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-21 07:32 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-18 13:36 --------- dc----w C:\Program Files\Common Files\Sandlot Shared
    2008-07-18 12:50 --------- dc----w C:\Program Files\Google
    2008-07-18 12:50 --------- dc----w C:\Program Files\Activision
    2008-07-18 12:41 --------- dc----w C:\Program Files\Ares Lite Edition
    2008-06-30 02:43 --------- dc----w C:\Program Files\GameHouse
    2008-06-19 03:31 --------- dc----w C:\Program Files\PokerStars
    2008-06-03 03:18 --------- dc----w C:\Documents and Settings\mjlobb\Application Data\GameHouse
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 13:07 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-03-24 10:04 46080]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05 32881]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 02:00 79224]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "RegistryMechanic"="" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 13:07 15360]

    C:\Documents and Settings\Admin.000\Start Menu\Programs\Startup\
    OpenOffice.org 1.1.2.lnk - C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe [2004-05-05 01:10:00 61440]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-10-01 12:10:02 106560]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "NoTaskGrouping"= 1 (0x1)
    "NoAutoUpdate"= 1 (0x1)
    "NoAutoTrayNotify"= 1 (0x1)
    "NoDesktopCleanupWizard"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"="C:\WINDOWS\System32\NalExpEx.dll" [2002-10-18 11:17 131072]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-30 01:06]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 19:35:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-07-21 19:36:02
    ComboFix-quarantined-files.txt 2008-07-21 07:36:00

    Pre-Run: 9,855,283,200 bytes free
    Post-Run: 9,833,865,216 bytes free

    133 --- E O F --- 2008-07-19 01:52:03
     
  9. 2008/07/21
    noahdfear

    So there's been no change in the behavior since doing the above routines? Computer still locks up in normal mode?
     
  10. 2008/07/21
    baka101

    My friend opted to format his computer and start anew, but before that, while I was transferring the logs and the things you needed to know what was wrong with his computer, my computer got infected, I believe by Trojan-gen (that's what avast reports). Here is my DSS log.

    Deckard's System Scanner v20071014.68
    Run by baka on 2008-07-22 13:36:50
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as baka.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:36:54, on 22/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\ASUS\AASP\1.00.59\aaCenter.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Orbitdownloader\orbitnet.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Alwil Software\Avast4\ashLogV.exe
    E:\SOFTWARE\dss.exe
    C:\PROGRA~1\Trend Micro\HijackThis\baka.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
    O4 - HKLM\..\Run: [ASUS Energy Saving] "C:\Program Files\ASUS\AI Suite\EnergySaving\PwSave.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: VersionTrackerPro.lnk = C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O4 - Global Startup: VersionTrackerPro.lnk = ?
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
    O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206663584687
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 9813 bytes

    -- Files created between 2008-06-22 and 2008-07-22 -----------------------------

    2008-07-22 01:17:49 0 d------c- C:\Documents and Settings\baka\Application Data\Orbit
    2008-07-22 01:17:47 0 d------c- C:\Program Files\Orbitdownloader
    2008-07-22 01:10:43 0 d------c- C:\Program Files\Flash Favorite
    2008-07-21 17:58:42 68096 --a----c- C:\WINDOWS\zip.exe
    2008-07-21 17:58:42 49152 --a----c- C:\WINDOWS\VFind.exe
    2008-07-21 17:58:42 212480 --a----c- C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-21 17:58:42 136704 --a----c- C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-21 17:58:42 161792 --a----c- C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-21 17:58:42 98816 --a----c- C:\WINDOWS\sed.exe
    2008-07-21 17:58:42 80412 --a----c- C:\WINDOWS\grep.exe
    2008-07-21 17:58:42 89504 --a----c- C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-20 22:04:08 0 d------c- C:\Program Files\TechTracker
    2008-07-20 18:35:28 0 d------c- C:\Documents and Settings\baka\Application Data\VersionTracker Pro
    2008-07-20 16:29:14 0 d------c- C:\WINDOWS\Performance
    2008-07-20 16:28:52 0 d------c- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
    2008-07-20 16:28:30 0 d------c- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
    2008-07-20 15:56:52 0 d------c- C:\Program Files\ClonySoft
    2008-07-20 15:56:03 0 d------c- C:\Documents and Settings\baka\Application Data\ClonySoft
    2008-07-19 19:57:35 0 d------c- C:\Program Files\Elcomsoft
    2008-07-16 22:03:33 14336 --a----c- C:\WINDOWS\system32\drivers\PN31Snoop.sys <Not Verified; Casimir666 Incorporated; PN31Snoop Application>
    2008-07-15 18:12:33 0 d------c- C:\WINDOWS\NV672412128.TMP
    2008-07-15 09:55:57 0 d------c- C:\Program Files\Lavasoft
    2008-07-14 22:12:37 260288 -ra------ C:\$LDR$
    2008-07-14 22:12:26 0 d------c- C:\$WIN_NT$.~BT
    2008-07-09 18:26:12 0 d------c- C:\Program Files\MSBuild
    2008-07-09 18:05:30 0 d------c- C:\WINDOWS\system32\XPSViewer
    2008-07-09 18:01:59 0 d------c- C:\Program Files\Reference Assemblies
    2008-07-09 15:17:12 0 d------c- C:\Program Files\Moleskinsoft Directory Size 1.9.1
    2008-07-09 13:35:26 0 d------c- C:\WINDOWS\setup.pss
    2008-07-09 12:31:07 0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-09 01:41:54 0 d------c- C:\Documents and Settings\baka\Application Data\SiteAdvisor
    2008-07-09 01:41:54 0 d------c- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-07-09 01:41:54 0 d------c- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-07-08 21:49:50 0 d------c- C:\Program Files\WhatsRunning
    2008-07-08 19:44:17 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-08 19:31:00 0 d------c- C:\Program Files\BillP Studios
    2008-07-08 15:04:35 0 d------c- C:\WINDOWS\Logs
    2008-07-08 11:16:48 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-08 11:16:30 0 d------c- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-07 21:11:48 0 d------c- C:\WINDOWS\pss
    2008-07-05 20:59:08 0 d------c- C:\Program Files\Allok Video Joiner
    2008-07-05 17:55:41 0 d------c- C:\Program Files\Trend Micro
    2008-07-03 20:06:16 0 d------c- C:\Documents and Settings\All Users\Application Data\Brother
    2008-07-03 19:08:32 0 d------c- C:\Program Files\AVG
    2008-07-02 19:30:08 0 d------c- C:\Program Files\SpywareBlaster
    2008-07-02 19:27:40 0 d------c- C:\Program Files\SpywareGuard
    2008-07-02 16:50:10 0 d--h---c- C:\Documents and Settings\Administrator\Templates
    2008-07-02 16:50:10 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
    2008-07-02 16:50:10 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
    2008-07-02 16:50:10 0 d--h---c- C:\Documents and Settings\Administrator\Recent
    2008-07-02 16:50:10 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
    2008-07-02 16:50:10 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-07-02 16:50:10 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
    2008-07-02 16:50:10 0 d------c- C:\Documents and Settings\Administrator\My Documents
    2008-07-02 16:50:10 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
    2008-07-02 16:50:10 0 d------c- C:\Documents and Settings\Administrator\Favorites
    2008-07-02 16:50:10 0 d------c- C:\Documents and Settings\Administrator\Desktop
    2008-07-02 16:50:10 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
    2008-07-02 16:50:10 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
    2008-07-02 16:50:10 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-07-02 16:29:20 0 d------c- C:\Documents and Settings\baka\Application Data\HouseCall 6.6
    2008-07-02 16:15:46 0 d------c- C:\Documents and Settings\baka\Application Data\WinPatrol
    2008-07-02 16:15:33 164 --a----c- C:\install.dat
    2008-07-02 15:28:05 0 d------c- C:\Program Files\Enigma Software Group
    2008-07-02 15:13:56 0 d------c- C:\Program Files\Panda Security
    2008-07-02 14:41:54 0 d------c- C:\BFU
    2008-07-01 23:59:45 0 d------c- C:\Program Files\Microsoft IntelliType Pro
    2008-07-01 23:57:41 0 d------c- C:\Program Files\Microsoft IntelliType Pro 5.5
    2008-07-01 23:54:58 0 d------c- C:\Program Files\Microsoft IntelliPoint
    2008-07-01 18:13:50 53248 --a----c- C:\WINDOWS\system32\CSVer.dll <Not Verified; Windows XP Bundled build C-Centric Single User; Windows XP Bundled build C-Centric Single User CSVer>
    2008-07-01 15:49:55 0 d------c- C:\Program Files\Square Soft, Inc
    2008-07-01 15:48:34 314880 --a----c- C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
    2008-07-01 15:31:21 0 d------c- C:\Documents and Settings\baka\Application Data\AptEdit
    2008-07-01 15:30:49 0 d------c- C:\Program Files\Brother Technology
    2008-07-01 15:20:53 0 d------c- C:\Program Files\Driver-Soft
    2008-06-29 22:10:37 0 d------c- C:\Program Files\Torrent Harvester
    2008-06-28 15:26:52 0 -ra----c- C:\logwmemory.bin
    2008-06-28 11:40:05 24 --a----c- C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-28 11:40:05 24 --a----c- C:\WINDOWS\system32\DVCState-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-26 17:06:57 0 d--hs--c- C:\Diskeeper
    2008-06-26 16:02:44 0 d------c- C:\Program Files\TubeSucker
    2008-06-26 15:13:01 0 d------c- C:\Program Files\PerformanceTest
    2008-06-26 14:57:18 0 d------c- C:\Program Files\Ashampoo
    2008-06-26 13:53:44 0 d------c- C:\Documents and Settings\baka\Shared
    2008-06-26 13:53:42 0 d------c- C:\Documents and Settings\baka\Incomplete
    2008-06-26 13:53:35 0 d------c- C:\Documents and Settings\baka\Application Data\FrostWire
    2008-06-26 13:53:10 0 d------c- C:\Program Files\FrostWire
    2008-06-26 13:15:57 0 d------c- C:\Program Files\Your Uninstaller 2008
    2008-06-26 11:58:41 0 d--h---c- C:\WINDOWS\PIF
    2008-06-24 19:07:08 0 d------c- C:\WINDOWS\NV23562784.TMP


    -- Find3M Report ---------------------------------------------------------------

    2008-07-22 13:36:12 0 d------c- C:\Documents and Settings\baka\Application Data\Free Download Manager
    2008-07-22 13:28:57 0 d------c- C:\Documents and Settings\baka\Application Data\uTorrent
    2008-07-22 13:27:08 8405015 --a----c- C:\WINDOWS\TempFile
    2008-07-22 12:36:23 0 d------c- C:\Program Files\ewido anti-spyware 4.0
    2008-07-22 01:37:13 0 d------c- C:\Documents and Settings\baka\Application Data\DMCache
    2008-07-22 01:30:33 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-21 20:26:38 0 d------c- C:\Program Files\Mozilla Thunderbird
    2008-07-21 19:48:34 0 d------c- C:\Program Files\Pcsx2_0.9.4
    2008-07-21 07:14:23 0 d--h---c- C:\Program Files\InstallShield Installation Information
    2008-07-20 18:36:22 0 d------c- C:\Program Files\ImgBurn
    2008-07-20 13:32:01 0 d------c- C:\Program Files\a-squared Free
    2008-07-19 12:32:13 0 d------c- C:\Program Files\DivX
    2008-07-15 16:14:27 0 d------c- C:\Program Files\Java
    2008-07-15 12:15:02 0 d------c- C:\Program Files\Common Files\DVDVideoSoft
    2008-07-15 09:55:12 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-14 20:28:57 0 d------c- C:\Documents and Settings\baka\Application Data\dvdcss
    2008-07-09 15:22:06 0 d------c- C:\Program Files\Sierra
    2008-07-08 16:07:01 0 d------c- C:\Program Files\Internet Download Manager
    2008-07-07 20:59:42 0 d------c- C:\Program Files\Common Files
    2008-07-06 18:38:51 0 d------c- C:\Program Files\Oni
    2008-07-06 16:58:22 0 d------c- C:\Program Files\ASUS
    2008-07-06 16:14:37 0 d------c- C:\Program Files\Konami
    2008-07-02 17:45:12 0 d------c- C:\Program Files\KWMUSIC
    2008-07-02 12:42:08 0 d------c- C:\Program Files\SUPERAntiSpyware
    2008-07-01 17:51:05 0 d------c- C:\Program Files\Xnet Usage Monitor
    2008-07-01 16:18:25 0 d------c- C:\Documents and Settings\baka\Application Data\BITS
    2008-06-28 11:44:26 590 --a----c- C:\WINDOWS\system32\admshare.dat
    2008-06-26 15:03:49 0 d------c- C:\Documents and Settings\baka\Application Data\LimeWire
    2008-06-26 13:53:15 0 d------c- C:\Program Files\LimeWire
    2008-06-26 13:18:41 0 d------c- C:\Program Files\Your Uninstaller 2006
    2008-06-26 13:16:02 0 d------c- C:\Documents and Settings\baka\Application Data\URSoft
    2008-06-22 19:37:31 0 d------c- C:\Documents and Settings\baka\Application Data\ppstream
    2008-06-22 19:32:30 0 d------c- C:\Program Files\Common Files\Autodesk Shared
    2008-06-22 19:32:30 0 d------c- C:\Program Files\Autodesk
    2008-06-19 16:05:56 0 d------c- C:\Documents and Settings\baka\Application Data\IDM
    2008-06-18 18:06:39 0 d------c- C:\Documents and Settings\baka\Application Data\Autodesk
    2008-06-16 19:07:01 0 d------c- C:\Documents and Settings\baka\Application Data\StudyMinder
    2008-06-16 19:01:26 0 d------c- C:\Program Files\StudyMinder_LITE
    2008-06-11 17:46:16 0 d------c- C:\Program Files\StepMania
    2008-06-11 12:07:20 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
    2008-06-11 12:03:26 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-06-11 12:03:26 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-06-11 12:03:20 802816 --a----c- C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2008-06-11 12:03:20 823296 --a----c- C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-06-11 12:03:20 815104 --a----c- C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
    2008-06-11 12:03:20 823296 --a----c- C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-06-11 12:03:18 683520 --a----c- C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-06-10 13:30:10 0 d------c- C:\Documents and Settings\baka\Application Data\DSVE-GUI
    2008-06-07 12:43:33 0 d------c- C:\Documents and Settings\baka\Application Data\Sun
    2008-06-03 19:07:37 0 d------c- C:\Program Files\AviSynth 2.5
    2008-06-03 18:31:58 0 d------c- C:\Program Files\eRightSoft
    2008-06-03 17:50:57 0 d------c- C:\Program Files\Witcobber
    2008-06-03 17:17:40 0 d------c- C:\Program Files\Allok MPEG4 Converter
    2008-06-03 17:16:53 0 d------c- C:\Program Files\Common Files\Download Manager
    2008-06-03 16:07:42 0 d------c- C:\Program Files\DVDVideoSoft
    2008-06-03 15:59:51 0 d------c- C:\Program Files\YouTube Downloader
    2008-06-01 16:22:26 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat
    2008-06-01 15:26:36 0 d------c- C:\Program Files\RogueRemover FREE
    2008-06-01 14:47:54 3750 --a----c- C:\WINDOWS\system32\tmp.reg
    2008-06-01 13:38:08 0 d------c- C:\Program Files\OpenAL
    2008-06-01 04:12:24 0 d------c- C:\Program Files\Common Files\Java
    2008-05-29 09:35:36 86528 --a----c- C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-05-27 15:41:32 0 d------c- C:\Program Files\Common Files\DirectX
    2008-05-27 14:36:36 0 d------c- C:\Program Files\WinPcap
    2008-05-24 15:37:33 0 d------c- C:\Program Files\Microsoft Silverlight
    2008-05-23 10:18:54 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-05-18 21:40:35 82944 --a----c- C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-05-18 21:40:35 82944 --a----c- C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-05-16 14:01:00 1630208 --a----c- C:\WINDOWS\system32\nwiz.exe
    2008-05-16 14:01:00 1019904 --a----c- C:\WINDOWS\system32\nvwimg.dll
    2008-05-16 14:01:00 1703936 --a----c- C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-16 14:01:00 466944 --a----c- C:\WINDOWS\system32\nvshell.dll
    2008-05-16 14:01:00 1486848 --a----c- C:\WINDOWS\system32\nview.dll
    2008-05-16 14:01:00 1339392 --a----c- C:\WINDOWS\system32\nvdspsch.exe
    2008-05-16 14:01:00 442368 --a----c- C:\WINDOWS\system32\nvappbar.exe
    2008-05-16 14:01:00 425984 --a----c- C:\WINDOWS\system32\keystone.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 13:07]
    "PHIME2002ASync"= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 13:07]
    "PHIME2002A"= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 13:07]
    "RTHDCPL"= "RTHDCPL.EXE" [11/04/2007 03:28 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"= "SkyTel.EXE" [05/04/2007 05:22 C:\WINDOWS\SkyTel.exe]
    "NvCplDaemon"= "C:\WINDOWS\system32\NvCpl.dll" [16/05/2008 14:01]
    "nwiz"= "nwiz.exe" [16/05/2008 14:01 C:\WINDOWS\system32\nwiz.exe]
    "WinampAgent"= "C:\Program Files\Winamp\winampa.exe" [16/01/2008 10:54]
    "avast!"= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30/03/2008 07:37]
    "WINDVDPatch"= "CTHELPER.EXE" [02/07/2002 17:56 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"= "C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00]
    "Jet Detection"= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [29/11/2001 01:00]
    "ezShieldProtector for Px"= "C:\WINDOWS\system32\ezSP_Px.exe" [20/08/2002 10:29]
    "SunJavaUpdateSched"= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
    "IntelliPoint"= "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [31/08/2007 12:01]
    "itype"= "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [04/12/2005 16:38]
    "Ai Nap"= "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe" [28/01/2008 12:55]
    "CPU Power Monitor"= "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [09/01/2008 10:17]
    "Cpu Level Up help"= "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe" [30/11/2007 20:03]
    "ASUS Energy Saving"= "C:\Program Files\ASUS\AI Suite\EnergySaving\PwSave.exe" [28/01/2008 10:42]
    "WinPatrol"= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [05/07/2008 04:58]
    "NvMediaCenter"= "C:\WINDOWS\system32\NvMcTray.dll" [16/05/2008 14:01]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"= "C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:07]
    "uTorrent"= "C:\Program Files\uTorrent\utorrent.exe" [29/03/2008 15:48]

    C:\Documents and Settings\baka\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 7:05:35 p.m.]
    VersionTrackerPro.lnk - C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe [6/05/2008 8:06:26 p.m.]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [22/07/2008 1:17:47 a.m.]
    VersionTrackerPro.lnk - C:\WINDOWS\Installer\{64A32253-A906-4AEB-B6A7-A90512B68D87}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe [20/07/2008 10:04:11 p.m.]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^baka^Start Menu^Programs^Startup^Xnet Usage Monitor.lnk]
    backup=C:\WINDOWS\pss\Xnet Usage Monitor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
    "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" /start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"




    -- End of Deckard's System Scanner: finished at 2008-07-22 13:37:12 ------------
     
  11. 2008/07/21
    noahdfear

    Appears you ran ComboFix. Please post the C:\ComboFix.txt log

    Please upload the following file to my submission channel for analysis. Leave a link back to this topic.

    C:\$LDR$

    Thanks!
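
    Post 11 reads two things off the DSS "Files created" listing in post 10: a set of helper tools written to C:\WINDOWS within the same second on 2008-07-21 (taken as evidence that ComboFix had been run), and a loose file in the drive root, C:\$LDR$, which it asks to have submitted. The script below is an added example, not part of this thread and not code from DSS or ComboFix. It parses DSS "Files created" lines and surfaces those same signals mechanically: a burst of files sharing one creation second, kernel drivers DSS marked "Not Verified", and plain files dropped into a drive root. The sample input is copied from the log above; the function names, the burst threshold and the output layout are the example's own choices.

```python
"""Triage helper for the "Files created" section of a Deckard's System Scanner
(DSS) log.  Added example for this thread; it is not part of DSS, ComboFix or
any post above.  Function names, thresholds and field names are the example's
own choices.

A DSS line has the shape
    <yyyy-mm-dd hh:mm:ss> <size> <9 attribute flags> <path> [<version / signing note>]
"""
import re
from collections import defaultdict

# Sample input: lines copied from the DSS log posted earlier in this thread.
SAMPLE_LOG = r"""
2008-07-22 01:17:47 0 d------c- C:\Program Files\Orbitdownloader
2008-07-21 17:58:42 68096 --a----c- C:\WINDOWS\zip.exe
2008-07-21 17:58:42 49152 --a----c- C:\WINDOWS\VFind.exe
2008-07-21 17:58:42 212480 --a----c- C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 17:58:42 136704 --a----c- C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 17:58:42 161792 --a----c- C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 17:58:42 98816 --a----c- C:\WINDOWS\sed.exe
2008-07-21 17:58:42 80412 --a----c- C:\WINDOWS\grep.exe
2008-07-16 22:03:33 14336 --a----c- C:\WINDOWS\system32\drivers\PN31Snoop.sys <Not Verified; Casimir666 Incorporated; PN31Snoop Application>
2008-07-14 22:12:37 260288 -ra------ C:\$LDR$
2008-07-14 22:12:26 0 d------c- C:\$WIN_NT$.~BT
2008-07-02 16:15:33 164 --a----c- C:\install.dat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) "
    r"(?P<attrs>[A-Za-z-]{9}) "
    r"(?P<path>.*?)"
    r"(?: <(?P<note>[^>]*)>)?$"
)


def parse_dss_lines(text):
    """Parse DSS 'Files created' lines into dicts; lines of any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["is_dir"] = e["attrs"][0] == "d"          # first flag is 'd' for directories
        e["unverified"] = bool(e["note"]) and e["note"].startswith("Not Verified")
        entries.append(e)
    return entries


def drop_bursts(entries, min_files=3):
    """Files (not directories) that share one exact creation second, when there are
    at least min_files of them.  A burst of executables landing under C:\\WINDOWS in
    the same second is the footprint of an installer or of a cleaning tool unpacking
    its helpers; post 11 read exactly such a burst as evidence that ComboFix had run."""
    by_ts = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            by_ts[e["ts"]].append(e["path"])
    return {ts: sorted(paths) for ts, paths in by_ts.items() if len(paths) >= min_files}


def unverified_drivers(entries):
    """Kernel drivers (*.sys) whose note says DSS could not verify them.  Unverified
    third-party drivers load into the kernel, so each one needs a manual look."""
    return sorted(e["path"] for e in entries
                  if e["unverified"] and e["path"].lower().endswith(".sys"))


def root_drops(entries):
    """Plain files written directly into a drive root (C:\\name with no further
    backslash), an unusual place for normal software.  This flags them for a hash
    lookup or submission, as post 11 asks for C:\\$LDR$; it does not judge them."""
    return sorted(e["path"] for e in entries
                  if not e["is_dir"] and re.fullmatch(r"[A-Za-z]:\\[^\\]+", e["path"]))


def triage(text):
    """Run all three checks over a DSS 'Files created' block and return the hits."""
    entries = parse_dss_lines(text)
    return {
        "bursts": drop_bursts(entries),
        "unverified_drivers": unverified_drivers(entries),
        "root_drops": root_drops(entries),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"== {name}")
        if isinstance(hits, dict):
            for ts, paths in hits.items():
                print(f"  {ts}: {len(paths)} files, e.g. {paths[0]}")
        else:
            for p in hits:
                print(f"  {p}")
```

    On the sample, the burst check returns the seven C:\WINDOWS tools from 17:58:42, the driver check returns PN31Snoop.sys, and the root check returns C:\$LDR$ and C:\install.dat. A root-directory hit is a prompt for a hash lookup or submission, not a verdict: the same listing shows C:\$WIN_NT$.~BT created eleven seconds before C:\$LDR$, and the ComboFix log further down adds C:\txtsetup.sif from the same minute, which is the file set Windows Setup stages when an install or service-pack upgrade is prepared, so the file's origin is something the analyst still has to confirm.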
     
  12. 2008/07/21
    baka101

    This may help. I did a scan with Malwarebytes' Anti-Malware; here is my log.

    Malwarebytes' Anti-Malware 1.22
    Database version: 973
    Windows 5.1.2600 Service Pack 2

    2:03:51 p.m. 22/07/2008
    mbam-log-7-22-2008 (14-03-51).txt

    Scan type: Full Scan (C:\|E:\|)
    Objects scanned: 120862
    Time elapsed: 23 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{8E9D9BA8-4D4C-4A55-95C8-41CE5D71C9CE}\RP8\A0000555.ico (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8E9D9BA8-4D4C-4A55-95C8-41CE5D71C9CE}\RP8\A0000572.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
     
  13. 2008/07/21
    noahdfear

    Did you see my post above?
     
  14. 2008/07/21
    baka101

    ComboFix 08-07-18.1 - baka 2008-07-22 16:39:28.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1294 [GMT 12:00]
    Running from: C:\Documents and Settings\baka\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
    .

    2008-07-22 16:20 . 2008-07-22 16:20 <DIR> d----c--- C:\Documents and Settings\baka\dwhelper
    2008-07-22 16:12 . 2008-07-22 16:12 <DIR> d----c--- C:\Program Files\PowerQuest
    2008-07-22 13:36 . 2008-07-22 13:36 <DIR> d----c--- C:\Deckard
    2008-07-22 01:17 . 2008-07-22 01:17 <DIR> d----c--- C:\Program Files\Orbitdownloader
    2008-07-22 01:17 . 2008-07-22 13:36 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\Orbit
    2008-07-22 01:10 . 2008-07-22 14:17 <DIR> d----c--- C:\Program Files\Flash Favorite
    2008-07-20 22:04 . 2008-07-20 22:04 <DIR> d----c--- C:\Program Files\TechTracker
    2008-07-20 18:35 . 2008-07-20 23:28 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\VersionTracker Pro
    2008-07-20 16:29 . 2008-07-20 16:29 <DIR> d----c--- C:\WINDOWS\Performance
    2008-07-20 16:28 . 2008-07-20 16:28 <DIR> d----c--- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
    2008-07-20 16:28 . 2008-07-20 16:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
    2008-07-20 15:56 . 2008-07-20 15:56 <DIR> d----c--- C:\Program Files\ClonySoft
    2008-07-20 15:56 . 2008-07-20 15:56 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\ClonySoft
    2008-07-20 03:01 . 2008-07-20 20:21 38,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-19 19:57 . 2008-07-20 13:32 <DIR> d----c--- C:\Program Files\Elcomsoft
    2008-07-19 19:57 . 2008-07-19 20:01 1,602 --a--c--- C:\WINDOWS\aopr.ini
    2008-07-16 22:03 . 2008-07-16 22:03 14,336 --a--c--- C:\WINDOWS\system32\drivers\PN31Snoop.sys
    2008-07-16 12:03 . 2008-07-22 13:27 3,373,917 --a--c--- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000002-80271102}.BAK
    2008-07-15 18:12 . 2008-07-16 12:02 <DIR> d----c--- C:\WINDOWS\NV672412128.TMP
    2008-07-15 09:55 . 2008-07-15 09:55 <DIR> d----c--- C:\Program Files\Lavasoft
    2008-07-14 22:12 . 2008-07-14 22:13 <DIR> d----c--- C:\$WIN_NT$.~BT
    2008-07-14 22:12 . 2008-05-06 11:15 454,055 -ra--c--- C:\txtsetup.sif
    2008-07-14 22:12 . 2008-04-14 09:02 260,288 -ra------ C:\$LDR$
    2008-07-09 18:26 . 2008-07-09 18:26 <DIR> d----c--- C:\Program Files\MSBuild
    2008-07-09 18:05 . 2008-07-09 18:05 <DIR> d----c--- C:\WINDOWS\system32\XPSViewer
    2008-07-09 18:01 . 2008-07-09 18:01 <DIR> d----c--- C:\Program Files\Reference Assemblies
    2008-07-09 18:00 . 2006-06-29 13:07 14,048 -----c--- C:\WINDOWS\system32\spmsg2.dll
    2008-07-09 12:31 . 2008-07-09 12:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-09 01:41 . 2008-07-22 16:19 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\SiteAdvisor
    2008-07-09 01:41 . 2008-07-09 01:41 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-07-09 01:41 . 2008-07-09 01:41 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-07-08 21:49 . 2008-07-08 21:56 <DIR> d----c--- C:\Program Files\WhatsRunning
    2008-07-08 19:44 . 2008-07-08 19:44 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
    2008-07-08 19:44 . 2008-07-08 20:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-08 19:31 . 2008-07-08 19:31 <DIR> d----c--- C:\Program Files\BillP Studios
    2008-07-08 15:08 . 2008-05-30 14:11 3,850,760 --a--c--- C:\WINDOWS\system32\D3DX9_38.dll
    2008-07-08 15:08 . 2008-05-30 14:11 1,491,992 --a--c--- C:\WINDOWS\system32\D3DCompiler_38.dll
    2008-07-08 15:08 . 2008-05-30 14:19 507,400 --a--c--- C:\WINDOWS\system32\XAudio2_1.dll
    2008-07-08 15:08 . 2008-05-30 14:11 467,984 --a--c--- C:\WINDOWS\system32\d3dx10_38.dll
    2008-07-08 15:08 . 2008-05-30 14:18 238,088 --a--c--- C:\WINDOWS\system32\xactengine3_1.dll
    2008-07-08 15:08 . 2008-05-30 14:17 65,032 --a--c--- C:\WINDOWS\system32\XAPOFX1_0.dll
    2008-07-08 15:08 . 2008-05-30 14:17 25,608 --a--c--- C:\WINDOWS\system32\X3DAudio1_4.dll
    2008-07-08 15:04 . 2008-07-08 15:04 <DIR> d----c--- C:\WINDOWS\Logs
    2008-07-08 11:16 . 2008-07-08 11:16 <DIR> d----c--- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-08 11:16 . 2008-07-08 11:16 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-05 20:59 . 2008-07-05 21:27 <DIR> d----c--- C:\Program Files\Allok Video Joiner
    2008-07-05 17:55 . 2008-07-05 17:55 <DIR> d----c--- C:\Program Files\Trend Micro
    2008-07-03 20:06 . 2008-07-03 20:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Brother
    2008-07-03 20:04 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\drivers\usbprint.sys
    2008-07-03 20:04 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-07-03 19:08 . 2008-07-04 20:49 <DIR> d----c--- C:\Program Files\AVG
    2008-07-02 19:30 . 2008-07-22 14:34 <DIR> d----c--- C:\Program Files\SpywareBlaster
    2008-07-02 19:27 . 2008-07-20 13:43 <DIR> d----c--- C:\Program Files\SpywareGuard
    2008-07-02 16:50 . 2008-07-02 16:50 <DIR> d----c--- C:\Documents and Settings\Administrator
    2008-07-02 16:30 . 2007-12-24 17:37 138,384 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-02 16:29 . 2008-07-02 16:37 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\HouseCall 6.6
    2008-07-02 16:17 . 2008-01-04 20:56 1,526,640 --a--c--- C:\WINDOWS\WRSetup.dll
    2008-07-02 16:15 . 2008-07-02 16:15 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\WinPatrol
    2008-07-02 16:15 . 2008-07-02 16:15 164 --a--c--- C:\install.dat
    2008-07-02 15:28 . 2008-07-04 20:54 <DIR> d----c--- C:\Program Files\Enigma Software Group
    2008-07-02 15:13 . 2008-07-02 15:14 <DIR> d----c--- C:\Program Files\Panda Security
    2008-07-02 14:41 . 2008-07-02 14:54 <DIR> d----c--- C:\BFU
    2008-07-01 23:59 . 2008-07-01 23:59 <DIR> d----c--- C:\Program Files\Microsoft IntelliType Pro
    2008-07-01 23:57 . 2008-07-01 23:57 <DIR> d----c--- C:\Program Files\Microsoft IntelliType Pro 5.5
    2008-07-01 23:55 . 2007-08-21 01:13 21,760 --a--c--- C:\WINDOWS\system32\drivers\point32.sys
    2008-07-01 23:54 . 2008-07-01 23:55 <DIR> d----c--- C:\Program Files\Microsoft IntelliPoint
    2008-07-01 18:13 . 2008-05-01 16:35 53,248 --a--c--- C:\WINDOWS\system32\CSVer.dll
    2008-07-01 15:49 . 2008-07-01 15:49 <DIR> d----c--- C:\Program Files\Square Soft, Inc
    2008-07-01 15:48 . 1997-06-02 12:32 314,880 --a--c--- C:\WINDOWS\IsUninst.exe
    2008-07-01 15:31 . 2008-07-01 15:31 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\AptEdit
    2008-07-01 15:30 . 2008-07-01 15:30 <DIR> d----c--- C:\Program Files\Brother Technology
    2008-07-01 15:20 . 2008-07-01 15:20 <DIR> d----c--- C:\Program Files\Driver-Soft
    2008-06-29 22:10 . 2008-06-29 22:10 <DIR> d----c--- C:\Program Files\Torrent Harvester
    2008-06-29 17:26 . 2008-06-29 17:26 360,064 --a--c--- C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
    2008-06-28 15:26 . 2008-06-28 15:26 0 -ra--c--- C:\logwmemory.bin
    2008-06-28 11:40 . 2008-07-19 19:31 24,264 --a--c--- C:\WINDOWS\system32\BMXCtrlState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 24,264 --a--c--- C:\WINDOWS\system32\BMXBkpCtrlState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 16,324 --a--c--- C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 16,324 --a--c--- C:\WINDOWS\system32\BMXState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 24 --a--c--- C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-28 11:40 . 2008-07-19 19:31 24 --a--c--- C:\WINDOWS\system32\DVCState-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-26 17:06 . 2008-06-27 01:17 <DIR> d--hsc--- C:\Diskeeper
    2008-06-26 16:02 . 2008-06-28 10:40 <DIR> d----c--- C:\Program Files\TubeSucker
    2008-06-26 15:13 . 2008-06-26 15:13 <DIR> d----c--- C:\Program Files\PerformanceTest
    2008-06-26 14:57 . 2008-06-26 14:57 <DIR> d----c--- C:\Program Files\Ashampoo
    2008-06-26 13:53 . 2008-06-26 13:53 <DIR> d----c--- C:\Program Files\FrostWire
    2008-06-26 13:53 . 2008-06-26 13:54 <DIR> d----c--- C:\Documents and Settings\baka\Shared
    2008-06-26 13:53 . 2008-06-26 15:03 <DIR> d----c--- C:\Documents and Settings\baka\Incomplete
    2008-06-26 13:53 . 2008-06-26 14:19 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\FrostWire
    2008-06-26 13:15 . 2008-06-26 13:20 <DIR> d----c--- C:\Program Files\Your Uninstaller 2008
    2008-06-26 11:58 . 2008-06-26 11:58 <DIR> d--h-c--- C:\WINDOWS\PIF
    2008-06-24 19:07 . 2008-06-25 00:06 <DIR> d----c--- C:\WINDOWS\NV23562784.TMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-22 04:41 --------- dc----w C:\Documents and Settings\baka\Application Data\Free Download Manager
    2008-07-22 04:40 --------- dc----w C:\Documents and Settings\baka\Application Data\uTorrent
    2008-07-22 04:38 --------- dc----w C:\Documents and Settings\baka\Application Data\DMCache
    2008-07-22 04:12 --------- dc-h--w C:\Program Files\InstallShield Installation Information
    2008-07-22 03:39 --------- dc----w C:\Program Files\Mozilla Thunderbird
    2008-07-22 02:34 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-22 00:36 --------- dc----w C:\Program Files\ewido anti-spyware 4.0
    2008-07-21 13:30 --------- dc----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-21 07:48 --------- dc----w C:\Program Files\Pcsx2_0.9.4
    2008-07-20 08:21 17,144 -c--a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-20 06:36 --------- dc----w C:\Program Files\ImgBurn
    2008-07-20 01:32 --------- dc----w C:\Program Files\a-squared Free
    2008-07-19 00:32 --------- dc----w C:\Program Files\DivX
    2008-07-15 04:14 --------- dc----w C:\Program Files\Java
    2008-07-15 00:15 --------- dc----w C:\Program Files\Common Files\DVDVideoSoft
    2008-07-14 21:55 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-14 08:28 --------- dc----w C:\Documents and Settings\baka\Application Data\dvdcss
    2008-07-09 03:22 --------- dc----w C:\Program Files\Sierra
    2008-07-08 04:07 --------- dc----w C:\Program Files\Internet Download Manager
    2008-07-06 06:38 --------- dc----w C:\Program Files\Oni
    2008-07-06 04:58 --------- dc----w C:\Program Files\ASUS
    2008-07-06 04:14 --------- dc----w C:\Program Files\Konami
    2008-07-02 05:45 --------- dc----w C:\Program Files\KWMUSIC
    2008-07-02 00:42 --------- dc----w C:\Program Files\SUPERAntiSpyware
    2008-07-01 05:51 --------- dc----w C:\Program Files\Xnet Usage Monitor
    2008-07-01 04:18 --------- dc----w C:\Documents and Settings\baka\Application Data\BITS
    2008-06-26 03:03 --------- dc----w C:\Documents and Settings\baka\Application Data\LimeWire
    2008-06-26 01:53 --------- dc----w C:\Program Files\LimeWire
    2008-06-26 01:18 --------- dc----w C:\Program Files\Your Uninstaller 2006
    2008-06-26 01:16 --------- dc----w C:\Documents and Settings\baka\Application Data\URSoft
    2008-06-22 07:37 --------- dc----w C:\Documents and Settings\baka\Application Data\ppstream
    2008-06-22 07:34 --------- dc----w C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-06-22 07:32 --------- dc----w C:\Program Files\Common Files\Autodesk Shared
    2008-06-22 07:32 --------- dc----w C:\Program Files\Autodesk
    2008-06-20 17:41 245,248 -c--a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-19 04:05 --------- dc----w C:\Documents and Settings\baka\Application Data\IDM
    2008-06-18 17:52 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-06-18 06:06 --------- dc----w C:\Documents and Settings\baka\Application Data\Autodesk
    2008-06-16 07:07 --------- dc----w C:\Documents and Settings\baka\Application Data\StudyMinder
    2008-06-16 07:01 --------- dc----w C:\Program Files\StudyMinder_LITE
    2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:46 --------- dc----w C:\Program Files\StepMania
    2008-06-11 00:07 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
    2008-06-11 00:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-06-11 00:04 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
    2008-06-11 00:04 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
    2008-06-10 01:30 --------- dc----w C:\Documents and Settings\baka\Application Data\DSVE-GUI
    2008-06-03 07:07 --------- dc----w C:\Program Files\AviSynth 2.5
    2008-06-03 06:31 --------- dc----w C:\Program Files\eRightSoft
    2008-06-03 05:50 --------- dc----w C:\Program Files\Witcobber
    2008-06-03 05:17 --------- dc----w C:\Program Files\Allok MPEG4 Converter
    2008-06-03 05:16 --------- dc----w C:\Program Files\Common Files\Download Manager
    2008-06-03 04:07 --------- dc----w C:\Program Files\DVDVideoSoft
    2008-06-03 03:59 --------- dc----w C:\Program Files\YouTube Downloader
    2008-06-01 04:55 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-06-01 03:26 --------- dc----w C:\Program Files\RogueRemover FREE
    2008-06-01 02:47 3,750 -c--a-w C:\WINDOWS\system32\tmp.reg
    2008-06-01 01:38 444,952 -c--a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-06-01 01:38 --------- dc----w C:\Program Files\OpenAL
    2008-05-31 16:12 --------- dc----w C:\Program Files\Common Files\Java
    2008-05-31 05:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
    2008-05-28 21:35 86,528 -c--a-w C:\WINDOWS\system32\VACFix.exe
    2008-05-27 03:41 --------- dc----w C:\Program Files\Common Files\DirectX
    2008-05-27 02:36 --------- dc----w C:\Program Files\WinPcap
    2008-05-24 03:37 --------- dc----w C:\Program Files\Microsoft Silverlight
    2008-05-22 22:18 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-05-18 09:40 82,944 -c--a-w C:\WINDOWS\system32\IEDFix.exe
    2008-05-18 09:40 82,944 -c--a-w C:\WINDOWS\system32\404Fix.exe
    2008-05-15 23:58 12,632 -c--a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-15 23:48 446,464 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
    2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
    2008-04-22 14:16 59,488 -c--a-w C:\WINDOWS\system32\GenSvcInst.exe
    2008-04-22 14:16 145,504 -c--a-w C:\WINDOWS\system32\bgsvcgen.exe
    2006-05-03 09:06 163,328 -csha-r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 -csha-r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 12:43 27,648 -csha-w C:\WINDOWS\system32\Smab0.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-21_18.00.13.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-22 04:12:12 22,486 -c--a-r C:\WINDOWS\Installer\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\ARPPRODUCTICON.exe
    + 2002-09-16 05:14:32 4,228 -c--a-w C:\WINDOWS\system32\drivers\PQNTDRV.sys
    + 2002-09-16 05:16:48 1,357,032 -c--a-w C:\WINDOWS\system32\XMNT2002.exe
    + 2008-07-22 01:27:12 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat
    + 2008-07-22 02:35:03 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
    + 2008-07-22 01:27:00 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_654.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:07 15360]
    "uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-03-29 15:48 219952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 13:07 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:07 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:07 455168]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 10:54 37376]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 07:37 79224]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38 437008]
    "Ai Nap"="C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-01-28 12:55 1413120]
    "CPU Power Monitor"="C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 10:17 627200]
    "Cpu Level Up help"="C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-11-30 20:03 881152]
    "ASUS Energy Saving"="C:\Program Files\ASUS\AI Suite\EnergySaving\PwSave.exe" [2008-01-28 10:42 1352704]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-05 04:58 333120]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-11 03:28 16126464 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2007-04-05 05:22 1822720 C:\WINDOWS\SkyTel.exe]
    "nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:07 15360]

    C:\Documents and Settings\baka\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
    VersionTrackerPro.lnk - C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe [2008-05-06 20:06:26 2162688]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-07-22 01:17:47 1690824]
    VersionTrackerPro.lnk - C:\WINDOWS\Installer\{64A32253-A906-4AEB-B6A7-A90512B68D87}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe [2008-07-20 22:04:11 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "vidc.asv2"= asusasv2.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^baka^Start Menu^Programs^Startup^Xnet Usage Monitor.lnk]
    backup=C:\WINDOWS\pss\Xnet Usage Monitor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a--c--- 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
    --a--c--- 2007-07-18 15:20 1114112 C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a--c--- 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a--c--- 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a--c--- 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=
    "C:\\Program Files\\KWMUSIC\\KwMV.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 07:31]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 07:35]
    R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 17:12]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-12-20 12:53]
    S2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-20 20:21]
    S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 10:03]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\DOCUME~1\baka\LOCALS~1\Temp\RarSFX0\kerneld.wnt []
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-07 08:22]
    S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys []
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-22 16:41:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\C:\DOCUME~1\baka\LOCALS~1\Temp\RarSFX0\kerneld.wnt"
    .
    Completion time: 2008-07-22 16:41:49
    ComboFix-quarantined-files.txt 2008-07-22 04:41:43
    ComboFix2.txt 2008-07-21 06:00:26
    ComboFix3.txt 2008-07-07 12:37:30

    Pre-Run: 99,623,604,224 bytes free
    Post-Run: 99,622,768,640 bytes free

    296 --- E O F --- 2008-07-14 07:25:46
     
  15. 2008/07/21
    baka101

    baka101 Inactive Thread Starter

    Joined:
    2008/07/05
    Messages:
    25
    Likes Received:
    0
    avast reports Win32:Crypt-COW [Trj] also and yeh I just saw your post about combofix thanks
     
  16. 2008/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the C:\Qoobox\ComboFix2.txt log file as well.

    Did Avast give you any filename(s) and/or location(s)?
     
  17. 2008/07/23
    baka101

    baka101 Inactive Thread Starter

    Joined:
    2008/07/05
    Messages:
    25
    Likes Received:
    0
    ComboFix 08-07-18.1 - baka 2008-07-21 17:59:03.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279 [GMT 12:00]
    Running from: C:\Downloads\Software\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
    .

    2008-07-20 22:04 . 2008-07-20 22:04 <DIR> d----c--- C:\Program Files\TechTracker
    2008-07-20 18:35 . 2008-07-20 23:28 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\VersionTracker Pro
    2008-07-20 16:29 . 2008-07-20 16:29 <DIR> d----c--- C:\WINDOWS\Performance
    2008-07-20 16:28 . 2008-07-20 16:28 <DIR> d----c--- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
    2008-07-20 16:28 . 2008-07-20 16:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
    2008-07-20 15:56 . 2008-07-20 15:56 <DIR> d----c--- C:\Program Files\ClonySoft
    2008-07-20 15:56 . 2008-07-20 15:56 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\ClonySoft
    2008-07-20 03:01 . 2008-07-18 19:15 36,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-19 19:57 . 2008-07-20 13:32 <DIR> d----c--- C:\Program Files\Elcomsoft
    2008-07-19 19:57 . 2008-07-19 20:01 1,602 --a--c--- C:\WINDOWS\aopr.ini
    2008-07-16 22:03 . 2008-07-16 22:03 14,336 --a--c--- C:\WINDOWS\system32\drivers\PN31Snoop.sys
    2008-07-16 12:03 . 2008-07-19 19:33 3,373,917 --a--c--- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000002-80271102}.BAK
    2008-07-15 18:12 . 2008-07-16 12:02 <DIR> d----c--- C:\WINDOWS\NV672412128.TMP
    2008-07-15 09:55 . 2008-07-15 09:55 <DIR> d----c--- C:\Program Files\Lavasoft
    2008-07-14 22:12 . 2008-07-14 22:13 <DIR> d----c--- C:\$WIN_NT$.~BT
    2008-07-14 22:12 . 2008-05-06 11:15 454,055 -ra--c--- C:\txtsetup.sif
    2008-07-14 22:12 . 2008-04-14 09:02 260,288 -ra------ C:\$LDR$
    2008-07-09 18:26 . 2008-07-09 18:26 <DIR> d----c--- C:\Program Files\MSBuild
    2008-07-09 18:05 . 2008-07-09 18:05 <DIR> d----c--- C:\WINDOWS\system32\XPSViewer
    2008-07-09 18:01 . 2008-07-09 18:01 <DIR> d----c--- C:\Program Files\Reference Assemblies
    2008-07-09 18:00 . 2006-06-29 13:07 14,048 -----c--- C:\WINDOWS\system32\spmsg2.dll
    2008-07-09 15:17 . 2008-07-09 15:17 <DIR> d----c--- C:\Program Files\Moleskinsoft Directory Size 1.9.1
    2008-07-09 12:31 . 2008-07-09 12:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-09 01:41 . 2008-07-21 17:58 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\SiteAdvisor
    2008-07-09 01:41 . 2008-07-09 01:41 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-07-09 01:41 . 2008-07-09 01:41 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-07-08 21:49 . 2008-07-08 21:56 <DIR> d----c--- C:\Program Files\WhatsRunning
    2008-07-08 19:44 . 2008-07-08 19:44 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
    2008-07-08 19:44 . 2008-07-08 20:33 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-08 19:31 . 2008-07-08 19:31 <DIR> d----c--- C:\Program Files\BillP Studios
    2008-07-08 15:08 . 2008-05-30 14:11 3,850,760 --a--c--- C:\WINDOWS\system32\D3DX9_38.dll
    2008-07-08 15:08 . 2008-05-30 14:11 1,491,992 --a--c--- C:\WINDOWS\system32\D3DCompiler_38.dll
    2008-07-08 15:08 . 2008-05-30 14:19 507,400 --a--c--- C:\WINDOWS\system32\XAudio2_1.dll
    2008-07-08 15:08 . 2008-05-30 14:11 467,984 --a--c--- C:\WINDOWS\system32\d3dx10_38.dll
    2008-07-08 15:08 . 2008-05-30 14:18 238,088 --a--c--- C:\WINDOWS\system32\xactengine3_1.dll
    2008-07-08 15:08 . 2008-05-30 14:17 65,032 --a--c--- C:\WINDOWS\system32\XAPOFX1_0.dll
    2008-07-08 15:08 . 2008-05-30 14:17 25,608 --a--c--- C:\WINDOWS\system32\X3DAudio1_4.dll
    2008-07-08 15:04 . 2008-07-08 15:04 <DIR> d----c--- C:\WINDOWS\Logs
    2008-07-08 11:16 . 2008-07-08 11:16 <DIR> d----c--- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-08 11:16 . 2008-07-08 11:16 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-07-05 20:59 . 2008-07-05 21:27 <DIR> d----c--- C:\Program Files\Allok Video Joiner
    2008-07-05 17:55 . 2008-07-05 17:55 <DIR> d----c--- C:\Program Files\Trend Micro
    2008-07-03 20:06 . 2008-07-03 20:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Brother
    2008-07-03 20:04 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\drivers\usbprint.sys
    2008-07-03 20:04 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-07-03 19:08 . 2008-07-04 20:49 <DIR> d----c--- C:\Program Files\AVG
    2008-07-02 19:30 . 2008-07-20 13:47 <DIR> d----c--- C:\Program Files\SpywareBlaster
    2008-07-02 19:27 . 2008-07-20 13:43 <DIR> d----c--- C:\Program Files\SpywareGuard
    2008-07-02 16:50 . 2008-07-02 16:50 <DIR> d----c--- C:\Documents and Settings\Administrator
    2008-07-02 16:30 . 2007-12-24 17:37 138,384 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-02 16:29 . 2008-07-02 16:37 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\HouseCall 6.6
    2008-07-02 16:17 . 2008-01-04 20:56 1,526,640 --a--c--- C:\WINDOWS\WRSetup.dll
    2008-07-02 16:15 . 2008-07-02 16:15 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\WinPatrol
    2008-07-02 16:15 . 2008-07-02 16:15 164 --a--c--- C:\install.dat
    2008-07-02 15:28 . 2008-07-04 20:54 <DIR> d----c--- C:\Program Files\Enigma Software Group
    2008-07-02 15:13 . 2008-07-02 15:14 <DIR> d----c--- C:\Program Files\Panda Security
    2008-07-02 14:41 . 2008-07-02 14:54 <DIR> d----c--- C:\BFU
    2008-07-01 23:59 . 2008-07-01 23:59 <DIR> d----c--- C:\Program Files\Microsoft IntelliType Pro
    2008-07-01 23:57 . 2008-07-01 23:57 <DIR> d----c--- C:\Program Files\Microsoft IntelliType Pro 5.5
    2008-07-01 23:55 . 2007-08-21 01:13 21,760 --a--c--- C:\WINDOWS\system32\drivers\point32.sys
    2008-07-01 23:54 . 2008-07-01 23:55 <DIR> d----c--- C:\Program Files\Microsoft IntelliPoint
    2008-07-01 18:13 . 2008-05-01 16:35 53,248 --a--c--- C:\WINDOWS\system32\CSVer.dll
    2008-07-01 15:49 . 2008-07-01 15:49 <DIR> d----c--- C:\Program Files\Square Soft, Inc
    2008-07-01 15:48 . 1997-06-02 12:32 314,880 --a--c--- C:\WINDOWS\IsUninst.exe
    2008-07-01 15:31 . 2008-07-01 15:31 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\AptEdit
    2008-07-01 15:30 . 2008-07-01 15:30 <DIR> d----c--- C:\Program Files\Brother Technology
    2008-07-01 15:20 . 2008-07-01 15:20 <DIR> d----c--- C:\Program Files\Driver-Soft
    2008-06-29 22:10 . 2008-06-29 22:10 <DIR> d----c--- C:\Program Files\Torrent Harvester
    2008-06-29 17:26 . 2008-06-29 17:26 360,064 --a--c--- C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
    2008-06-28 15:26 . 2008-06-28 15:26 0 -ra--c--- C:\logwmemory.bin
    2008-06-28 11:40 . 2008-07-19 19:31 24,264 --a--c--- C:\WINDOWS\system32\BMXCtrlState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 24,264 --a--c--- C:\WINDOWS\system32\BMXBkpCtrlState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 16,324 --a--c--- C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 16,324 --a--c--- C:\WINDOWS\system32\BMXState-{00000004-00000000-00000001-00001102-00000002-80271102}.rfx
    2008-06-28 11:40 . 2008-07-19 19:31 24 --a--c--- C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-28 11:40 . 2008-07-19 19:31 24 --a--c--- C:\WINDOWS\system32\DVCState-{00000004-00000000-00000001-00001102-00000002-80271102}.dat
    2008-06-26 17:06 . 2008-06-27 01:17 <DIR> d--hsc--- C:\Diskeeper
    2008-06-26 16:02 . 2008-06-28 10:40 <DIR> d----c--- C:\Program Files\TubeSucker
    2008-06-26 15:13 . 2008-06-26 15:13 <DIR> d----c--- C:\Program Files\PerformanceTest
    2008-06-26 14:57 . 2008-06-26 14:57 <DIR> d----c--- C:\Program Files\Ashampoo
    2008-06-26 13:53 . 2008-06-26 13:53 <DIR> d----c--- C:\Program Files\FrostWire
    2008-06-26 13:53 . 2008-06-26 13:54 <DIR> d----c--- C:\Documents and Settings\baka\Shared
    2008-06-26 13:53 . 2008-06-26 15:03 <DIR> d----c--- C:\Documents and Settings\baka\Incomplete
    2008-06-26 13:53 . 2008-06-26 14:19 <DIR> d----c--- C:\Documents and Settings\baka\Application Data\FrostWire
    2008-06-26 13:15 . 2008-06-26 13:20 <DIR> d----c--- C:\Program Files\Your Uninstaller 2008
    2008-06-26 11:58 . 2008-06-26 11:58 <DIR> d--h-c--- C:\WINDOWS\PIF
    2008-06-24 19:07 . 2008-06-25 00:06 <DIR> d----c--- C:\WINDOWS\NV23562784.TMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-21 05:59 --------- dc----w C:\Documents and Settings\baka\Application Data\Free Download Manager
    2008-07-21 05:37 --------- dc----w C:\Documents and Settings\baka\Application Data\DMCache
    2008-07-21 05:14 --------- dc----w C:\Documents and Settings\baka\Application Data\uTorrent
    2008-07-20 19:14 --------- dc-h--w C:\Program Files\InstallShield Installation Information
    2008-07-20 13:57 --------- dc----w C:\Program Files\ewido anti-spyware 4.0
    2008-07-20 11:12 --------- dc----w C:\Program Files\Mozilla Thunderbird
    2008-07-20 10:00 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-20 06:36 --------- dc----w C:\Program Files\ImgBurn
    2008-07-20 01:32 --------- dc----w C:\Program Files\a-squared Free
    2008-07-19 15:01 --------- dc----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-19 00:32 --------- dc----w C:\Program Files\DivX
    2008-07-18 07:15 17,144 -c--a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-15 04:14 --------- dc----w C:\Program Files\Java
    2008-07-15 00:15 --------- dc----w C:\Program Files\Common Files\DVDVideoSoft
    2008-07-14 21:55 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-14 08:28 --------- dc----w C:\Documents and Settings\baka\Application Data\dvdcss
    2008-07-09 03:22 --------- dc----w C:\Program Files\Sierra
    2008-07-08 04:07 --------- dc----w C:\Program Files\Internet Download Manager
    2008-07-06 06:38 --------- dc----w C:\Program Files\Oni
    2008-07-06 04:58 --------- dc----w C:\Program Files\ASUS
    2008-07-06 04:14 --------- dc----w C:\Program Files\Konami
    2008-07-02 05:45 --------- dc----w C:\Program Files\KWMUSIC
    2008-07-02 00:42 --------- dc----w C:\Program Files\SUPERAntiSpyware
    2008-07-01 05:51 --------- dc----w C:\Program Files\Xnet Usage Monitor
    2008-07-01 04:18 --------- dc----w C:\Documents and Settings\baka\Application Data\BITS
    2008-06-26 03:03 --------- dc----w C:\Documents and Settings\baka\Application Data\LimeWire
    2008-06-26 01:53 --------- dc----w C:\Program Files\LimeWire
    2008-06-26 01:18 --------- dc----w C:\Program Files\Your Uninstaller 2006
    2008-06-26 01:16 --------- dc----w C:\Documents and Settings\baka\Application Data\URSoft
    2008-06-22 07:37 --------- dc----w C:\Documents and Settings\baka\Application Data\ppstream
    2008-06-22 07:34 --------- dc----w C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-06-22 07:32 --------- dc----w C:\Program Files\Common Files\Autodesk Shared
    2008-06-22 07:32 --------- dc----w C:\Program Files\Autodesk
    2008-06-20 17:41 245,248 -c--a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-19 04:05 --------- dc----w C:\Documents and Settings\baka\Application Data\IDM
    2008-06-18 17:52 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-06-18 06:06 --------- dc----w C:\Documents and Settings\baka\Application Data\Autodesk
    2008-06-16 07:07 --------- dc----w C:\Documents and Settings\baka\Application Data\StudyMinder
    2008-06-16 07:01 --------- dc----w C:\Program Files\StudyMinder_LITE
    2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:46 --------- dc----w C:\Program Files\StepMania
    2008-06-11 00:07 524,288 -c--a-w C:\WINDOWS\system32\DivXsm.exe
    2008-06-11 00:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-06-11 00:04 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
    2008-06-11 00:04 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
    2008-06-10 01:30 --------- dc----w C:\Documents and Settings\baka\Application Data\DSVE-GUI
    2008-06-03 07:07 --------- dc----w C:\Program Files\AviSynth 2.5
    2008-06-03 06:31 --------- dc----w C:\Program Files\eRightSoft
    2008-06-03 05:50 --------- dc----w C:\Program Files\Witcobber
    2008-06-03 05:17 --------- dc----w C:\Program Files\Allok MPEG4 Converter
    2008-06-03 05:16 --------- dc----w C:\Program Files\Common Files\Download Manager
    2008-06-03 04:07 --------- dc----w C:\Program Files\DVDVideoSoft
    2008-06-03 03:59 --------- dc----w C:\Program Files\YouTube Downloader
    2008-06-01 04:55 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-06-01 03:26 --------- dc----w C:\Program Files\RogueRemover FREE
    2008-06-01 02:47 3,750 -c--a-w C:\WINDOWS\system32\tmp.reg
    2008-06-01 01:38 444,952 -c--a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-06-01 01:38 --------- dc----w C:\Program Files\OpenAL
    2008-05-31 16:12 --------- dc----w C:\Program Files\Common Files\Java
    2008-05-31 05:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
    2008-05-28 21:35 86,528 -c--a-w C:\WINDOWS\system32\VACFix.exe
    2008-05-27 03:41 --------- dc----w C:\Program Files\Common Files\DirectX
    2008-05-27 02:36 --------- dc----w C:\Program Files\WinPcap
    2008-05-24 03:37 --------- dc----w C:\Program Files\Microsoft Silverlight
    2008-05-22 22:18 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-05-18 09:40 82,944 -c--a-w C:\WINDOWS\system32\IEDFix.exe
    2008-05-18 09:40 82,944 -c--a-w C:\WINDOWS\system32\404Fix.exe
    2008-05-15 23:58 12,632 -c--a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-15 23:48 446,464 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
    2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 -c--a-w C:\WINDOWS\system32\wininet.dll
    2008-04-22 14:16 59,488 -c--a-w C:\WINDOWS\system32\GenSvcInst.exe
    2008-04-22 14:16 145,504 -c--a-w C:\WINDOWS\system32\bgsvcgen.exe
    2006-05-03 09:06 163,328 -csha-r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 -csha-r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 12:43 27,648 -csha-w C:\WINDOWS\system32\Smab0.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:07 15360]
    "uTorrent "= "C:\Program Files\uTorrent\utorrent.exe" [2008-03-29 15:48 219952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 13:07 208952]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:07 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 13:07 455168]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2008-01-16 10:54 37376]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 07:37 79224]
    "UpdReg "= "C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection "= "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "ezShieldProtector for Px "= "C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IntelliPoint "= "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
    "itype "= "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38 437008]
    "Ai Nap "= "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-01-28 12:55 1413120]
    "CPU Power Monitor "= "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 10:17 627200]
    "Cpu Level Up help "= "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-11-30 20:03 881152]
    "ASUS Energy Saving "= "C:\Program Files\ASUS\AI Suite\EnergySaving\PwSave.exe" [2008-01-28 10:42 1352704]
    "WinPatrol "= "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-05 04:58 333120]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
    "RTHDCPL "= "RTHDCPL.EXE" [2007-04-11 03:28 16126464 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel "= "SkyTel.EXE" [2007-04-05 05:22 1822720 C:\WINDOWS\SkyTel.exe]
    "nwiz "= "nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]
    "WINDVDPatch "= "CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:07 15360]

    C:\Documents and Settings\baka\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
    VersionTrackerPro.lnk - C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe [2008-05-06 20:06:26 2162688]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VersionTrackerPro.lnk - C:\WINDOWS\Installer\{64A32253-A906-4AEB-B6A7-A90512B68D87}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe [2008-07-20 22:04:11 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= i420vfw.dll
    "vidc.asv2 "= asusasv2.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^baka^Start Menu^Programs^Startup^Xnet Usage Monitor.lnk]
    backup=C:\WINDOWS\pss\Xnet Usage Monitor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a--c--- 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
    --a--c--- 2007-07-18 15:20 1114112 C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a--c--- 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a--c--- 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a--c--- 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\uTorrent\\utorrent.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe "=
    "C:\\Program Files\\KWMUSIC\\KwMV.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 07:31]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 07:35]
    R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-07-18 19:15]
    R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-18 19:15]
    R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 17:12]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-12-20 12:53]
    S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 10:03]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\DOCUME~1\baka\LOCALS~1\Temp\RarSFX0\kerneld.wnt []
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-07 08:22]
    S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys []
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-21 17:59:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]
    "ImagePath "= "\??\C:\DOCUME~1\baka\LOCALS~1\Temp\RarSFX0\kerneld.wnt "
    .
    Completion time: 2008-07-21 18:00:25
    ComboFix-quarantined-files.txt 2008-07-21 06:00:18
    ComboFix2.txt 2008-07-07 12:37:30

    Pre-Run: 100,428,341,248 bytes free
    Post-Run: 100,449,980,416 bytes free

    279 --- E O F --- 2008-07-14 07:25:46
     
  18. 2008/07/23
    baka101

    baka101 Inactive Thread Starter

    Joined:
    2008/07/05
    Messages:
    25
    Likes Received:
    0
    22/07/2008 16:37:56 SYSTEM 1620 Sign of "Win32:Crypt-COW [Trj]" has been found in "E:\SYSTEM VOLUME INFORMATION\_RESTORE{8E9D9BA8-4D4C-4A55-95C8-41CE5D71C9CE}\RP10\A0002230.EXE" file.
    22/07/2008 16:35:06 SYSTEM 1620 Sign of "Win32:Crypt-COW [Trj]" has been found in "E:\SOFTWARE\FGCN_553.EXE" file.
     
  19. 2008/07/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ahh yes. The System Restore points were not cleared on all drives. Let's remedy that.

    Right click My Computer and select Properties
    Select the System Restore tab
    Select a drive (other than your operating system drive, usually C: ) in the list that is shown as Monitoring then click Settings
    Select the box in the popup to Turn off System Restore on this drive and click OK
    Repeat for all drives listed
    Once you've turned them off, you can go back and clear the box to turn it back on, if desired
    This will clear the infected System Restore points on those drives as well.
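    The two avast! lines quoted above make the distinction that matters here: one hit sits inside a `System Volume Information\_restore{...}\RPnn\` folder (a copy held by System Restore, which only the toggle procedure described in this post can clear), the other is a live file on the E: drive that the scanner itself must quarantine. The following Python is an added example, not part of the thread or of any tool named in it: it parses avast!-style log lines, separates restore-point hits from on-disk files, and reports which drive letters still need System Restore turned off and back on. The first two sample lines are the ones quoted in the thread; the third (drive D:, all-zero GUID) is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the avast! warning-log format quoted in the thread:
# "DD/MM/YYYY HH:MM:SS <user> <pid> Sign of "<signature>" has been found in "<path>" file."
# Lines 1-2 are the thread's own; line 3 (drive D:, all-zero GUID) is a placeholder.
SAMPLE_LOG = """\
22/07/2008 16:37:56 SYSTEM 1620 Sign of "Win32:Crypt-COW [Trj]" has been found in "E:\\SYSTEM VOLUME INFORMATION\\_RESTORE{8E9D9BA8-4D4C-4A55-95C8-41CE5D71C9CE}\\RP10\\A0002230.EXE" file.
22/07/2008 16:35:06 SYSTEM 1620 Sign of "Win32:Crypt-COW [Trj]" has been found in "E:\\SOFTWARE\\FGCN_553.EXE" file.
22/07/2008 16:31:12 SYSTEM 1620 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP3\\A0000012.DLL" file.
"""

# One avast! warning line: date, time, account, pid, signature name, full path.
_LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)

# Windows XP System Restore layout: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
_RESTORE_RE = re.compile(
    r'^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\',
    re.IGNORECASE,
)


def parse_avast_line(line):
    """Return a dict of the line's fields, or None if it is not a warning line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields


def classify_detection(path):
    """Classify a detected path as ('restore_point', drive, rp_number) or ('file', drive, None).

    Restore-point copies are inert until a restore is performed; the only way to remove
    them on XP is to turn System Restore off (and optionally back on) for that drive.
    """
    m = _RESTORE_RE.match(path)
    if m:
        return ("restore_point", m.group("drive").upper(), int(m.group("rp")))
    drive = path[0].upper() if len(path) > 1 and path[1] == ":" else None
    return ("file", drive, None)


def summarize(log_text):
    """Group detections by kind; each entry keeps the path, signature and restore point."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avast_line(line)
        if rec is None:
            continue  # not a warning line; ignore rather than crash
        kind, drive, rp = classify_detection(rec["path"])
        summary[kind].append(
            {"drive": drive, "rp": rp, "sig": rec["sig"], "path": rec["path"]}
        )
    return dict(summary)


def drives_needing_sr_toggle(log_text):
    """Drive letters whose restore points still hold detected files."""
    hits = summarize(log_text).get("restore_point", [])
    return sorted({h["drive"] for h in hits if h["drive"]})


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for h in report.get("file", []):
        print(f"live file on {h['drive']}: {h['path']}  [{h['sig']}] -> quarantine with the scanner")
    for h in report.get("restore_point", []):
        print(f"restore point RP{h['rp']} on {h['drive']}: {h['path']}  [{h['sig']}]")
    print("turn System Restore off/on for drives:", ", ".join(drives_needing_sr_toggle(SAMPLE_LOG)))
```

    Run against a full avast! warning log, the last line tells you exactly which drives' System Restore tabs to visit; a drive that appears only under "live file" does not need the toggle, and a restore-point-only hit is not evidence of an active infection.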
     
  20. 2008/07/25
    baka101

    baka101 Inactive Thread Starter

    Joined:
    2008/07/05
    Messages:
    25
    Likes Received:
    0
    I did that and yes, Win32 Trojan-gen disappeared. In future, if Trojan-gen appears in the System Volume Information directory, must I turn off System Restore and then back on again to clear it?

    Thanks very much for your ongoing help
     
  21. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes. That is the only way to clear those infected restore points. :)

    Everything else as it should be now?
     
