
[Inactive] W32.ircbot.gen

Discussion in 'Malware and Virus Removal Archive' started by Herd72, 2008/10/17.

  1. 2008/10/30
    Herd72

    Herd72 Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    105
    Likes Received:
    0
    Hope I did this right?!?
    Jim

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Program Files\LimeWire
    C:\Program Files\LimeWire\lib\aopalliance.jar
    C:\Program Files\LimeWire\lib\clink.jar
    C:\Program Files\LimeWire\lib\commons-codec-1.3.jar
    C:\Program Files\LimeWire\lib\commons-logging.jar
    C:\Program Files\LimeWire\lib\commons-net.jar
    C:\Program Files\LimeWire\lib\commons-pool.jar
    C:\Program Files\LimeWire\lib\daap.jar
    C:\Program Files\LimeWire\lib\forms.jar
    C:\Program Files\LimeWire\lib\foxtrot.jar
    C:\Program Files\LimeWire\lib\gettext-commons.jar
    C:\Program Files\LimeWire\lib\guice-1.0.jar
    C:\Program Files\LimeWire\lib\httpclient-4.0-alpha2-HTTPCLIENT-730.jar
    C:\Program Files\LimeWire\lib\httpcore-4.0-alpha6.jar
    C:\Program Files\LimeWire\lib\httpcore-nio-4.0-alpha6.jar
    C:\Program Files\LimeWire\lib\httpcore-niossl-4.0-alpha6.jar
    C:\Program Files\LimeWire\lib\icu4j.jar
    C:\Program Files\LimeWire\lib\jaudiotagger.jar
    C:\Program Files\LimeWire\lib\jcraft.jar
    C:\Program Files\LimeWire\lib\jdic.dll
    C:\Program Files\LimeWire\lib\jdic.jar
    C:\Program Files\LimeWire\lib\jdic_stub.jar
    C:\Program Files\LimeWire\lib\jflac.jar
    C:\Program Files\LimeWire\lib\jl.jar
    C:\Program Files\LimeWire\lib\jmdns.jar
    C:\Program Files\LimeWire\lib\jogg.jar
    C:\Program Files\LimeWire\lib\jorbis.jar
    C:\Program Files\LimeWire\lib\LimeWire.jar
    C:\Program Files\LimeWire\lib\log4j.jar
    C:\Program Files\LimeWire\lib\looks.jar
    C:\Program Files\LimeWire\lib\messages.jar
    C:\Program Files\LimeWire\lib\mp3spi.jar
    C:\Program Files\LimeWire\lib\onion-common.jar
    C:\Program Files\LimeWire\lib\onion-fec.jar
    C:\Program Files\LimeWire\lib\ProgressTabs.jar
    C:\Program Files\LimeWire\lib\swt.jar
    C:\Program Files\LimeWire\lib\SystemUtilities.dll
    C:\Program Files\LimeWire\lib\themes.jar
    C:\Program Files\LimeWire\lib\tray.dll
    C:\Program Files\LimeWire\lib\tritonus.jar
    C:\Program Files\LimeWire\lib\vorbisspi.jar
    C:\Program Files\LimeWire\LimeWire.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-30 )))))))))))))))))))))))))))))))
    .

    2008-10-30 11:36 . 2008-10-30 11:37 299,040,038 --a------ C:\Windows\MEMORY.DMP
    2008-10-28 19:52 . 2008-08-11 23:29 441,856 --a------ C:\Windows\System32\win32spl.dll
    2008-10-28 19:52 . 2008-08-11 23:29 37,376 --a------ C:\Windows\System32\printcom.dll
    2008-10-21 23:22 . 2008-10-21 23:22 <DIR> d-------- C:\rsit
    2008-10-21 23:22 . 2008-10-27 09:33 <DIR> d-------- C:\Program Files\trend micro
    2008-10-21 23:08 . 2008-10-21 23:08 <DIR> d-------- C:\Users\Jim LeMaster\AppData\Roaming\Malwarebytes
    2008-10-21 23:08 . 2008-10-21 23:08 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-10-21 23:08 . 2008-10-21 23:08 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-10-21 23:08 . 2008-10-21 23:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-21 23:08 . 2008-10-16 20:25 38,496 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
    2008-10-21 23:08 . 2008-10-16 20:25 15,504 --a------ C:\Windows\System32\drivers\mbam.sys
    2008-10-21 14:24 . 2008-10-21 14:24 <DIR> d-------- C:\Users\All Users\HipSoft
    2008-10-21 14:24 . 2008-10-21 14:24 <DIR> d-------- C:\ProgramData\HipSoft
    2008-10-17 15:19 . 2008-10-17 15:19 118 --a------ C:\Windows\System32\MRT.INI
    2008-10-17 15:11 . 2008-09-17 22:03 2,027,520 --a------ C:\Windows\System32\win32k.sys
    2008-10-17 15:11 . 2008-08-05 23:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll
    2008-10-17 15:11 . 2008-08-05 23:27 428,032 --a------ C:\Windows\System32\EncDec.dll
    2008-10-17 15:11 . 2008-08-05 23:27 292,352 --a------ C:\Windows\System32\psisdecd.dll
    2008-10-17 15:11 . 2008-08-25 21:12 290,304 --a------ C:\Windows\System32\drivers\srv.sys
    2008-10-17 15:11 . 2008-08-05 23:26 217,088 --a------ C:\Windows\System32\psisrndr.ax
    2008-10-17 15:11 . 2008-08-05 23:26 177,152 --a------ C:\Windows\System32\mpg2splt.ax
    2008-10-17 15:11 . 2008-08-05 23:26 80,896 --a------ C:\Windows\System32\MSNP.ax
    2008-10-17 15:11 . 2008-08-05 23:26 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
    2008-10-17 15:11 . 2008-08-05 23:26 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
    2008-10-17 15:09 . 2008-09-18 00:35 3,505,208 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-10-17 15:09 . 2008-09-18 00:35 3,470,904 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-10-16 19:51 . 2008-10-16 20:17 <DIR> d-------- C:\Dad's Photos
    2008-10-11 22:34 . 2008-10-11 22:57 <DIR> d-------- C:\M&M Wedding
    2008-09-30 19:29 . 2008-09-30 19:29 <DIR> d-------- C:\Users\Jim LeMaster\AppData\Roaming\EleFun Games
    2008-09-20 20:43 . 2008-09-20 20:43 348,728 --a------ C:\rules09.wpd
    2008-09-20 20:37 . 2008-09-25 21:49 5,717,013 --a------ C:\News09pt1.wpd
    2008-09-20 13:02 . 2008-09-20 13:03 7,837 --a------ C:\PARENT LETTER 09.wpd
    2008-09-20 12:46 . 2008-09-20 12:50 395,977 --a------ C:\2009 First Meeting.wpd
    2008-09-20 11:58 . 2008-09-20 11:58 <DIR> d-------- C:\Users\Jim LeMaster\AppData\Roaming\.starphone
    2008-09-17 14:40 . 2008-09-18 22:37 <DIR> d-------- C:\Program Files\Common Files\Pointstone
    2008-09-17 13:11 . 2008-09-17 13:52 <DIR> d-------- C:\Users\Jim LeMaster\AppData\Roaming\FrostWire
    2008-09-17 13:11 . 2008-09-17 14:09 <DIR> d-------- C:\Program Files\FrostWire
    2008-09-16 21:39 . 2008-09-16 21:40 5,418 --a------ C:\possible lineup.wpd
    2008-09-16 13:25 . 2008-09-16 21:32 <DIR> d-------- C:\Wrestle 09
    2008-09-13 15:50 . 2008-07-30 19:47 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-09-13 15:50 . 2008-07-30 23:34 1,686,528 --a------ C:\Windows\System32\gameux.dll
    2008-09-13 15:50 . 2008-07-30 23:34 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
    2008-09-13 15:49 . 2008-06-25 23:22 303,616 --a------ C:\Windows\System32\wmpeffects.dll
    2008-09-09 19:49 . 2008-09-09 19:49 <DIR> d-------- C:\Program Files\The Price Is Right
    2008-09-09 19:46 . 2008-09-09 19:46 88 --a------ C:\Windows\Ejigman2.ini
    2008-09-09 19:44 . 2008-09-09 19:44 <DIR> d-------- C:\Program Files\Nodtronics
    2008-09-09 19:09 . 2008-09-09 19:09 <DIR> d-------- C:\Windows\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 17:55 --------- d---a-w C:\ProgramData\TEMP
    2008-10-22 00:22 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-10-17 19:58 --------- d-----w C:\Program Files\Windows Mail
    2008-10-17 19:21 --------- d-----w C:\ProgramData\Microsoft Help
    2008-10-14 00:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-09 14:31 --------- d-----w C:\Users\Jim LeMaster\AppData\Roaming\Vso
    2008-10-02 03:49 826,368 ----a-w C:\Windows\System32\wininet.dll
    2008-10-02 03:49 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-10-02 03:49 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-10-02 03:48 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-09-29 21:30 --------- d-----w C:\Program Files\Frame Maker Pro
    2008-09-09 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
    2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe
    2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll
    2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll
    2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll
    2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
    2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll
    2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
    2008-07-19 02:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll
    2008-07-19 00:44 31,232 ----a-w C:\Windows\System32\wuapp.exe
    2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll
    2008-07-09 07:10 174 --sha-w C:\Program Files\desktop.ini
    2008-01-12 01:34 47,360 ----a-w C:\Users\Jim LeMaster\AppData\Roaming\pcouffin.sys
    2007-11-04 20:14 16,607,023 ----a-w C:\Program Files\Monopoly_Classic_v1.0.406_Thinstalled.rar
    2006-12-01 00:41 262,144 ----a-w C:\ProgramData\ntuser.dat
    2007-09-19 20:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2007-09-19 20:46 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2007-09-19 20:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-21_13.28.13.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-21 17:20:57 6,584,856 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2008-10-30 15:22:57 6,584,856 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2008-10-30 15:37:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-10-30 15:37:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2008-10-21 17:22:54 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-10-30 15:38:57 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-10-30 15:38:57 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
    - 2008-10-21 17:22:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-10-30 15:38:57 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-10-30 15:38:57 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    - 2008-10-21 17:10:06 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-28 23:54:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-10-21 17:10:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-10-28 23:54:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-21 17:10:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-10-28 23:54:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-21 17:16:36 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    + 2008-10-30 15:31:45 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
    - 2006-11-02 09:46:11 425,472 ----a-w C:\Windows\System32\netapi32.dll
    + 2008-10-16 04:40:36 425,472 ----a-w C:\Windows\System32\netapi32.dll
    + 2008-10-22 13:36:35 2,456 ----a-w C:\Windows\System32\networklist\icons\{0FD74EE1-2248-4573-B14F-1F0A22B28210}_24.bin
    + 2008-10-22 13:36:35 4,280 ----a-w C:\Windows\System32\networklist\icons\{0FD74EE1-2248-4573-B14F-1F0A22B28210}_32.bin
    + 2008-10-22 13:36:35 9,560 ----a-w C:\Windows\System32\networklist\icons\{0FD74EE1-2248-4573-B14F-1F0A22B28210}_48.bin
    + 2008-10-22 13:36:26 2,456 ----a-w C:\Windows\System32\networklist\icons\{DBF0AE38-04C0-4D25-BC4C-6C97710CA457}_24.bin
    + 2008-10-22 13:36:26 4,280 ----a-w C:\Windows\System32\networklist\icons\{DBF0AE38-04C0-4D25-BC4C-6C97710CA457}_32.bin
    + 2008-10-22 13:36:26 9,560 ----a-w C:\Windows\System32\networklist\icons\{DBF0AE38-04C0-4D25-BC4C-6C97710CA457}_48.bin
    - 2008-10-21 17:16:20 104,868 ----a-w C:\Windows\System32\perfc009.dat
    + 2008-10-30 15:30:42 104,868 ----a-w C:\Windows\System32\perfc009.dat
    - 2008-10-21 17:16:21 621,552 ----a-w C:\Windows\System32\perfh009.dat
    + 2008-10-30 15:30:42 621,552 ----a-w C:\Windows\System32\perfh009.dat
    - 2008-10-17 20:04:20 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
    + 2008-10-28 23:58:48 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
    - 2008-10-21 17:25:36 15,662 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2945078278-320699333-1265183931-1000_UserData.bin
    + 2008-10-30 15:40:06 16,000 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2945078278-320699333-1265183931-1000_UserData.bin
    - 2008-10-21 17:25:35 69,684 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-10-30 15:40:06 69,772 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-10-21 17:12:22 70,082 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-10-30 15:26:24 70,712 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2008-10-17 19:21:01 134,759,437 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
    + 2008-10-28 23:52:52 134,967,998 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
    + 2008-10-16 04:40:36 425,472 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a\netapi32.dll
    + 2008-10-16 04:22:27 425,984 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d\netapi32.dll
    + 2008-10-16 04:47:33 466,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\netapi32.dll
    + 2008-10-16 04:38:26 466,944 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563\netapi32.dll
    + 2008-08-12 03:29:17 37,376 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\printcom.dll
    + 2008-08-12 03:29:18 441,856 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\win32spl.dll
    + 2008-08-12 03:17:47 37,376 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\printcom.dll
    + 2008-08-12 03:18:17 444,928 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\win32spl.dll
    + 2008-01-19 07:36:07 37,888 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\printcom.dll
    + 2008-08-12 03:39:08 443,392 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\win32spl.dll
    + 2008-08-12 03:25:35 37,888 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\printcom.dll
    + 2008-08-12 03:25:37 443,392 ----a-w C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\win32spl.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2006-11-06 15:46 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2006-11-06 15:46 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
    "PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2006-07-20 151552]
    "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-22 409264]
    "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-11-28 52912]
    "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2006-11-20 446128]
    "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-11-29 523952]
    "TOSHIBA Volume Indicator"="C:\Program Files\Toshiba\Utilities\VolControl.exe" [2006-10-30 94208]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 141848]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 154136]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 129560]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NDSTray.exe"="NDSTray.exe" [BU]

    C:\Users\Jim LeMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-11-06 15:34 52224 C:\Windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
    "msacm.divxa32"= divxa32.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2945078278-320699333-1265183931-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{535A5CEB-1BB9-4A8A-93F2-2352D959AA4A}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
    "{B01F51DB-8620-4F20-9ED7-D2987E8BE7BE}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
    "{C0811495-00E0-49DD-A7F5-8300FFFDC7EA}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
    "{0F896869-9B5E-4814-BBEA-4C98D86616FA}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
    "{0C59AC63-5722-4A29-A859-886E6263729A}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
    "{A1E1563D-F338-477C-95C0-30A619F988F8}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{A78C4FF9-B948-4505-9399-9271587046E1}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{28F99DCF-E79F-4A8A-93BC-27334C5FDA71}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{C3A0C0FE-0E47-4A6E-A8F3-10771C67CECC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{E0A63230-877C-4091-AECB-EE5938BF78EC}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{79226944-8113-4AAB-BFB3-E18B1F6990A9}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:FrostWire
    "{6284E5B1-A60E-4E72-ACD4-59C378C0F66B}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:FrostWire

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
    "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
    R3 BoiHwsetup;Access 32bits INT15 routine;C:\Windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
    R3 qkbfiltr;Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]
    S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 21832]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-30 11:39:55
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Windows\System32\audiodg.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Protector Suite QL\upeksvr.exe
    C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    C:\Toshiba\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Windows\System32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\drivers\XAudio.exe
    C:\Windows\System32\WerFault.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Windows\System32\igfxsrvc.exe
    C:\Windows\System32\wbem\WMIADAP.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-30 11:47:27 - machine was rebooted [Jim LeMaster]
    ComboFix-quarantined-files.txt 2008-10-30 15:47:18
    ComboFix2.txt 2008-10-21 17:29:19

    Pre-Run: 149,083,516,928 bytes free
    Post-Run: 148,808,298,496 bytes free

    314 --- E O F --- 2008-10-28 23:54:29
     
  2. 2008/10/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good, Jim. The only thing I see remaining is that the ability to use Ctrl+Alt+Del to access the task manager is disabled. If you want to remedy that, proceed as follows.

    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disableCAD"=-
    
    Right click fix.reg and select 'Run as Administrator', then allow it to merge with the registry. Now delete fix.reg.


    I'd say we're done except for cleaning up the tools we've used. If you'd care to do another online scan with Kaspersky to verify, I'd recommend doing so. If you're comfortable as is, just say so and I'll post instructions for wrapping things up.
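The fix above removes a single policy value by hand. As an added example that is not part of this thread, of ComboFix, or of any of the tools named here, the Python below reads a ComboFix-style "Reg Loading Points" section, flags the DisableCAD policy value and the Security Center DisableMonitoring entries that appeared in the log, and generates the same REGEDIT4 deletion text; the sample section is constructed from the key/value lines in the log (with a placeholder SID) and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'Reg Loading Points' lines ComboFix
# printed in the log above (REGEDIT4-style keys and values). Placeholder SID.
SAMPLE_REG_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-PLACEHOLDER-1000]
"EnableNotificationsRef"=dword:00000001
"""


@dataclass
class Finding:
    key: str
    name: str
    value: int
    action: str  # "remediate" (delete the value) or "review" (confirm it is legitimate)
    note: str


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_dword(raw):
    """Accept both forms ComboFix prints: 'dword:00000001' and '1 (0x1)'. None if not numeric."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_reg_section(text):
    """Yield (key, value_name, raw_value) for every value line under its [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def audit_loading_points(text):
    """Flag the policy and Security Center values worth a second look (non-zero values only)."""
    findings = []
    for key, name, raw in parse_reg_section(text):
        k, n = key.lower(), name.lower()
        value = parse_dword(raw)
        if not value:  # None or 0: nothing is disabled
            continue
        if k.endswith("\\policies\\system") and n == "disablecad":
            findings.append(Finding(key, name, value, "remediate",
                "Ctrl+Alt+Del disabled by policy, so Task Manager cannot be reached that way"))
        elif "\\security center\\monitoring\\" in k and n == "disablemonitoring":
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding(key, name, value, "review",
                f"Security Center monitoring of {product} is off; third-party AV products "
                "commonly set this themselves, so confirm the product is actually installed"))
    return findings


def remediation_reg(findings):
    """REGEDIT4 text deleting each 'remediate' value, using the =- deletion form from the thread."""
    by_key = {}
    for f in findings:
        if f.action == "remediate":
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_loading_points(SAMPLE_REG_SECTION)
    for f in found:
        print(f"{f.action:9} {f.key}\\{f.name} = {f.value}  ({f.note})")
    print(remediation_reg(found))
```

Only DisableCAD is turned into a deletion, matching what the post does; the DisableMonitoring entries are reported for review because installed antivirus products normally register that value themselves, and deleting it blindly would just make Security Center complain about a product that is working.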
     


  4. 2008/10/31
    Herd72

    Herd72 Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    105
    Likes Received:
    0
    Fixed the registry - updating database in Kaspersky now and then will run scan and post. Thanks so much for all your help, you have been most patient and understanding with my somewhat bumbling attempts. I will post up the scan when it finishes running.
    Jim
     
  5. 2008/11/01
    Herd72

    Herd72 Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    105
    Likes Received:
    0
    Here is the Kaspersky Log. Looks like there may be more work to be done. Sigh :>(
    Jim

    Saturday, November 1, 2008
    Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, November 01, 2008 12:58:17
    Records in database: 1366055

    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area: My Computer
    C:\
    D:\

    Scan statistics
    Files scanned: 135763
    Threat name: 5
    Infected objects: 10
    Suspicious objects: 0
    Duration of the scan: 04:08:39

    File name Threat name Threats count
    C:\000 Downloads Summer 000\April -May 08\July 08\Delicious_Winter_Edition_Deluxe.rar Infected: Backdoor.Win32.Agent.tpi 1
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
    C:\Qoobox\Quarantine\C\Windows\tskmgr.exe.vir Infected: Trojan-Dropper.Win32.Delf.byv 1
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
    C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial(2).exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
    C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
    The selected area was scanned.
     
  6. 2008/11/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Delete the following files.

    C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial.exe
    C:\000 Downloads Summer 000\April -May 08\July 08\Delicious_Winter_Edition_Deluxe.rar

    Looks as though emptying the Norton quarantined items wasn't effective, so see if you can do it manually. Delete everything within the following 2 quarantine folders.


    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

    If successful, empty the recycle bin and let me know when done so we can clean up.
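The post above sorts the Kaspersky findings into files that have to go and entries that are only other tools' quarantine copies. As an added example that is not part of this thread or of Kaspersky's scanner, the Python below parses report lines in that format and applies the same triage, and also folds the duplicate "C:\Users\All Users" listings onto "C:\ProgramData" (on Vista the former is a junction to the latter, which is why the same .VBN files are listed twice). The sample lines are constructed after the report above with shortened paths and a placeholder user profile; the function names are my own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the Kaspersky Online Scanner report format seen in the
# thread; paths shortened and the user profile replaced with a placeholder.
SAMPLE_KASPERSKY_REPORT = r"""
C:\Downloads\Delicious_Winter_Edition_Deluxe.rar Infected: Backdoor.Win32.Agent.tpi 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
C:\Qoobox\Quarantine\C\Windows\tskmgr.exe.vir Infected: Trojan-Dropper.Win32.Delf.byv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
C:\Users\USER\Downloads\Nero-8.1.1.0b_eng_trial.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
"""

# Directory-name pairs that mark another tool's quarantine store (both must be path components).
QUARANTINE_MARKERS = (
    ("Symantec AntiVirus Corporate Edition", "Quarantine"),  # Symantec AV .VBN store
    ("Qoobox", "Quarantine"),                                  # ComboFix .vir store
)

# "<path> Infected: <threat name> <count>"; the path may contain spaces, so it is non-greedy.
_LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def parse_report(text):
    """Yield (path, threat_name, count) for each detection line."""
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            yield m["path"], m["threat"], int(m["count"])


def canonical_path(path):
    """Fold the All Users profile path onto ProgramData (a junction on Vista),
    so one quarantined file listed under both names is counted once."""
    prefix = "c:\\users\\all users\\"
    if path.lower().startswith(prefix):
        return "C:\\ProgramData\\" + path[len(prefix):]
    return path


def is_quarantined(path):
    """True when the path sits inside one of the known quarantine stores."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(a.lower() in parts and b.lower() in parts for a, b in QUARANTINE_MARKERS)


def triage(text):
    """Map each distinct file to (category, threat_name, count)."""
    result = {}
    for path, threat, count in parse_report(text):
        canon = canonical_path(path)
        if canon in result:  # junction duplicate of a file already seen
            continue
        if is_quarantined(canon):
            category = "already_quarantined"  # contained: empty that tool's quarantine
        elif threat.startswith("not-a-virus:"):
            category = "riskware"             # toolbar/fraud tool: remove, lower urgency
        else:
            category = "live_malware"         # unquarantined malicious file: remove first
        result[canon] = (category, threat, count)
    return result


def summarize(triaged):
    """Count files per category."""
    return dict(Counter(category for category, _, _ in triaged.values()))


if __name__ == "__main__":
    triaged = triage(SAMPLE_KASPERSKY_REPORT)
    for path, (category, threat, count) in triaged.items():
        print(f"{category:19} {threat:45} {path}")
    print(summarize(triaged))
```

The categories map directly onto the advice in the post: `live_malware` and `riskware` are the files to delete from disk, while `already_quarantined` entries are handled by emptying the quarantine folder of the tool that owns them rather than by hunting for the .VBN or .vir files individually.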
     
  7. 2008/11/03
    Herd72

    Herd72 Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    105
    Likes Received:
    0
    I was able to delete the following:
    C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial.exe
    C:\000 Downloads Summer 000\April -May 08\July 08\Delicious_Winter_Edition_Deluxe.rar

    But ... I can't seem to find the Norton Files following the path Kaspersky gives me. When I go to users there is not an all users to choose from! However, when I open the Symantec Antivirus and view the quarantine files it is empty! Maybe they are already gone and still showing up?

    Should we just clean up and leave it like that or continue to search for them?
    Jim
     
  8. 2008/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>Run (if you don't have Run, see below) then paste the first of the following paths into the run dialog and hit Enter. Be sure to include the quotes.

    "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    "C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

    That should open the quarantine folder. Repeat with the second path.


    To add the Run command to the Vista Start menu;

    Right click on the Start button, and click Properties.
    From the Taskbar and Start Menu Properties dialog, click Customize.
    Scroll down through the list to find Run command and check the box next to it.
    Click OK.
     
  9. 2008/11/11
    Herd72

    Herd72 Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    105
    Likes Received:
    0
    Sorry for the very slow reply. Cable internet has been down for a few days. I got that done. Thanks again for all your time and understanding!
    Jim
     
  10. 2008/11/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Jim,

    Let's finish up. Open MBAM and remove any items quarantined. Do the same with your resident antivirus.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too. You may also wish to remove RSIT.exe and the C:\rsit folder.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    ATF Cleaner is a keeper, and handy for cleaning temps periodically. That should wrap things up. Let me know how the computer is doing now and if any issues remain.
     
