Removal of virus help needed

Touch (Forum Moderator) | Date Joined Jun 2004 | Total Posts: 14350 | Posted 8-23-2008 8:45 (GMT +1)

Hello WBJ
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and Paste that log into your next reply, along with hijackthis log.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Do NOT post your problem in someone else's thread.
WBJ (New Member) | Date Joined Aug 2008 | Total Posts: 10 | Posted 8-23-2008 9:28 (GMT +1)

Ok will do sir! Also I have found in my research over the last few hours that the Blue Screen I'm seeing is just a screen saver.
WBJ (New Member) | Date Joined Aug 2008 | Total Posts: 10 | Posted 8-23-2008 7:26 (GMT +1)

Ok I ran both. The Malware software found more than I thought it would and said that certain items could not be removed. Then it prompted for a restart so I did. Upon a restart I ran HijackThis and saved the log. Here are both logs.
Malware
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 3

2:16:24 PM 8/23/2008
mbam-log-08-23-2008 (14-16-24).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 158440
Time elapsed: 51 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
C:\WINDOWS\system32\lphcnc2j0e9cv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphcnc2j0e9cv.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcnc2j0e9cv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\oembios.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\oembios.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphcnc2j0e9cv.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt9B2.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\sai6BC.tmp (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\ginstall.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oembios.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphcnc2j0e9cv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcnc2j0e9cv.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temp\cd1FCD.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 2:21:36 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
D:\Steam\Steam.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.augustatech.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Steam] "D:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\partypoker\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\partypoker\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171543369171
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I still have the HijackThis up showing all the boxes where I can click on the ones I wanna delete/keep. I'll keep it up and await further instructions! Once again thanks for all the help!
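The two logs above are what the moderator reads to decide the next step. The script below is an added example, not code from this thread or from Malwarebytes: it parses MBAM detection lines of the form `item (Threat.Name) -> action`, lists everything still waiting on "Delete on reboot" (the reason the instructions insist on restarting right away and posting a fresh log), and flags any Winlogon Userinit value that is not the stock one, since that value is what keeps Trojan.Agent running at every logon even after the Run entry is gone. The sample log is a constructed subset of WBJ's post; the Windows XP default Userinit path is an assumption not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the detection lines from the MBAM log posted
# above, in the one-entry-per-line form the MBAM log actually uses.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\lphcnc2j0e9cv.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphcnc2j0e9cv.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcnc2j0e9cv (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\oembios.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\oembios.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Jon\Local Settings\Temp\cd1FCD.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[A-Za-z0-9.]+)\)"      # path or key, then (Threat.Name)
    r"(?: -> Data: (?P<data>.+?))?"                       # registry data items carry the bad value
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"                            # what MBAM did about it
)


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str
    data: Optional[str] = None  # rogue value for "Registry Data Items" entries


def parse_mbam_log(text: str) -> list:
    """Turn an MBAM removal log into Detection records, keeping the section each came from."""
    detections, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header["name"]
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            detections.append(Detection(section, entry["item"], entry["threat"],
                                        entry["action"], entry["data"]))
    return detections


def summarize(detections) -> dict:
    """Count detections per log section (the same numbers MBAM prints in its header)."""
    counts = {}
    for d in detections:
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


def pending_reboot(detections) -> list:
    """Items MBAM could only schedule for deletion: they are still on disk or in
    the registry until the machine restarts, which is why the moderator asks for
    an immediate reboot and a fresh log afterwards."""
    return [d for d in detections if d.action.lower().startswith("delete on reboot")]


# Assumption (not from the page): the stock Windows XP Userinit value. Winlogon
# runs whatever is listed here at every interactive logon, so a foreign path is
# persistence that outlives the removal of the Run-key entry.
XP_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_hijacked(detections) -> list:
    """Return every Userinit value in the log that is not the XP default."""
    return [d.data for d in detections
            if d.item.lower().endswith(r"\winlogon\userinit") and d.data
            and d.data.lower().rstrip(",") != XP_DEFAULT_USERINIT]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    for d in pending_reboot(found):
        print("pending reboot:", d.section, d.item)
    for value in userinit_hijacked(found):
        print("Userinit points at:", value)
```

Run it against the full log saved by MBAM to get the same three lists; anything reported by pending_reboot should be absent from a second scan taken after the restart, and a Userinit value that still differs from the default after that reboot means the persistence was not actually removed.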
Touch (Forum Moderator) | Date Joined Jun 2004 | Total Posts: 14350 | Posted 8-25-2008 5:26 (GMT +1)

Please download Combofix and save it to the desktop.
Close all other browser windows.
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
Do NOT post your problem in someone else's thread.
WBJ (New Member) | Date Joined Aug 2008 | Total Posts: 10 | Posted 8-25-2008 9:53 (GMT +1)

Ok boss, I downloaded and ran the ComboFix. The only problem I had was it rebooted my PC and while it was doing its thing my Norton came up trying to block it. I chose "Allow Script" and then a few minutes later the following log popped up.
ComboFix 08-08-24.02 - Jon 2008-08-25 4:20:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1619 [GMT -4:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\MNZHZTHJ\interclick.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\MNZHZTHJ\static.youku.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\MNZHZTHJ\www.broadcaster.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\tmp35.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-25 03:49 . 2008-08-25 03:50 <DIR> d-------- C:\WINDOWS\system32\SkillGround
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 04:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-23 03:08 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-23 02:38 . 2008-08-23 02:38 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\sysproc64
2008-08-22 05:50 . 2008-08-23 13:32 <DIR> d--hs---- C:\WINDOWS\system32\sysproc64
2008-08-22 05:50 . 2008-08-22 05:50 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Application Data\sysproc64
2008-08-21 01:13 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-13 05:10 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-09 02:53 . 2008-08-22 05:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-09 02:53 . 2008-08-09 02:53 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 08:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-22 10:10 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-19 10:01 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 05:22 --------- d-----w C:\Program Files\Java
2008-08-02 09:30 --------- d-----w C:\Program Files\Apple Software Update
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 06:56 --------- d-----w C:\Documents and Settings\Jon\Application Data\mIRC
2008-07-09 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 01:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-07-08 08:14 --------- d-----w C:\Documents and Settings\Jon\Application Data\HLSW
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 18:38 --------- d-----w C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-30 07:50 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-30 07:50 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nexon
2008-06-25 08:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-25 08:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-16 06:53 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-12-29 02:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-05-17 05:22 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2005-02-22 04:03 32 --sha-w C:\WINDOWS\{2841F0CE-74B7-4296-A1D4-221E1D14448D}.dat
2005-02-22 04:03 32 --sha-w C:\WINDOWS\system32\{E0209B35-F675-461F-91D9-4C31E0AC2A19}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:40 218032]
"Steam"="D:\Steam\Steam.exe" [2008-07-21 01:33 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-26 03:59 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 04:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 18:43 2051096]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"nwiz"="nwiz.exe" [2007-06-29 01:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 10752 C:\WINDOWS\system32\SPIRUN.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-07-31 18:44 271672 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series] --a------ 2003-07-28 18:50 106496 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk] --a------ 2003-06-13 14:57 294912 C:\PROGRA~1\LEXMAR~1\lxbrksk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsLime] --a------ 2005-09-08 16:10 159744 C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\World of Warcraft\\WoW-1.2.3-patch-enUS-Downloader.exe"=
"D:\\World of Warcraft\\WoW-1.2.4-to-1.3.0-enUS-downloader.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"D:\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"=
"D:\\Xfire\\Xfire.exe"=
"D:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"D:\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\day of defeat source beta\\hl2.exe"=
"D:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Jon\\Desktop\\mirc.exe"=
"D:\\Steam\\steamapps\\killektiv\\day of defeat source\\hl2.exe"=
"D:\\Steam\\steamapps\\killektiv\\day of defeat source beta\\hl2.exe"=
"D:\\HLSW\\hlsw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2005-02-11 18:11]
S3 FXDRV;FXDRV;F:\Fxdrv.sys []
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a3724c2-84c1-11d9-9c78-806d6172696f}]
\Shell\AutoRun\command - F:\SETUP.EXE /UPDATE
.
Contents of the 'Scheduled Tasks' folder
2008-08-18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2007-02-15 C:\WINDOWS\Tasks\Fall Into Sleep.job - C:\Documents and Settings\Jon\My Documents\My Music\Lost and Found\Fall Into Sleep.mp3 []
2008-08-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job - C:\PROGRA~1\NORTON~1\NAVW32.exe [2002-11-14 20:31]
2008-08-25 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NVMixerTray - C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
MSConfigStartUp-Steam - C:\Program Files\Steam\Steam.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\9pgya8my.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://csramotorsports.com/site/index.php?option=com_smf&Itemid=74
FF -: plugin - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\9pgya8my.default\extensions\{642BD07B-43AB-4157-921B-3E62B71AD39F}\plugins\npskill.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 04:26:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-08-25 4:49:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 08:47:19
Pre-Run: 11,276,517,376 bytes free
Post-Run: 12,238,450,688 bytes free
254 --- E O F --- 2008-08-24 10:00:30
Touch Forum Moderator
Date Joined Jun 2004 Total Posts : 14350 | Posted 8-25-2008 12:14 (GMT +1)
Open notepad and copy/paste the text in the quotebox below into it:
Quote:

Killall::
Snapshot::
FileLook:: C:\WINDOWS\_MSRSTRT.EXE
FolderLook:: C:\Documents and Settings\LocalService\Application Data\sysproc64
FolderLook:: C:\WINDOWS\system32\sysproc64
FolderLook:: C:\Documents and Settings\NetworkService\Application Data\sysproc64

Save this as: CFScript
Referring to the picture above, drag CFScript into ComboFix.exe
Then post fresh combofix log.
Do NOT post your problem in someone else's thread.
WBJ New Member
Date Joined Aug 2008 Total Posts : 10 | Posted 8-25-2008 4:56 (GMT +1)
Alright, this time I made sure Norton was not coming up on restart.
ComboFix 08-08-24.02 - Jon 2008-08-25 11:44:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1597 [GMT -4:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 ))))))))))))))))))))))))))))))) .
2008-08-25 05:11 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 04:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-23 03:08 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-23 02:38 . 2008-08-23 02:38 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\sysproc64
2008-08-22 05:50 . 2008-08-23 13:32 <DIR> d--hs---- C:\WINDOWS\system32\sysproc64
2008-08-22 05:50 . 2008-08-22 05:50 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Application Data\sysproc64
2008-08-21 01:13 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-13 05:10 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-09 02:53 . 2008-08-22 05:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-09 02:53 . 2008-08-09 02:53 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 15:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-25 15:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 10:10 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-19 10:01 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 05:22 --------- d-----w C:\Program Files\Java
2008-08-02 09:30 --------- d-----w C:\Program Files\Apple Software Update
2008-07-18 06:56 --------- d-----w C:\Documents and Settings\Jon\Application Data\mIRC
2008-07-09 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 01:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-07-08 08:14 --------- d-----w C:\Documents and Settings\Jon\Application Data\HLSW
2008-07-05 18:38 --------- d-----w C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-30 07:50 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-30 07:50 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nexon
2008-06-16 06:53 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-12-29 02:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-05-17 05:22 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2005-02-22 04:03 32 --sha-w C:\WINDOWS\{2841F0CE-74B7-4296-A1D4-221E1D14448D}.dat
2005-02-22 04:03 32 --sha-w C:\WINDOWS\system32\{E0209B35-F675-461F-91D9-4C31E0AC2A19}.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\WINDOWS\_MSRSTRT.EXE -- Unable to find Resource table header. MD5: 815372073da85b2098a37ded84083c8a
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:40 218032]
"Steam"="D:\Steam\Steam.exe" [2008-07-21 01:33 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-26 03:59 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 04:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 18:43 2051096]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"nwiz"="nwiz.exe" [2007-06-29 01:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 10752 C:\WINDOWS\system32\SPIRUN.DLL]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-26 14:40:02 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-05-15 21:10:53 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-07-31 18:44 271672 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series] --a------ 2003-07-28 18:50 106496 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk] --a------ 2003-06-13 14:57 294912 C:\PROGRA~1\LEXMAR~1\lxbrksk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\World of Warcraft\\WoW-1.2.3-patch-enUS-Downloader.exe"=
"D:\\World of Warcraft\\WoW-1.2.4-to-1.3.0-enUS-downloader.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"D:\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"D:\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killektiv\\day of defeat source beta\\hl2.exe"=
"D:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Steam\\steamapps\\killektiv\\day of defeat source\\hl2.exe"=
"D:\\Steam\\steamapps\\killektiv\\day of defeat source beta\\hl2.exe"=
"D:\\HLSW\\hlsw.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2005-02-11 18:11]
S3 FXDRV;FXDRV;F:\Fxdrv.sys []
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a3724c2-84c1-11d9-9c78-806d6172696f}]
\Shell\AutoRun\command - F:\SETUP.EXE /UPDATE
.
Contents of the 'Scheduled Tasks' folder
2008-08-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2007-02-15 C:\WINDOWS\Tasks\Fall Into Sleep.job - C:\Documents and Settings\Jon\My Documents\My Music\Lost and Found\Fall Into Sleep.mp3 []
2008-08-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job - C:\PROGRA~1\NORTON~1\NAVW32.exe [2002-11-14 20:31]
2008-08-25 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-PhilipsLime - C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 11:47:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-25 11:54:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 15:54:50
ComboFix2.txt 2008-08-25 08:49:24
Pre-Run: 13,548,015,616 bytes free
Post-Run: 13,536,952,320 bytes free
210 --- E O F --- 2008-08-24 10:00:30
Touch Forum Moderator
Date Joined Jun 2004 Total Posts : 14350 | Posted 8-25-2008 6:57 (GMT +1)
Open notepad and copy/paste the text in the quotebox below into it:
Quote:

Killall::
Snapshot::
File:: C:\WINDOWS\_MSRSTRT.EXE
Folder:: C:\Documents and Settings\LocalService\Application Data\sysproc64
C:\WINDOWS\system32\sysproc64
C:\Documents and Settings\NetworkService\Application Data\sysproc64

Save this as: CFScript
Referring to the picture above, drag CFScript into ComboFix.exe
Then post fresh combofix log, and tell how things are running?
Do NOT post your problem in someone else's thread.
WBJ New Member
Date Joined Aug 2008 Total Posts : 10 | Posted 8-25-2008 8:28 (GMT +1)
Everything seems to be running ok. I haven't tried it since this last scan, but I am having a sound issue. If I play a game and have WM Player in the background the sound is choppy. I'm assuming that a sound driver update will fix this but I've held off from doing it until my main issue here is all good.
ComboFix 08-08-24.02 - Jon 2008-08-25 15:10:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1600 [GMT -4:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE :: C:\WINDOWS\_MSRSTRT.EXE .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\Documents and Settings\LocalService\Application Data\sysproc64
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
C:\Documents and Settings\NetworkService\Application Data\sysproc64
C:\Documents and Settings\NetworkService\Application Data\sysproc64\sysproc32.sys
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\system32\sysproc64
C:\WINDOWS\system32\sysproc64\sysproc32.sys
C:\WINDOWS\system32\sysproc64\sysproc86.sys
. ((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 ))))))))))))))))))))))))))))))) .
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-23 04:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 04:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-23 03:13 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-23 03:08 . 2008-08-23 03:13 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-21 01:13 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-13 05:10 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-09 02:53 . 2008-08-22 05:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-09 02:53 . 2008-08-09 02:53 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 19:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-25 15:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 10:10 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-19 10:01 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 05:22 --------- d-----w C:\Program Files\Java
2008-08-02 09:30 --------- d-----w C:\Program Files\Apple Software Update
2008-07-18 06:56 --------- d-----w C:\Documents and Settings\Jon\Application Data\mIRC
2008-07-09 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-09 01:08 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-07-08 08:14 --------- d-----w C:\Documents and Settings\Jon\Application Data\HLSW
2008-07-05 18:38 --------- d-----w C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-30 07:50 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-30 07:50 --------- d-----w C:\Documents and Settings\Jon\Application Data\Nexon
2007-12-29 02:55 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-05-17 05:22 20 ---h--w C:\Documents and Settings\All Users.WINDOWS\Application Data\PKP_DLec.DAT
2005-02-22 04:03 32 --sha-w C:\WINDOWS\{2841F0CE-74B7-4296-A1D4-221E1D14448D}.dat
2005-02-22 04:03 32 --sha-w C:\WINDOWS\system32\{E0209B35-F675-461F-91D9-4C31E0AC2A19}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 04:40 218032]
"Steam"="D:\Steam\Steam.exe" [2008-07-21 01:33 1271032]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-02-26 03:59 100056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 04:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 18:43 2051096]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"nwiz"="nwiz.exe" [2007-06-29 01:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 10752 C:\WINDOWS\system32\SPIRUN.DLL]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-26 14:40:02 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-05-15 21:10:53 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-07-31 18:44 271672 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series] --a------ 2003-07-28 18:50 106496 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk] --a------ 2003-06-13 14:57 294912 C:\PROGRA~1\LEXMAR~1\lxbrksk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM] --a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\World of Warcraft\\WoW-1.2.3-patch-enUS-Downloader.exe"=
"D:\\World of Warcraft\\WoW-1.2.4-to-1.3.0-enUS-downloader.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"D:\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"D:\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"D:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
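The triage the helper does on these reports is mechanical enough to script. The Python below is an added example, not code from this thread or from ComboFix: it runs a handful of checks over constructed sample lines copied from the logs posted above (the hidden+system sysproc64 directories in the LocalService and NetworkService profiles and under system32, the Security Center and firewall values, the FileLook result for _MSRSTRT.EXE, and the MountPoints2 autorun handler). The rule names, the regular expressions and the choice of what counts as suspicious are this example's own assumptions about the report format, not anything ComboFix defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: ComboFix-style report lines copied from the logs posted
# in this thread, one entry per line. Not a complete report.
SAMPLE_LOG = r"""
2008-08-23 04:36 . 2008-08-23 04:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 02:38 . 2008-08-23 02:38 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\sysproc64
2008-08-22 05:50 . 2008-08-23 13:32 <DIR> d--hs---- C:\WINDOWS\system32\sysproc64
2008-08-22 05:50 . 2008-08-22 05:50 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Application Data\sysproc64
2008-06-16 06:53 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\_MSRSTRT.EXE -- Unable to find Resource table header. MD5: 815372073da85b2098a37ded84083c8a
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a3724c2-84c1-11d9-9c78-806d6172696f}] \Shell\AutoRun\command - F:\SETUP.EXE /UPDATE
"""


@dataclass
class Finding:
    rule: str      # short name of the check that fired (this example's own names)
    subject: str   # path, command or registry key the finding refers to


# Directory entry: "... <DIR> d--hs---- C:\path". The attribute string carries
# the d/r/a/h/s/c flags, so 'h' and 's' together mean hidden + system.
DIR_RE = re.compile(r"<DIR>\s+(?P<attr>[a-z-]{5,})\s+(?P<path>[A-Za-z]:\\.+)$")
# Registry value: [key] "name"=value, where value is dword:... or "0 (0x0)".
REG_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s+"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# Explorer MountPoints2 autorun handler recorded for a removable drive.
AUTORUN_RE = re.compile(
    r"^\[(?P<key>[^\]]*mountpoints2[^\]]*)\]\s+\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$",
    re.I)
# FileLook output for a PE that has no resource table (assumed here to be
# worth a second look, as packed or hand-built binaries often lack one).
NORES_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+--\s+Unable to find Resource table header")

# Service-account profiles normally hold no user-created hidden directories.
SERVICE_PROFILES = ("\\localservice\\", "\\networkservice\\")


def parse_dword(value: str):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def triage(text: str) -> list:
    """Run the checks over a ComboFix-style report and return findings in report order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIR_RE.search(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            low = path.lower()
            if "h" in attr and "s" in attr:
                if any(p in low for p in SERVICE_PROFILES):
                    findings.append(Finding("hidden+system dir in service-account profile", path))
                elif "\\windows\\system32\\" in low:
                    findings.append(Finding("hidden+system dir under system32", path))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("removable-media autorun command", m.group("cmd")))
            continue
        m = REG_RE.match(line)
        if m:
            name, key = m.group("name"), m.group("key")
            val = parse_dword(m.group("value"))
            if name == "AntiVirusDisableNotify" and val == 1:
                findings.append(Finding("security center AV notifications disabled", key))
            elif name == "DisableMonitoring" and val == 1:
                findings.append(Finding("security center monitoring disabled", key))
            elif name == "EnableFirewall" and val == 0:
                findings.append(Finding("windows firewall disabled", key))
            continue
        m = NORES_RE.match(line)
        if m:
            findings.append(Finding("PE without resource table (FileLook)", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:45s} {f.subject}")
```

Run against the sample it reports eight findings: three sysproc64 directories, the resource-less _MSRSTRT.EXE, the two Security Center values, the disabled standard-profile firewall and the F:\SETUP.EXE autorun handler, while the ordinary Malwarebytes directory entry produces nothing. The Security Center and firewall values are the ones to read alongside the removal itself: even after the sysproc64 folders are gone, those settings remain as the helper's later instructions would have to address.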