micro antivirus 2009 here is my hjt log
chkinjoe
Junior Member
22. September 2008 @ 15:00
It's basically a fake antivirus that keeps popping up fake detections and trying to open IE to an unknown page. I would appreciate it if someone could help me remove this. Thanks for reading :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:53 AM, on 9/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\YURF0B7.exe
C:\Windows\System32\YURF2AB.exe
C:\Windows\System32\YURF6F1.exe
C:\Windows\System32\YURFABA.exe
C:\Windows\System32\YUR7BE8.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\MicroAV\MicroAV.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\5.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {2DD20DA4-14CD-4DE1-B413-632F3BCB703F} - C:\Windows\system32\cBSkljjK.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [\YURF0B7.exe] C:\Windows\system32\YURF0B7.exe
O4 - HKLM\..\Run: [\YURF2AB.exe] C:\Windows\system32\YURF2AB.exe
O4 - HKLM\..\Run: [\YURF6F1.exe] C:\Windows\system32\YURF6F1.exe
O4 - HKLM\..\Run: [\YURFABA.exe] C:\Windows\system32\YURFABA.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCvVPG.dll,#1
O4 - HKLM\..\Run: [\YUR7BE8.exe] C:\Windows\system32\YUR7BE8.exe
O4 - HKLM\..\Run: [f45aca6b] rundll32.exe "C:\Windows\system32\phkttaga.dll",b
O4 - HKLM\..\Run: [\YURC8C9.exe] C:\Windows\system32\YURC8C9.exe
O4 - HKLM\..\Run: [\YURC714.exe] C:\Windows\system32\YURC714.exe
O4 - HKLM\..\Run: [\YURC8B9.exe] C:\Windows\system32\YURC8B9.exe
O4 - HKLM\..\Run: [\YUR1C58.exe] C:\Windows\system32\YUR1C58.exe
O4 - HKLM\..\Run: [\YUR2F99.exe] C:\Windows\system32\YUR2F99.exe
O4 - HKCU\..\Run: [\YURF0B7.exe] C:\Windows\system32\YURF0B7.exe
O4 - HKCU\..\Run: [\YURF2AB.exe] C:\Windows\system32\YURF2AB.exe
O4 - HKCU\..\Run: [\YURF6F1.exe] C:\Windows\system32\YURF6F1.exe
O4 - HKCU\..\Run: [\YURFABA.exe] C:\Windows\system32\YURFABA.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKCU\..\Run: [\YUR7BE8.exe] C:\Windows\system32\YUR7BE8.exe
O4 - HKCU\..\Run: [\YURC8C9.exe] C:\Windows\system32\YURC8C9.exe
O4 - HKCU\..\Run: [\YURC714.exe] C:\Windows\system32\YURC714.exe
O4 - HKCU\..\Run: [\YURC8B9.exe] C:\Windows\system32\YURC8B9.exe
O4 - HKCU\..\Run: [\YUR1C58.exe] C:\Windows\system32\YUR1C58.exe
O4 - HKCU\..\Run: [\YUR2F99.exe] C:\Windows\system32\YUR2F99.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8331 bytes
I really appreciate this help guys
tokin it up
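As an added triage aid (not code from this thread, from HijackThis or from Trend Micro), the following Python script applies a few defender-side heuristics to HijackThis lines of the kind shown in the log above: unnamed or orphaned BHOs (O2), Run-key entries whose value name mirrors the file name or is a bare hex string, rundll32 loading a DLL from System32 by ordinal or a one-letter export, random-looking file names under System32 (O4), and any AppInit_DLLs setting (O20). The sample lines are constructed from entries in the post; the "five consecutive non-vowels" threshold and the choice of checks are my own assumptions, meant to prioritise review, not to give a verdict.

```python
from __future__ import annotations
import re

# Constructed sample: a few HijackThis lines modelled on the log in the post above
# (the real log has many more entries; these are enough to exercise each check).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {2DD20DA4-14CD-4DE1-B413-632F3BCB703F} - C:\Windows\system32\cBSkljjK.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [\YURF0B7.exe] C:\Windows\system32\YURF0B7.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJCvVPG.dll,#1
O4 - HKLM\..\Run: [f45aca6b] rundll32.exe "C:\Windows\system32\phkttaga.dll",b
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.I)
VOWELS = set("aeiouy")


def file_stem(path: str) -> str:
    """'C:\\Windows\\system32\\YURF0B7.exe' -> 'YURF0B7'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude entropy proxy (assumed threshold): a run of 5+ characters with no
    vowel, digits counting as non-vowels. Flags names like YURF0B7 or ljJCvVPG;
    ordinary program names rarely go that long without a vowel."""
    run = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        if run >= 5:
            return True
    return False


def path_reasons(text: str) -> list[str]:
    """Random-looking executables/DLLs living directly under System32."""
    return [f"random-looking file name in System32: {file_stem(p)}"
            for p in PATH.findall(text)
            if SYSTEM32.match(p) and looks_random(file_stem(p))]


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every HijackThis entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons: list[str] = []
        if section == "O2":  # browser helper objects
            if "(no name)" in body:
                reasons.append("unnamed BHO")
            if "(no file)" in body or "(file missing)" in body:
                reasons.append("BHO file missing (orphaned registration)")
            reasons += path_reasons(body)
        elif section == "O4":  # Run-key autostarts
            entry = RUN_ENTRY.search(body)
            if entry:
                name, cmd = entry.group("name"), entry.group("cmd")
                if name.startswith("\\"):
                    reasons.append("Run value name starts with a backslash and mirrors the file name")
                elif re.fullmatch(r"[0-9a-f]{8}", name):
                    reasons.append("Run value name is a bare hex string")
                r = RUNDLL.search(cmd)
                if r and re.fullmatch(r"#\d+|[A-Za-z0-9]{1,2}", r.group("export")):
                    reasons.append(f"rundll32 calls {file_stem(r.group('dll'))}.dll "
                                   f"by ordinal/opaque export '{r.group('export')}'")
                reasons += path_reasons(cmd)
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                reasons.append("AppInit_DLLs set: listed DLLs are injected into every process that loads user32.dll")
                reasons += [f"random-looking DLL name: {d}" for d in dlls if looks_random(file_stem(d))]
        if reasons:
            findings.append((m.group(0), reasons))
    return findings


def flagged_entries(log_text: str) -> list[str]:
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, six of the ten lines are flagged; the Java, OneNote-style and Lenovo service entries pass. Note that the `[ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe` entry, the rogue product itself, also passes these structural checks: it has a conventional value name and lives under Program Files. That is why the user's symptom description and full scanner logs, which the helper asks for next, carry more weight than any single log heuristic.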

AfterDawn Addict
22. September 2008 @ 18:33
Hi chkinjoe,
Your log shows a lot of infection…
Let's do a little pre-cleaning, run ComboFix and post some logs so we can see what's going on…
Pre-Clean:
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
ComboFix:
1. Download ComboFix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall

3. Combo will begin to run. DO NOTHING while this is happening.
• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurely, you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
If, when it's completed, you cannot get on the internet, just reboot the computer.
Post the log from comboFix for me located in
c:\comboFix.txt
Also, post the MBAM Log and a fresh HJT log in your next reply.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...

chkinjoe
Junior Member
23. September 2008 @ 03:43
Here are the logs. I appreciate all of your help. I think it's off so far, but ComboFix has made my system clock stuck in 24hr format.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:39, on 2008-09-23
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\mobsync.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5842 bytes
ComboFix 08-09-20.05 - Theo Moor 2008-09-23 0:24:31.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.889 [GMT -7:00]
Running from: C:\Users\Theo Moor\Desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\1.ico
C:\Windows\system32\2.ico
C:\Windows\system32\agattkhp.ini
C:\Windows\system32\hwnhnree.ini
C:\Windows\system32\TDSSerrors.log
C:\Windows\System32\yspqrdjp.ini
----- BITS: Possible infected sites -----
http://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-22 20:39 . 2008-09-22 23:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 20:39 . 2008-09-08 00:11 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-22 20:39 . 2008-09-08 00:11 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
2008-09-22 16:03 . 2008-09-22 16:03 869,297 ---hs---- C:\Windows\System32\yspqrdjp.ini2
2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
2008-09-22 15:11 . 2008-09-23 00:29 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 11:35 . 2008-09-22 11:35 53,248 --ahs---- C:\Windows\System32\khfDwxxw.dll
2008-09-22 11:32 . 2008-09-22 03:15 166,400 --a------ C:\Windows\System32\MicroAV.cpl
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 01:35 . 2008-09-23 00:25 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 01:25 . 2008-09-22 15:31 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-22 01:25 . 2008-09-22 15:31 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-22 01:25 . 2008-09-22 15:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-05 13:49 . 2008-09-05 13:49 970 --a------ C:\net_save.dna
2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-30 09:48 . 2008-08-30 09:49 <DIR> d-------- C:\temp
2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
2008-08-23 21:05 . 2008-09-20 19:11 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\LimeWire
2008-08-23 20:50 . 2008-08-23 20:53 <DIR> d-------- C:\Program Files\Java
2008-08-23 20:50 . 2008-08-23 20:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-23 20:19 . 2008-08-23 20:25 <DIR> d-------- C:\Program Files\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 00:01 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-22 23:00 64,512 --sha-w C:\Windows\System32\pojabese.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\system32\pojabese.dll nbksph.dll
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
--------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-22 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-22 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-22 41217]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-06-13 66848]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 242176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-buvuzodala - C:\Windows\system32\kejajumo.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Theo Moor\AppData\Roaming\Mozilla\Firefox\Profiles\uh8vkm3r.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\system32\lsass.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\pojabese.dll
.
Completion time: 2008-09-23 0:33:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-23 07:33:11
Pre-Run: 53,101,305,856 bytes free
Post-Run: 52,845,821,952 bytes free
343 --- E O F --- 2008-09-23 07:00:06
Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 6.0.6001 Service Pack 1
9/22/2008 11:48:49 PM
mbam-log-2008-09-22 (23-48-43).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 112706
Time elapsed: 2 hour(s), 40 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 34
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Windows\System32\cBSkljjK.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f38bb8d-d665-4052-b23c-c251a32b8268} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7f38bb8d-d665-4052-b23c-c251a32b8268} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a455dbe0-d681-4784-aab2-4e8ff21ab5b9} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a455dbe0-d681-4784-aab2-4e8ff21ab5b9} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{429fd057-5063-4018-af29-4e31b1b5e44c} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f77bbe3b-9c38-47f6-99d7-b79b453d0f50} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f77bbe3b-9c38-47f6-99d7-b79b453d0f50} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buvuzodala (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbskljjk -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbskljjk -> No action taken.
Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.
Files Infected:
C:\Windows\System32\cBSkljjK.dll (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\KjjlkSBc.ini (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\KjjlkSBc.ini2 (Trojan.Vundo.H) -> No action taken.
C:\Windows\system32\nbksph.dll (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\wejuwava.dll (Trojan.BHO.H) -> No action taken.
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\efCvuutS.dll (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z2SLYTJ\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Z2SLYTJ\upd105320[2] (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YB23S58A\cntr[1] (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp00010f9b (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp00011095 (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp000134f5 (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp00016ced (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp0001b60c (Trojan.Vundo) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\tmp00021582 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\opnlLDsQ.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\ddcCTmLd.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\nnnMfeEx.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
C:\Windows\System32\tdssl.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\tdssserf.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\tdssinit.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\tdssservers.dat (Trojan.Agent) -> No action taken.
C:\Windows\System32\drivers\TDSSserv.sys (Trojan.Agent) -> No action taken.
C:\Windows\System32\kejajumo.dll (Trojan.Agent) -> No action taken.
C:\Users\Theo Moor\AppData\Local\Temp\lwpwer.exe (Trojan.FakeAlert) -> No action taken.
tokin it up
AfterDawn Addict
23. September 2008 @ 03:51
hehe the clock and other things will reset when we finish.
Not to worry :)

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
AfterDawn Addict
23. September 2008 @ 03:54

AfterDawn Addict
23. September 2008 @ 03:56
Never mind the HJT Log, I found it.. It's late :)

AfterDawn Addict
23. September 2008 @ 04:13
Hey chkinjoe,
It will take some time to go through the logs.
There's a lot left to be removed and I am about dead right now so I will get some rest and hope to get a Fix to you by Tues. evening.
That way I won't make mistakes.. :)
2OG

AfterDawn Addict
23. September 2008 @ 05:58
Hey chkinjoe,
You have some very strange files that I cannot find any info on so instead of having to ask you about each one of them, let's do a little more cleaning and just see if we can get rid of some of them.
Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.
Please post back with the SAS Log and a fresh HJT Log.
2OG

chkinjoe
Junior Member
23. September 2008 @ 22:27
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/23/2008 at 07:18 PM
Application Version : 4.21.1004
Core Rules Database Version : 3578
Trace Rules Database Version: 1566
Scan type : Complete Scan
Total Scan Time : 00:54:27
Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 6477
Registry threats detected : 0
File items scanned : 88454
File threats detected : 9
Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\1.ICO.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\2.ICO.VIR
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\1.ICO
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\2.ICO
Trojan.Dropper/Win-NV
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YUR7BE8.EXE
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF0B7.EXE
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF2AB.EXE
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURF6F1.EXE
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\WINDOWS\SYSTEM32\YURFABA.EXE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:56 PM, on 9/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5955 bytes
AfterDawn Addict
23. September 2008 @ 23:21
@chkinjoe,
Be sure to run HJT as Administrator:
Fix entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\Windows\system32\pojabese.dll nbksph.dll
IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis
Now let me know if you are having any problems??
2OG

chkinjoe
Junior Member
23. September 2008 @ 23:49
Even though I delete them in HJT they still keep coming back
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\Windows\system32\wejuwava.dll (file missing)
O4 - HKLM\..\Run: [buvuzodala] Rundll32.exe "C:\Windows\system32\kejajumo.dll",s
AfterDawn Addict
23. September 2008 @ 23:54
Are you SURE you're running HJT as ADMINISTRATOR???

AfterDawn Addict
24. September 2008 @ 00:13
@chkinjoe,
If you are running HJT as admin. and those lines keep coming back, there may be a rootkit that didn't show up in the Logs.
Go ahead and follow the previous instructions and re-run ComboFix.
Maybe I'll be able to find something after SuperAntiSpyware deleted some things..
Please post the new ComboFix log.
2OG

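An added example, written for this page and not code from the thread, from HijackThis or from ComboFix: a small Python parser that reads HijackThis O2/O4/O20 lines and flags the kinds of persistence entries 2OG marked for "Fix checked" (BHOs whose DLL is missing, Run values that load a DLL through rundll32, and AppInit_DLLs), then compares a log taken before and after the fix to list the entries that, as chkinjoe reported, keep coming back. The log lines are copied from the HJT logs posted above; the allowlist of rundll32 targets and the classification rules are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Input for the demo: HijackThis lines copied from the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\\Windows\\system32\\wejuwava.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [buvuzodala] Rundll32.exe "C:\\Windows\\system32\\kejajumo.dll",s
O4 - HKUS\\S-1-5-19\\..\\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\\S-1-5-19\\..\\Run: [buvuzodala] Rundll32.exe "C:\\Windows\\system32\\kejajumo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\\Windows\\system32\\pojabese.dll nbksph.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
"""

# The two lines chkinjoe reported as reappearing after "Fix checked" (copied from the thread).
AFTER_FIX_LOG = """\
O2 - BHO: (no name) - {429fd057-5063-4018-af29-4e31b1b5e44c} - C:\\Windows\\system32\\wejuwava.dll (file missing)
O4 - HKLM\\..\\Run: [buvuzodala] Rundll32.exe "C:\\Windows\\system32\\kejajumo.dll",s
"""

# Assumption: a tiny allowlist of rundll32 targets that are normal Windows components.
# Seeded from this log only (oobefldr.dll is Vista's Welcome Center); extend as needed.
KNOWN_WINDOWS_RUNDLL = {"oobefldr.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<data>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section: O2, O4 or O20
    reason: str    # why the entry deserves a look
    line: str      # the original log line


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for persistence entries of the kinds 2OG marked for 'Fix checked'."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        target = m.group("target")
        if target == "(no file)" or target.endswith("(file missing)"):
            return Finding("O2", "BHO registered for a DLL that is absent (orphaned or already deleted)", line)
        return None
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.match(m.group("cmd"))
        if r:
            dll = r.group("dll")
            if dll.split("\\")[-1].lower() in KNOWN_WINDOWS_RUNDLL:
                return None
            return Finding("O4", f"Run value '{m.group('value')}' loads {dll} through rundll32", line)
        return None
    m = O20_RE.match(line)
    if m and m.group("kind") == "AppInit_DLLs":
        dlls = m.group("data").split()
        return Finding("O20", "AppInit_DLLs injects into every process that loads user32.dll: " + ", ".join(dlls), line)
    return None


def scan_log(text: str) -> List[Finding]:
    """Classify every line of a HijackThis log and keep the flagged ones, in log order."""
    return [f for f in (classify_line(ln) for ln in text.splitlines()) if f is not None]


def persistent_findings(before: str, after: str) -> List[Finding]:
    """Flagged entries present both before and after a fix: the ones that 'keep coming back'."""
    after_lines = {f.line for f in scan_log(after)}
    return [f for f in scan_log(before) if f.line in after_lines]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("\nStill present after the HJT fix:")
    for f in persistent_findings(SAMPLE_LOG, AFTER_FIX_LOG):
        print("   ", f.line)
```

What the script flags is a review list, not a verdict; the entries returned by persistent_findings are the ones that survived the HJT fix and so deserve the second look with ComboFix that 2OG asks for.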
chkinjoe
Junior Member
24. September 2008 @ 00:50
Do I run ComboFix and SUPERAntiSpyware in safe mode?
AfterDawn Addict
24. September 2008 @ 01:06
No need to run SuperAntiSpyware again.
If you still have ComboFix on your desktop then skip downloading it again and go to instruction no. 2.
1. Download ComboFix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click Start > Run, copy and paste this in exactly, using the picture below for reference, then click OK.
"%userprofile%\desktop\combofix.exe" /killall

3. ComboFix will begin to run. DO NOTHING while this is happening.
* It will kill a few processes and disconnect you from the internet.
* If by chance it stops prematurely, you can re-establish your internet connection by restarting your computer.
* This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
If, when it's completed, you cannot get on the internet, just reboot the computer.
Post the log from ComboFix for me, located in
c:\comboFix.txt

chkinjoe
Junior Member
24. September 2008 @ 02:34
ComboFix 08-09-22.06 - Theo Moor 2008-09-23 22:06:43.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.962 [GMT -7:00]
Running from: C:\Users\Theo Moor\Desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-23 22:10 . 2008-09-23 22:12 170,507,212 --a------ C:\Windows\MEMORY.DMP
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-22 20:39 . 2008-09-22 23:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 20:39 . 2008-09-08 00:11 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-22 20:39 . 2008-09-08 00:11 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
2008-09-22 16:03 . 2008-09-22 16:03 869,297 ---hs---- C:\Windows\System32\yspqrdjp.ini2
2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
2008-09-22 15:11 . 2008-09-23 22:10 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 11:35 . 2008-09-22 11:35 53,248 --ahs---- C:\Windows\System32\khfDwxxw.dll
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 01:35 . 2008-09-23 22:12 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-22 01:25 . 2008-09-23 21:58 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-05 13:49 . 2008-09-05 13:49 970 --a------ C:\net_save.dna
2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-30 09:48 . 2008-08-30 09:49 <DIR> d-------- C:\temp
2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 05:10 170,507,212 ----a-w C:\Windows\DUMP4e00.tmp
2008-09-23 00:01 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
2008-08-24 03:53 --------- d-----w C:\Program Files\Java
2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-22 23:00 64,512 --sha-w C:\Windows\System32\pojabese.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-24 05:10:42 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-24 05:11:21 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-24 05:11:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
- 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-24 05:10:51 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-24 05:10:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-24 04:51:40 106,796 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-24 04:51:40 611,788 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
+ 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
- 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 04:49:14 34,444 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c}]
C:\Windows\system32\wejuwava.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"buvuzodala"="C:\Windows\system32\kejajumo.dll" [BU]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\system32\pojabese.dll
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
--------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-09-22 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-09-22 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-09-22 41217]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-06-13 66848]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWICH;VSTHWICH;C:\Windows\system32\DRIVERS\VSTICH3.SYS [2006-11-02 242176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Theo Moor\AppData\Roaming\Mozilla\Firefox\Profiles\uh8vkm3r.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/a/
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\system32\lsass.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\pojabese.dll
.
Completion time: 2008-09-23 22:16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 05:16:19
ComboFix2.txt 2008-09-23 07:33:31
Pre-Run: 48,388,767,744 bytes free
Post-Run: 48,000,577,536 bytes free
393 --- E O F --- 2008-09-23 07:00:06
tokin it up
|
chkinjoe
Junior Member
|
24. September 2008 @ 02:35 |
Link to this message
|
tokin it up
|
chkinjoe
Junior Member
|
24. September 2008 @ 02:42 |
Link to this message
|
And I'm still getting the DLL file error on startup saying it cannot run kejajumo.dll.
tokin it up
|
AfterDawn Addict
|
24. September 2008 @ 03:09 |
Link to this message
|
Quote: And I'm still getting the DLL file error on startup saying it cannot run kejajumo.dll.
Thanks for the info; that helps.
I'll keep digging and post a fix for you, but please give me a little time to dig it all out.
Back as soon as I can.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
AfterDawn Addict
24. September 2008 @ 05:11
@ chkinjoe,
Open Notepad (it must be Notepad, not WordPad).
Copy the text in the quote box below by highlighting all of it with your mouse and pressing Ctrl+C.
Quote:
Killall::
File::
C:\Windows\System32\yspqrdjp.ini2
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\system32\kejajumo.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{429fd057-5063-4018-af29-4e31b1b5e44c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"buvuzodala"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Go to the Notepad window and click Edit > Paste.
Then click File > Save.
Name the file "CFScript.txt" (including the quotes).
Save the file to your Desktop.

Referring to the picture above, drag CFScript onto ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
2OG
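The script above targets the places this infection used to persist: a Run entry, AppInit_DLLs, a Browser Helper Object, and the LSA "Notification Packages" list that pulls a DLL into lsass.exe and winlogon.exe at boot. As an added example (not ComboFix's, HijackThis's or the thread's own code), here is a small Python triage that reads the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections of a ComboFix log and reports those persistence points together with the hardening settings that show up switched off in this thread's logs (EnableLUA, EnableFirewall, Security Center DisableMonitoring). The allowlist of built-in LSA packages and the sample log excerpt are assumptions constructed for the example; the excerpt reuses entries from the log posted in this thread.

```python
"""Triage the 'Reg Loading Points' and 'DLLs Loaded Under Running Processes'
sections of a ComboFix log for the problems seen in this thread.  Added
example: not ComboFix's or HijackThis's code; it reads text and changes nothing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: packages Windows itself registers under LSA "Notification
# Packages".  Extend for your baseline; everything else is loaded into
# lsass.exe at boot and deserves a look (pojabese.dll got in this way).
KNOWN_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}
# A DLL ComboFix reports inside these processes runs as SYSTEM.
SENSITIVE_PROCESSES = ("winlogon.exe", "lsass.exe")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
MULTISZ_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s+REG_MULTI_SZ\s*(?P<items>.*)$")
PROCESS_RE = re.compile(r"^PROCESS:\s+(?P<path>.+)$")
LOADED_RE = re.compile(r"^->\s+(?P<dll>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = code runs or persists, "medium" = hardening off
    where: str     # registry key or process path the finding belongs to
    detail: str


def as_int(value: str) -> Optional[int]:
    """Parse ComboFix's two value notations: '0 (0x0)' and 'dword:00000001'."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^-?\d+", value)
    return int(m.group()) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the log tracking the current [key] or PROCESS: context and collect
    one Finding per risky entry (the doubled LSA entry is reported once)."""
    findings: List[Finding] = []
    key = key_lc = process = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, process = m.group("key"), ""
            key_lc = key.lower()
            continue
        m = PROCESS_RE.match(line)
        if m:
            process, key, key_lc = m.group("path"), "", ""
            continue
        m = LOADED_RE.match(line)
        if m and process:
            if process.lower().endswith(SENSITIVE_PROCESSES):
                findings.append(Finding("high", process, f"DLL loaded into sensitive process: {m.group('dll')}"))
            continue
        m = MULTISZ_RE.match(line)
        if m:
            if m.group("name").strip().lower() == "notification packages":
                for item in m.group("items").split():
                    if item.lower() not in KNOWN_LSA_PACKAGES:
                        findings.append(Finding("high", key, f"non-default LSA notification package: {item}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        num = as_int(value)
        if key_lc.endswith("\\policies\\system") and name == "EnableLUA" and num == 0:
            findings.append(Finding("medium", key, "UAC disabled (EnableLUA=0)"))
        elif "firewallpolicy" in key_lc and name == "EnableFirewall" and num == 0:
            findings.append(Finding("medium", key, "Windows Firewall disabled for this profile"))
        elif "security center" in key_lc and name == "DisableMonitoring" and num == 1:
            findings.append(Finding("medium", key, "Security Center monitoring disabled"))
        elif name == "AppInit_DLLs" and value.strip('"') not in ("", "-"):
            findings.append(Finding("high", key, f"AppInit_DLLs set: {value}"))
    return list(dict.fromkeys(findings))  # drop exact repeats, keep order


# Constructed excerpt in ComboFix's layout, using entries from this thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\system32\lsass.exe
-> C:\Windows\system32\pojabese.dll
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\pojabese.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}\n         {f.detail}")
```

Run against the excerpt it reports the injected DLL three times (once from the LSA list, once each in winlogon.exe and lsass.exe) and the three disabled protections, while the copy loaded into Explorer.exe is left for manual review. The fingerprint software's psqlpwd entry is also flagged, which is the intended behaviour: the allowlist holds only what Windows ships, so every third-party package in the LSA list gets a human look rather than a silent pass.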
chkinjoe
Junior Member
24. September 2008 @ 23:54
ComboFix 08-09-22.06 - Theo Moor 2008-09-24 17:25:31.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.919 [GMT -7:00]
Running from: C:\Users\Theo Moor\Desktop\combofix.exe
Command switches used :: C:\Users\Theo Moor\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\system32\kejajumo.dll
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 00:05 . 2008-09-24 00:06 102,649,700 --a------ C:\Windows\MEMORY.DMP
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-22 20:39 . 2008-09-23 23:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 20:39 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-22 20:39 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
2008-09-22 15:11 . 2008-09-24 20:43 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 01:35 . 2008-09-24 17:29 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-30 09:48 . 2008-09-23 23:49 <DIR> d-------- C:\temp
2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 00:20 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
2008-08-24 03:53 --------- d-----w C:\Program Files\Java
2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
- 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-25 03:43:06 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-24 15:45:37 106,796 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-24 15:45:37 611,788 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
+ 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
- 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 06:59:48 34,460 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
--------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-buvuzodala - C:\Windows\system32\kejajumo.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 20:43:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\ibmpmsvc.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwsc.exe
.
**************************************************************************
.
Completion time: 2008-09-24 20:46:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 03:46:42
ComboFix2.txt 2008-09-23 07:33:31
Pre-Run: 45,926,862,848 bytes free
Post-Run: 45,781,835,776 bytes free
394 --- E O F --- 2008-09-23 07:00:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:42 PM, on 9/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5690 bytes
tokin it up
chkinjoe
Junior Member
24. September 2008 @ 23:55 |
ComboFix 08-09-22.06 - Theo Moor 2008-09-24 17:25:31.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.919 [GMT -7:00]
Running from: C:\Users\Theo Moor\Desktop\combofix.exe
Command switches used :: C:\Users\Theo Moor\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\system32\kejajumo.dll
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 00:05 . 2008-09-24 00:06 102,649,700 --a------ C:\Windows\MEMORY.DMP
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-22 20:39 . 2008-09-23 23:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 20:39 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-22 20:39 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
2008-09-22 15:11 . 2008-09-24 20:43 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 01:35 . 2008-09-24 17:29 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-30 09:48 . 2008-09-23 23:49 <DIR> d-------- C:\temp
2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 00:20 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
2008-08-24 03:53 --------- d-----w C:\Program Files\Java
2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
- 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-25 03:43:06 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-24 15:45:37 106,796 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-24 15:45:37 611,788 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
+ 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
- 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 06:59:48 34,460 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
--------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-buvuzodala - C:\Windows\system32\kejajumo.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 20:43:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\ibmpmsvc.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwsc.exe
.
**************************************************************************
.
Completion time: 2008-09-24 20:46:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 03:46:42
ComboFix2.txt 2008-09-23 07:33:31
Pre-Run: 45,926,862,848 bytes free
Post-Run: 45,781,835,776 bytes free
394 --- E O F --- 2008-09-23 07:00:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:42 PM, on 9/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5690 bytes
tokin it up
chkinjoe
Junior Member
24. September 2008 @ 23:56
ComboFix 08-09-22.06 - Theo Moor 2008-09-24 17:25:31.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.919 [GMT -7:00]
Running from: C:\Users\Theo Moor\Desktop\combofix.exe
Command switches used :: C:\Users\Theo Moor\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Windows\system32\kejajumo.dll
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\khfDwxxw.dll
C:\Windows\system32\pojabese.dll
C:\Windows\System32\yspqrdjp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 00:05 . 2008-09-24 00:06 102,649,700 --a------ C:\Windows\MEMORY.DMP
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-23 18:11 . 2008-09-23 18:11 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\SUPERAntiSpyware.com
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-23 18:10 . 2008-09-23 18:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 17:55 . 2008-09-23 17:55 <DIR> d-------- C:\DRIVERS
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-22 20:39 . 2008-09-22 20:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-22 20:39 . 2008-09-23 23:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-22 20:39 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-22 20:39 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\Users\All Users\Avira
2008-09-22 16:07 . 2008-09-22 16:09 <DIR> d-------- C:\ProgramData\Avira
2008-09-22 16:07 . 2008-09-22 16:07 <DIR> d-------- C:\Program Files\Avira
2008-09-22 15:13 . 2008-09-22 15:13 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-22 15:13 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-09-22 15:12 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0015.TMP
2008-09-22 15:11 . 2008-09-24 20:43 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-09-22 15:11 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-09-22 14:54 . 2008-09-22 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 11:54 . 2008-09-22 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-09-22 01:37 . 2008-09-22 01:37 <DIR> d-------- C:\ProgramData\CheckPoint
2008-09-22 01:37 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-09-22 01:36 . 2008-09-22 15:13 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-09-22 01:35 . 2008-09-24 17:29 <DIR> d-------- C:\Windows\Internet Logs
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\Users\All Users\TEMP
2008-09-22 01:25 . 2008-09-23 23:54 <DIR> d-a------ C:\ProgramData\TEMP
2008-09-22 01:25 . 2008-09-23 00:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-09 11:23 . 2008-07-30 18:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-09 11:23 . 2008-08-01 18:01 625,152 --a------ C:\Windows\System32\drivers\dxgkrnl.sys
2008-09-09 11:23 . 2008-06-25 20:29 565,248 --a------ C:\Windows\System32\emdmgmt.dll
2008-09-09 11:23 . 2008-06-25 20:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-09 11:23 . 2008-05-08 12:21 211,968 --a------ C:\Windows\System32\drivers\mrxsmb10.sys
2008-09-09 11:23 . 2008-05-19 19:07 148,480 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-09-09 11:23 . 2008-06-25 20:29 45,056 --a------ C:\Windows\System32\dataclen.dll
2008-09-09 11:23 . 2008-08-01 20:26 36,864 --a------ C:\Windows\System32\cdd.dll
2008-09-09 11:23 . 2008-07-30 20:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-08 23:40 . 2008-09-08 23:40 <DIR> d-------- C:\Program Files\warlords battlecry
2008-09-06 17:55 . 2008-09-06 17:55 <DIR> d-------- C:\Program Files\7-Zip
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Users\All Users\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\Viewpoint
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\ProgramData\acccore
2008-09-05 23:17 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\Users\All Users\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Users\All Users\AOL
2008-09-05 23:16 . 2008-09-05 23:18 <DIR> d-------- C:\ProgramData\AOL OCP
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\ProgramData\AOL
2008-09-05 23:16 . 2008-09-05 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-05 23:16 . 2008-09-05 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-09-05 23:16 . 2008-09-05 23:17 364 --ah----- C:\IPH.PH
2008-09-05 15:45 . 2008-04-26 01:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.original
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\support.com
2008-09-05 13:49 . 2008-09-05 13:49 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2008-09-04 23:52 . 2008-09-09 17:55 <DIR> d-------- C:\Users\Theo Moor\psp files
2008-09-04 23:40 . 2008-09-04 23:41 <DIR> d-------- C:\Program Files\PSP Pandora Deluxe
2008-08-30 09:56 . 2008-08-30 09:56 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-08-30 09:48 . 2008-09-23 23:49 <DIR> d-------- C:\temp
2008-08-30 01:29 . 2008-08-30 01:29 <DIR> d-------- C:\Program Files\THQ
2008-08-30 01:29 . 2006-09-28 13:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-08-30 01:29 . 2006-09-28 13:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-08-30 01:29 . 2006-07-28 06:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-08-30 01:29 . 2006-09-28 13:04 68,888 --a------ C:\Windows\System32\xinput1_3.dll
2008-08-30 01:29 . 2006-07-28 06:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-08-30 01:29 . 2006-09-28 13:03 15,128 --a------ C:\Windows\System32\x3daudio1_1.dll
2008-08-29 13:29 . 2008-08-29 16:26 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\WordWeb
2008-08-29 13:23 . 2008-08-29 13:23 <DIR> d-------- C:\Program Files\Merriam-Webster
2008-08-28 06:31 . 2008-08-28 06:31 <DIR> d-------- C:\Program Files\ffdshow
2008-08-28 06:31 . 2008-06-08 20:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-08-28 06:31 . 2008-06-12 17:36 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-08-28 06:31 . 2007-07-10 15:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-08-26 16:48 . 2008-08-26 16:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-26 16:09 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-26 16:09 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-26 16:09 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-26 16:09 . 2008-07-18 19:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-26 16:09 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-26 16:09 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-26 16:09 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-26 16:09 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-26 16:09 . 2008-07-18 17:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-25 17:53 . 2008-08-25 17:53 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\Xbins
2008-08-25 17:07 . 2008-08-25 17:08 <DIR> d-------- C:\Users\Theo Moor\AppData\Roaming\ImgBurn
2008-08-25 17:05 . 2008-08-25 17:06 <DIR> d-------- C:\Program Files\ImgBurn
2008-08-25 11:55 . 2008-08-25 11:55 <DIR> d-------- C:\Windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 00:20 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\uTorrent
2008-09-22 23:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 23:28 --------- d-----w C:\ProgramData\Symantec
2008-09-21 02:11 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\LimeWire
2008-09-10 04:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-09 04:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 05:34 --------- d-----w C:\Program Files\NoAdware
2008-08-24 03:53 --------- d-----w C:\Program Files\Java
2008-08-24 03:50 --------- d-----w C:\Program Files\Common Files\Java
2008-08-24 03:25 --------- d-----w C:\Program Files\LimeWire
2008-08-22 04:26 --------- d-----w C:\Program Files\LucasArts
2008-08-22 04:22 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-22 04:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\ATI
2008-08-22 04:16 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-22 04:16 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\DAEMON Tools
2008-08-21 01:36 --------- d-----w C:\Program Files\uTorrent
2008-08-20 04:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-20 03:02 --------- d-----w C:\Program Files\Yahoo!
2008-08-19 22:24 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-08-17 02:02 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Ceedo
2008-08-16 03:46 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 15:20 --------- d-----w C:\Program Files\Spotmau WinCares 2007
2008-08-01 20:54 --------- d-----w C:\ProgramData\Yahoo!
2008-08-01 20:53 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\Yahoo!
2008-08-01 20:39 --------- d-----w C:\ProgramData\Apple Computer
2008-08-01 20:39 --------- d-----w C:\Program Files\QuickTime
2008-08-01 20:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-01 19:51 --------- d-----w C:\Program Files\Microsoft Works
2008-08-01 19:50 --------- d-----w C:\Program Files\MSBuild
2008-08-01 19:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-01 19:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-07-31 11:00 --------- d-----w C:\Program Files\ThinkPad
2008-07-31 11:00 --------- d-----w C:\Program Files\Lenovo
2008-07-31 10:56 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-31 10:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-31 10:03 174 --sha-w C:\Program Files\desktop.ini
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Journal
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Defender
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-31 09:55 --------- d-----w C:\Program Files\Windows Calendar
2008-07-31 09:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-31 09:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-31 08:51 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-31 08:51 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-31 08:09 --------- d-----w C:\Users\Theo Moor\AppData\Roaming\ATI
2008-07-31 08:06 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2008-07-31 08:03 --------- d-----w C:\ProgramData\UIB
2008-07-31 08:03 --------- d-----w C:\Program Files\Common Files\ThinkVantage Fingerprint Software
2008-07-31 08:01 --------- d-----w C:\Program Files\ATI Technologies
2008-07-31 08:00 --------- d-----w C:\Program Files\ATI
2008-07-31 07:37 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-07-31 07:23 233,888 ----a-w C:\Windows\System32\DreamScene.dll
2008-07-31 07:21 --------- d-----w C:\Program Files\UPEK
2008-07-31 07:20 --------- d-----w C:\Program Files\BitLocker
2008-07-31 07:19 1,171,848 ----a-w C:\Windows\System32\SecureKeyBackupCPL.dll
2008-07-31 07:17 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-07-31 07:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-31 07:15 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-31 07:15 --------- d-----w C:\Program Files\Synaptics
2008-07-31 07:15 --------- d-----w C:\Program Files\CONEXANT
2008-07-31 06:28 9,847,296 ----a-w C:\Windows\System32\NlsData000a.dll
2008-07-31 06:26 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-07-31 06:25 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-07-31 06:22 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-07-31 06:22 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-31 06:20 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-31 06:20 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-07-31 06:17 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-07-31 06:16 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-07-31 06:16 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_ 0.32.07.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 01:11:05 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 01:11:05 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-23 07:29:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-25 03:43:30 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-24 05:01:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008092320080924\index.dat
- 2008-09-23 07:29:15 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-25 03:43:06 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-23 07:29:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-25 03:43:06 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-23 07:24:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-24 05:06:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-09-23 06:56:50 106,796 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-24 15:45:37 106,796 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-23 06:56:50 611,788 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-24 15:45:37 611,788 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-22 22:19:50 6,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
+ 2008-09-24 01:06:23 6,856 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2498408150-3981597196-2587865111-1000_UserData.bin
- 2008-09-22 22:19:50 59,240 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 01:06:23 60,132 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-23 03:26:37 34,256 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-24 06:59:48 34,460 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-09-22 266497]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd C:\Windows\system32\pojabese.dll C:\Windows\system32\pojabese.dll
[HKLM\~\startupfolder\C:^Users^Theo Moor^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Theo Moor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2008-06-13 02:30 214576 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2008-06-05 02:36 242976 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
--------- 2008-06-13 02:30 591136 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-11-21 18:08 820520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--a------ 2008-03-04 10:34 487424 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 23:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2498408150-3981597196-2587865111-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{14C99733-4468-449F-AB4D-7CB22BDA2F19}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{31EADDE9-E2AD-4510-A8C7-D6BE7691CB5C}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA5929B-C65D-49A4-A870-E70FC95C4EED}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E49912C-6B00-4DB5-B24E-EFD6CAF97AD6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5066E27B-0873-4BA2-9B5D-CA2FBE6BA843}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{994B4A53-2A8E-4B10-BCE3-7C38486C36FD}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{09159D92-EA6A-4D82-9A2A-6AB4D7D72E3F}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BEB6BFDE-56E4-4F55-B505-AAC495B1344A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E94EADD5-AA7A-4487-80FD-0E80AA5461B8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{C0862004-5E5C-43F9-B5F5-DE6D0496A394}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{EF61FAD2-4E03-424B-8FED-040BCE8C8699}"= UDP:5721:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{6BF31B32-A0E6-467E-856D-33A27E555335}"= UDP:1034:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{56BDB850-4D1D-4364-A053-53F1926542D7}"= UDP:5678:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{62244E3E-F731-42C5-A10E-C37B5AE9C60C}"= UDP:999:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{CBF2E472-9B7E-46A1-8732-C3B520B63FE2}"= UDP:26675:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{FCA69773-1341-4A43-A42D-FD75AF173083}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{FA61575D-0DBF-4B1B-94EE-11C6CA413E3E}"= UDP:5721:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
"{C0275CA5-3711-4887-93D8-2235D68075D9}"= UDP:1034:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4003
"{CEAE717D-9660-4906-8F94-E52C9B4C62E9}"= UDP:5678:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4004
"{096C14BC-7EAB-49B8-8536-0379D118B857}"= UDP:999:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%systemroot%\WindowsMobile\wmdHost.exe:@%systemroot%\WindowsMobile\wmdc.exe,-4005
"{952340F9-65E5-4544-AA58-90C9F29699C5}"= UDP:26675:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}:@%systemroot%\WindowsMobile\wmdc.exe,-4006
"{33EA85A1-8F53-4BE7-9E5A-EBE4619379AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={B9EA0412-E9F4-4760-9C11-B1FEC00561A0}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdc.exe,-4001
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{6448E642-07C8-4AF5-A5C4-0C76D9B1FB8E}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{1B94555C-451E-4970-B9DA-DAE44AD99BF9}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{8F4F7A7B-08AD-46B9-B33C-9623F1E51B3A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BB56A87-F810-40DA-9616-0BD3F85B053F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{431C8773-0CCD-4077-9506-7678D8C7C678}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D2C19758-638C-4B8A-901C-3FA609D145F7}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F618D534-A0E9-406F-A44A-B60998F08498}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2008-06-13 12080]
R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-05 2464768]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-02 179712]
R3 HSXHWICH;HSXHWICH;C:\Windows\system32\DRIVERS\HSXHWICH.sys [2006-10-18 248320]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-buvuzodala - C:\Windows\system32\kejajumo.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 20:43:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\ibmpmsvc.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avwsc.exe
.
**************************************************************************
.
Completion time: 2008-09-24 20:46:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 03:46:42
ComboFix2.txt 2008-09-23 07:33:31
Pre-Run: 45,926,862,848 bytes free
Post-Run: 45,781,835,776 bytes free
394 --- E O F --- 2008-09-23 07:00:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:42 PM, on 9/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/sh...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5690 bytes
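Three things in the ComboFix registry dump above deserve a second look: all three Windows Firewall profiles (Domain, Public, Standard) show "EnableFirewall"= 0, the FirewallRules key carries inbound TCP and UDP rules for P2P clients (uTorrent, LimeWire), and the MountPoints2 key records an AutoRun command for a drive that was mounted as E:. The following Python script is an added example, not part of the thread and not ComboFix's own code; it pulls those three items out of a ComboFix-style dump so they can be reviewed at a glance. The sample text is constructed from the line shapes in the log above, and the key/value regexes are assumptions about that text format rather than a documented grammar.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix registry dump above
# (firewall profile flags, FirewallRules values, and a MountPoints2 AutoRun entry).
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4E9731CD-6D92-49F5-8AD6-FCE70BDEADB3}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{EDF13208-E6B8-44CD-83BF-87ACD83751F2}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{224B317F-9D86-4EB4-9B26-455BCAE2774D}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{141B6876-88C0-4085-9DDF-FD24F7076100}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{9F97F662-2B3A-4DB6-B2CE-FA2D2482BF5C}"= UDP:990:LocalSubnet:LocalSubnet|IF={3F4D0C69-B544-4D8D-927E-E2EAFB598D3A}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"TCP Query User{60E15E31-81F5-4238-8184-601ED071D8D3}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:µTorrent
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b32395b-7001-11dd-9017-000000000000}]
\shell\AutoRun\command - E:\autorun.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                 # [HKLM\...\SomeKey]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')  # "Name"= value
# First program path in a rule value: a drive letter or %VAR% root, up to ".exe".
PROGRAM_RE = re.compile(r'(?:[a-z]:|%\w+%)\\[^:|"]+?\.exe', re.I)
AUTORUN_RE = re.compile(r'^\\shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$', re.I)

def audit_combofix(text):
    """Collect firewall-off profiles, per-program inbound rules and AutoRun commands."""
    result = {'firewall_disabled': [], 'rules': defaultdict(set), 'autorun': []}
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                      # remember which key the following values belong to
            key = m.group('key')
            continue
        m = AUTORUN_RE.match(line)
        if m and 'mountpoints2' in key.lower():
            result['autorun'].append(m.group('cmd').strip())
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group('name'), m.group('value')
        leaf = key.rsplit('\\', 1)[-1]
        if leaf.lower().endswith('profile') and name == 'EnableFirewall':
            if value.strip().startswith('0'):      # "0 (0x0)" means the profile is off
                result['firewall_disabled'].append(leaf)
        elif leaf.lower() == 'firewallrules':
            proto = value.split(':', 1)[0].upper()  # rule values start with TCP: or UDP:
            pm = PROGRAM_RE.search(value)
            if pm and proto in ('TCP', 'UDP'):
                result['rules'][pm.group(0).lower()].add(proto)
    result['rules'] = {k: sorted(v) for k, v in result['rules'].items()}
    return result

def report(result):
    """Human-readable lines, one per finding."""
    out = [f'Windows Firewall OFF for {p}' for p in result['firewall_disabled']]
    for program, protos in sorted(result['rules'].items()):
        out.append(f'inbound {"/".join(protos)} allowed for {program}')
    for cmd in result['autorun']:
        out.append(f'AutoRun command recorded for a removable drive: {cmd}')
    return out

if __name__ == '__main__':
    for line in report(audit_combofix(SAMPLE)):
        print(line)
```

Two caveats when reading the output against this thread. ZoneAlarm's vsmon.exe is in the process list, and a registered third-party firewall switches the Windows Firewall off, so three disabled profiles are the expected state here rather than evidence of tampering; the thing to confirm is that ZoneAlarm is actually running and filtering. The MountPoints2 entry only records that a drive mounted as E: carried an autorun pointing at E:\autorun.exe; it does not say the file was bad, but identifying that device is worth a moment, since AutoRun from removable media was a common way for this class of rogue to arrive.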
tokin it up
AfterDawn Addict
25. September 2008 @ 00:05
Talk to me.....
Your Log is CLEAN.. Any more problems????
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
chkinjoe
Junior Member
25. September 2008 @ 00:12
Yeah, sorry about that, the posting was messed up, but thanks for your help, and no, there are no more problems. I would just like to know one thing: where can I go to learn how to read what's legit and what's not, and be able to do this for myself and help others too?
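Reading a HijackThis log is mostly pattern recognition, and the patterns in this thread are typical of a rogue antivirus: executables under System32 with random or purely numeric names, the same non-system binary running more than once, a Run entry that loads a DLL through rundll32 (the orphan ComboFix removed was exactly that), services whose binary carries no company name, and a start or search page pointing somewhere other than the vendor default. The script below is an added example that is not from the thread and not part of HijackThis; it applies those heuristics to HJT-format lines. The sample log and its names (QWEA0F7.exe, FakeShield, example-rogue.invalid) are constructed for the example, the trusted-host and may-run-twice lists are assumptions to tune, and a hit means "look closer" (check the file's signature, hash and vendor), never "this is malware".

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed HijackThis v2.0.2-style lines; the odd names are invented for the example.
SAMPLE_HJT = r"""
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\System32\QWEA0F7.exe
C:\Windows\System32\QWE3C1B.exe
C:\Program Files\FakeShield\0.exe
C:\Program Files\FakeShield\0.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://scanner.example-rogue.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [buvuzodala] rundll32.exe C:\Windows\system32\kejajumo.dll
O23 - Service: FakeShield Service - Unknown owner - C:\Program Files\FakeShield\5.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
"""

# Stems like "QWEA0F7" (a few letters then hex digits) or "0" / "5" (bare numbers).
RANDOM_STEM = re.compile(r'^(?:[a-z]{0,4}[0-9a-f]{3,}|\d+)$', re.I)
# Assumption: binaries that legitimately run as several instances on Vista.
MULTI_INSTANCE_OK = {'svchost.exe', 'rundll32.exe', 'dllhost.exe', 'ati2evxx.exe'}
# Assumption: hosts a default IE start/search page may point at.
TRUSTED_HOSTS = {'go.microsoft.com', 'www.microsoft.com'}
R_LINE = re.compile(r'^R[01] - .*? = (?P<url>\S+)$')   # R0/R1 entries with a URL value

def _filename(path):
    return path.rsplit('\\', 1)[-1].lower()

def _stem(path):
    return _filename(path).rsplit('.', 1)[0]

def triage(text):
    """Return (kind, line, reason) tuples for HJT entries worth a second look."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # HJT prints running processes as bare paths, one per line.
    procs = [l for l in lines if re.match(r'^[a-z]:\\', l, re.I)]
    for p in dict.fromkeys(procs):                 # each distinct path once
        stem = _stem(p)
        if RANDOM_STEM.match(stem) and re.search(r'\d', stem):
            findings.append(('process', p, 'random or purely numeric executable name'))
    for p, n in Counter(x.lower() for x in procs).items():
        if n > 1 and _filename(p) not in MULTI_INSTANCE_OK:
            findings.append(('process', p, f'{n} instances of a non-system binary'))
    for line in lines:
        m = R_LINE.match(line)
        if m:
            host = urlsplit(m.group('url')).hostname or ''
            if host not in TRUSTED_HOSTS:
                findings.append(('browser', line, f'start/search page points at {host}'))
        elif line.startswith('O4 - ') and 'rundll32' in line.lower() and '.dll' in line.lower():
            findings.append(('autostart', line, 'Run entry loads a DLL through rundll32'))
        elif line.startswith('O23 - ') and 'Unknown owner' in line:
            findings.append(('service', line, 'service binary carries no company name'))
    return findings

if __name__ == '__main__':
    for kind, line, reason in triage(SAMPLE_HJT):
        print(f'[{kind}] {reason}\n    {line}')
```

The heuristics deliberately err toward noise: a legitimate driver utility can have a terse name and a legitimate Run entry can use rundll32, which is why each hit should be resolved by checking the file's digital signature and looking its hash up before anything is fixed with HijackThis.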
tokin it up