Help, I think my PC has been infected
Original Message
Name: aray
Date: August 8, 2008 at 18:08:36 Pacific
Subject: Help, I think my PC has been infected
OS: Windows XP
CPU/RAM: Pentium(R) 4 CPU, 1.25 GB
Model/Manufacturer: Dell/DM3000
Comment: I downloaded this torrent (I know I had it coming); I believe it had a virus. A red window popped up that read "Antivirus 2008", so I did not run it and instead did a full scan with Norton and another with Spybot Search & Destroy. Both came up with a couple of issues and I clicked the fix button. After several reboots a big red X is next to the My Computer icon on the desktop. When I open it, my C: drive is nowhere to be found. I've been reading the forums and already downloaded hijackthis.exe. I need help reading that log; I have no clue at all. Thanks
Response Number 1
Name: jabuck
Date: August 8, 2008 at 19:12:15 Pacific
Reply: It will take a few posts to get rid of this Vundo Trojan, so hang in there please.

Go to Start > Control Panel > Add/Remove Programs and uninstall these programs if found:
WinAntivirus 2008 or Antivirus 2008
WinAntivirus 2009 or Antivirus 2009

Please download and install the latest version of HijackThis v2.0.2. Download the "HijackThis" installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 2
Name: aray
Date: August 8, 2008 at 19:34:11 Pacific
Reply: Thank you, here is the log. I checked the programs in the Control Panel and did not find those programs.

Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:50 PM, on 08/08/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Antivirus-2008.exe] C:\Program Files\Antivirus 2008\Antivirus-2008.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zyl...
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: __A - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 15149 bytes

In the computer knowledge rank, I'm an idiot
Response Number 3
Name: jabuck
Date: August 8, 2008 at 19:57:47 Pacific
Reply: Removal and clean-up will take a few posts, so hang in there.

Spybot's TeaTimer must be shut down, as well as any other real-time protection that you may have running. Go to this link: Disable Realtime Protection. Follow their directions to disable any real-time protection that you have, as it will interfere with the fix by reinstalling the corrupt files and corrupting the removal tools that we will need.

Your Java is out of date and has been exploited. Download the latest version of Java from this link: Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2
1. Double-click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
10. Post a new HijackThis log please.
Response Number 4
Name: aray
Date: August 8, 2008 at 23:57:38 Pacific
Reply: Here is the log. I already installed Java and deleted the older versions, now just tell me what to do :) Thanks for your help.

Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 2

2:41:24 AM 08/09/08
mbam-log-8-9-2008 (02-41-24).txt

Scan type: Quick Scan
Objects scanned: 46564
Time elapsed: 17 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__a (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aray\Local Settings\Temp\DAP86Premium.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aray\Local Settings\Temp\dssc32.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
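Added note (not part of the original thread): the HijackThis log in Response 2 and the Malwarebytes results above contain the tells jabuck was reading by eye. An HKCU Run entry named "Windows Update" launches svchost.exe (which is only ever started by the service control manager), an unrecognised msupdte.exe autostart sits in system32 (later flagged as Backdoor.Bot), and a Winlogon Notify entry (__A) points at a bare directory (later flagged as Trojan.Vundo). The NoDrives policy value Malwarebytes reset from 12 to 0 is a bitmask with one bit per drive letter, which is what made the C: drive vanish from My Computer. The Python script below, written for this page and not code from HijackThis or Malwarebytes, parses a few lines copied from the log and decodes that value. The allow-list of system32 autostarts and the flagging rules are my assumptions, tuned to this one log, not a general signature set.

```python
"""Triage of HijackThis log lines and of the Explorer NoDrives policy value.

Added example for this thread; it is not part of the original posts and is
not code from HijackThis or Malwarebytes. The sample entries are copied from
the log posted above. The allow-list and the heuristics are my own
assumptions, chosen to reproduce the findings the scanners reported here.
"""
import re

# Entries copied from the HijackThis log in Response 2 (a subset).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antivirus-2008.exe] C:\Program Files\Antivirus 2008\Antivirus-2008.exe
O20 - Winlogon Notify: __A - C:\WINDOWS\
"""

ENTRY_RE = re.compile(r"^(?P<kind>O\d+|R\d) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll))', re.IGNORECASE)

# system32 programs that legitimately appear in Run keys on this XP/Dell build
# (taken from the clean entries in the log above; an assumption, not exhaustive).
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "hkcmd.exe", "igfxtray.exe", "igfxpers.exe"}


def target_path(command: str) -> str:
    """Return the executable part of a Run-key command, quoted or not."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def triage_hjt(log: str) -> list:
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # "O4 - Startup:" shortcut entries have a different shape
            path = target_path(o4.group("command"))
            exe = path.rsplit("\\", 1)[-1].lower()
            in_system32 = "\\system32\\" in path.lower()
            if exe == "svchost.exe":
                findings.append((line, "svchost.exe is started by the service control manager, never from a Run key"))
            elif in_system32 and exe not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append((line, f"unrecognised autostart in system32: {exe}"))
            elif "antivirus 2008" in path.lower():
                findings.append((line, "rogue security product (Antivirus 2008)"))
        elif kind == "O20":
            o20 = O20_RE.match(body)
            if o20 and (o20.group("path").endswith("\\") or o20.group("path") == "(no file)"):
                findings.append((line, "Winlogon Notify handler without a DLL file name"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append((line, "orphaned BHO registration, nothing on disk"))
    return findings


def decode_nodrives(value: int) -> list:
    """Drive letters hidden by an Explorer NoDrives bitmask (bit 0 = A:, bit 1 = B:, ...)."""
    return [chr(ord("A") + bit) for bit in range(26) if value >> bit & 1]


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {line}")
    # Malwarebytes reported NoDrives Bad: (12) Good: (0) in Response 4.
    print("NoDrives=12 hides:", decode_nodrives(12))
```

Run as a script it prints five flagged lines (the two orphan/rogue entries, the svchost.exe and msupdte.exe autostarts, and the __A Winlogon Notify handler) and leaves ctfmon.exe, hkcmd.exe and the Adobe BHO alone; decode_nodrives(12) returns ['C', 'D'] (bits 2 and 3), which matches the missing C: drive in the first post.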
Response Number 5
Name: jabuck
Date: August 9, 2008 at 05:08:29 Pacific
Reply: Please post a new HijackThis log.

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3

ComboFix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or ComboFix and remove some of its embedded files, which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe and follow the prompts. (Don't click on the window while the program is running or move the mouse; it will cause your system to hang.) Please post the log it produces.
Response Number 6
Name: aray
Date: August 9, 2008 at 07:39:31 Pacific
Reply: OK, I did both, so here are the log files for ComboFix and HijackThis, and thanks again :))

ComboFix 08-08-08.07 - Aray 2008-08-09 9:55:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.814 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_003241_.tmp.dll
C:\WINDOWS\system32\_003242_.tmp.dll
C:\WINDOWS\system32\_003243_.tmp.dll
C:\WINDOWS\system32\_003244_.tmp.dll
C:\WINDOWS\system32\_003251_.tmp.dll
C:\WINDOWS\system32\_003252_.tmp.dll
C:\WINDOWS\system32\_003253_.tmp.dll
C:\WINDOWS\system32\_003254_.tmp.dll
C:\WINDOWS\system32\_003256_.tmp.dll
C:\WINDOWS\system32\_003257_.tmp.dll
C:\WINDOWS\system32\_003260_.tmp.dll
C:\WINDOWS\system32\_003261_.tmp.dll
C:\WINDOWS\system32\_003263_.tmp.dll
C:\WINDOWS\system32\_003264_.tmp.dll
C:\WINDOWS\system32\_003265_.tmp.dll
C:\WINDOWS\system32\_003267_.tmp.dll
C:\WINDOWS\system32\_003268_.tmp.dll
C:\WINDOWS\system32\_003270_.tmp.dll
C:\WINDOWS\system32\_003271_.tmp.dll
C:\WINDOWS\system32\_003275_.tmp.dll
C:\WINDOWS\system32\_003276_.tmp.dll
C:\WINDOWS\system32\_003278_.tmp.dll
C:\WINDOWS\system32\_003281_.tmp.dll
C:\WINDOWS\system32\_003283_.tmp.dll
C:\WINDOWS\system32\_003284_.tmp.dll
C:\WINDOWS\system32\_003285_.tmp.dll
C:\WINDOWS\system32\_003286_.tmp.dll
C:\WINDOWS\system32\_003287_.tmp.dll
C:\WINDOWS\system32\_003290_.tmp.dll
C:\WINDOWS\system32\_003291_.tmp.dll
C:\WINDOWS\system32\_003292_.tmp.dll
C:\WINDOWS\system32\_003293_.tmp.dll
C:\WINDOWS\system32\_003294_.tmp.dll
C:\WINDOWS\system32\_003299_.tmp.dll
C:\WINDOWS\system32\_003301_.tmp.dll
C:\WINDOWS\system32\_003302_.tmp.dll
C:\WINDOWS\system32\msconfig32
C:\WINDOWS\system32\msconfig32\__msnusr_arytito@msn.com
C:\WINDOWS\system32\msconfig32\msscncrtdate.dat
.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 00:24 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:58 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-08 22:57 . 2008-08-08 22:57 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET36A.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET402.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET442.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --------- C:\WINDOWS\system32\SET474.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET4E9.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET557.tmp
2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET5A0.tmp
2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET59C.tmp
2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET595.tmp
2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET59E.tmp
2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET598.tmp
2008-08-08 21:41 . 2008-08-08 23:28 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 14:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 05:45 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-09 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM
2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut
2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-12 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2005-10-14 00:11 56 --sh--r C:\WINDOWS\system32\ABD0B0C66D.sys
2005-10-14 00:11
1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016] "BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688] "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152] "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" 
[2004-04-19 12:25 634880] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208] C:\Documents and Settings\Aray\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispSettingPage"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\LEXPPS.EXE"= 
"C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Business Attorney\\BA.EXE"= "C:\\WINDOWS\\system32\\javaw.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\system32\\sessmgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support "47877:TCP"= 47877:TCP:azure R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02] R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30] S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42] S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07] S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24] S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04] S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24] *Newly Created Service* - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}] C:\WINDOWS\system32\svchost.exe . Contents of the 'Scheduled Tasks' folder 2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19] . 
- - - - ORPHANS REMOVED - - - - Notify-dimsntfy - (no file) . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/ R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/ R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab C:\WINDOWS\Downloaded Program Files\ZylomGamesPlayer.inf C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dll **************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 10:09:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-09 10:29:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 14:29:33

Pre-Run: 39,992,070,144 bytes free
Post-Run: 40,881,082,368 bytes free

280 --- E O F --- 2008-07-24 04:03:13

**********************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:37 AM, on 08/09/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Aray\Desktop\New Folder\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommo...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zyl...
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/gam...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13766 bytes

In the computer knowledge rank, I'm an idiot
Report Offensive Follow Up For Removal
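The HijackThis O4 section above is the part of the log a helper reads first, and it is read the same way every time: separate the program that Windows launches from what that program is told to load, and look at where each lives and under which account it runs. The script below is an added example for this thread, not code from the thread, from HijackThis or from ComboFix. It parses O4 lines in the format shown above and attaches the observations a reviewer would want first: the image is a host program (javaw.exe, regsvr32, rundll32 and similar), so the real payload is in its arguments; the image is given without a path and is resolved through PATH at logon; the image sits outside Program Files or WINDOWS; the entry runs as SYSTEM or Default user; or it is a RunOnce entry, which deletes itself after firing. SAMPLE_LOG is copied from the log above; HOST_PROGRAMS, STD_DIRS and the flag wording are this example's own heuristics. The flags mark what to look at, not verdicts: in this log the two host-program entries name a Sprint modem updater and a label-maker registration DLL, but the launch pattern is the same one a dropper uses, which is why a triage pulls them out.

```python
"""Triage HijackThis O4 (autostart) entries.

Added example; not code from the thread, HijackThis or ComboFix. Parses O4 lines,
splits launcher image from arguments, and flags the launch patterns a reviewer
looks at first. SAMPLE_LOG is copied from the thread's log; the heuristics
(HOST_PROGRAMS, STD_DIRS, flag text) are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
"""

# Registry-backed entries: O4 - <hive>\..\<key>: [<name>] <command> [(User '<user>')]
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder entries: O4 - Startup: <shortcut> = <target>
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First token of a command: a quoted path, an unquoted path ending in an executable
# extension (HijackThis prints these unquoted even with spaces), or a bare word.
IMAGE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif)|\S+))(?:\s+(.*))?$', re.I)
# First loadable object named in the arguments of a host program.
PAYLOAD_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:dll|ocx|jar|js|vbs|hta|bat|cmd))\b', re.I)
HOST_PROGRAMS = {"java", "javaw", "regsvr32", "rundll32", "cmd", "wscript", "cscript", "mshta"}
STD_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


@dataclass
class Autostart:
    hive: str                       # HKLM, HKCU, HKUS\<SID or .DEFAULT>, Startup
    key: str                        # Run, RunOnce, ... ("" for Startup-folder items)
    name: str
    command: str
    user: Optional[str] = None      # account HijackThis reports for HKUS entries
    image: str = ""                 # launcher image exactly as written in the entry
    payload: Optional[str] = None   # what a host program is told to load
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autostart]:
    m = REG_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return Autostart(g["hive"], g.get("key") or "", g["name"], g["cmd"].strip(), g.get("user"))


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, arguments) for a Run-key command string."""
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd, ""
    return (m.group(1) or m.group(2)), (m.group(3) or "")


def triage(entry: Autostart) -> Autostart:
    image, args = split_command(entry.command)
    entry.image = image
    base = image.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if stem in HOST_PROGRAMS:
        entry.flags.append(f"host program {base}: the payload is in the arguments")
        found = PAYLOAD_RE.search(args)
        entry.payload = found.group(1) if found else None
        if entry.payload and not entry.payload.lower().startswith(STD_DIRS):
            entry.flags.append("payload outside Program Files / WINDOWS")
    if "\\" not in image:
        entry.flags.append("unqualified image name, resolved through PATH at logon")
    elif not image.lower().startswith(STD_DIRS):
        entry.flags.append("image outside Program Files / WINDOWS")
    if entry.user and entry.user.lower() in ("system", "default user"):
        entry.flags.append(f"runs in the {entry.user} context")
    if entry.key.lower().startswith("runonce"):
        entry.flags.append("RunOnce entry: deletes itself after firing, so record it now")
    return entry


def triage_log(text: str) -> List[Autostart]:
    parsed = (parse_o4(line.strip()) for line in text.splitlines())
    return [triage(e) for e in parsed if e]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        if e.flags:
            target = f" -> {e.payload}" if e.payload else ""
            print(f"[{e.hive}\\{e.key or 'folder'}] {e.name}: {e.image}{target}")
            for f in e.flags:
                print("    -", f)
```

Run against the sample, the entries with flags are BuildBU (image under c:\dell), SprintModemUpdate (javaw.exe found via PATH, loading a .jar) and LabelMaker2.0 (regsvr32 loading a DLL as SYSTEM from RunOnce). The other four come back clean, which is the point of a triage: it shrinks the list to what a human must look up.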
|
|
Response Number 7
|
Name: aray
Date: August 9, 2008 at 07:50:51 Pacific
|
Reply: (edit)I'm proud to tell you that the big red X next to the My Computer icon is gone, and the C: file can now be seen inside the folder. Now I want to get rid of all the trash for good, so I'll come back for further instructions. I also tried to install the Service Pack 3 update from Microsoft, but halfway through the operation I'm getting an error message that reads: access denied. T.H.A.N.K Y.O.U S.O M.U.C.H!

In the computer knowledge rank, I'm an idiot
Report Offensive Follow Up For Removal
|
|
Response Number 8
|
Name: jabuck
Date: August 9, 2008 at 11:53:26 Pacific
|
Reply: (edit)Before we continue I need you to check some files for me; the second one is a folder and may not run, but please try it. Please go to Virus Total and upload the following files for analysis:

C:\WINDOWS\system32\ABD0B0C66D.sys
C:\WINDOWS\system32\CatRoot_bak

Use the browse button at the site to find the file; once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file". Post the results in your reply.
Report Offensive Follow Up For Removal
|
|
Response Number 9
|
Name: aray
Date: August 9, 2008 at 14:08:24 Pacific
|
Reply: (edit)The first file:

File ABD0B0C66D.sys received on 08.09.2008 23:05:01 (CET)
Result: 0/35 (0%)

Antivirus / Version / Last Update / Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 -
Ikarus T3.1.1.34.0 2008.08.09 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 -
NOD32v2 3342 2008.08.09 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 -

Additional information
File size: 56 bytes
MD5...: 54790804f216223b95effc9c6cfb0cf9
SHA1..: 048485de0e341a08e1a9ea524ef8ba7a83bf73d0
SHA256: 6d26e4ecd935afcfd1802df56ecb1bdd586970efe693ccc8e6662a22a501787c
SHA512: d5ca756cf8ccc7d03e26e833a4960f533390f4842c084d354e06d7eed206ff38f3c560ddeedab356011ba8cf4c74e9b5fc33b7d31fcec746f325d62befb37d07
PEiD..: -
PEInfo: -

In the computer knowledge rank, I'm an idiot
Report Offensive Follow Up For Removal
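The useful part of the VirusTotal report in the reply above is not only the 0/35 ratio but the "Additional information" block: the MD5, SHA-1, SHA-256 and SHA-512 of the uploaded bytes tie the report to one exact file, so a helper can confirm that the file later deleted from system32 is the one that was scanned, and anyone can search VirusTotal for that hash afterwards without uploading the file again. The script below is an added example for Responses 8 and 9; it is not code from the thread or from VirusTotal. parse_vt_report() pulls the detection ratio, file size and digests out of a pasted report, digests_for() computes the same digests locally, and matches_report() compares them. VT_REPORT is an excerpt of the report pasted above (most of the 35 engine rows are omitted); the bytes hashed in the __main__ block are constructed, since the real 56-byte file is not available here. One caveat the ratio cannot express: 0/35 on a 56-byte file says only that no engine has a signature for those bytes, which is exactly what a licensing stub and a freshly built stager would both produce.

```python
"""Tie a VirusTotal report to the file it describes.

Added example for Responses 8 and 9; not code from the thread or VirusTotal.
VT_REPORT is an excerpt of the report pasted in Response 9. The bytes hashed
under __main__ are constructed, because the real file is not available here.
"""
import hashlib
import re
from typing import Dict

VT_REPORT = """\
File ABD0B0C66D.sys received on 08.09.2008 23:05:01 (CET)
Result: 0/35 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
Kaspersky 7.0.0.125 2008.08.09 -
Symantec 10 2008.08.09 -
Additional information
File size: 56 bytes
MD5...: 54790804f216223b95effc9c6cfb0cf9
SHA1..: 048485de0e341a08e1a9ea524ef8ba7a83bf73d0
SHA256: 6d26e4ecd935afcfd1802df56ecb1bdd586970efe693ccc8e6662a22a501787c
SHA512: d5ca756cf8ccc7d03e26e833a4960f533390f4842c084d354e06d7eed206ff38f3c560ddeedab356011ba8cf4c74e9b5fc33b7d31fcec746f325d62befb37d07
"""

# hashlib algorithm name -> (label as VirusTotal printed it, expected hex length)
DIGESTS = {
    "md5": ("MD5", 32),
    "sha1": ("SHA1", 40),
    "sha256": ("SHA256", 64),
    "sha512": ("SHA512", 128),
}


def parse_vt_report(text: str) -> Dict[str, object]:
    """Extract detections/engines, file size and digests from a pasted report."""
    ratio = re.search(r"Result:\s*(\d+)/(\d+)", text)
    if not ratio:
        raise ValueError("no 'Result: n/m' line in report")
    report: Dict[str, object] = {
        "detections": int(ratio.group(1)),
        "engines": int(ratio.group(2)),
    }
    size = re.search(r"File size:\s*([\d,]+)\s*bytes", text)
    report["size"] = int(size.group(1).replace(",", "")) if size else None
    for algo, (label, hexlen) in DIGESTS.items():
        # Labels are dot-padded to a fixed width ("MD5...:", "SHA1..:").
        m = re.search(r"^" + label + r"\.*:\s*([0-9a-fA-F]+)\s*$", text, re.M)
        if not m:
            continue
        value = m.group(1).lower()
        if len(value) != hexlen:
            raise ValueError(f"{label} has {len(value)} hex digits, expected {hexlen}")
        report[algo] = value
    return report


def digests_for(data: bytes) -> Dict[str, str]:
    """The same four digests VirusTotal prints, computed over local bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGESTS}


def matches_report(report: Dict[str, object], data: bytes) -> bool:
    """True when the size (if reported) and every reported digest match data."""
    present = [algo for algo in DIGESTS if algo in report]
    if not present:
        raise ValueError("report carries no digests to compare against")
    if report.get("size") is not None and report["size"] != len(data):
        return False
    local = digests_for(data)
    return all(report[algo] == local[algo] for algo in present)


if __name__ == "__main__":
    rep = parse_vt_report(VT_REPORT)
    print(f"{rep['detections']}/{rep['engines']} engines flagged a {rep['size']}-byte file")
    print("search VirusTotal later by hash:", rep["sha256"])
    stand_in = b"constructed stand-in; the real 56-byte file is not available\n"
    print("local bytes match the report:", matches_report(rep, stand_in))
```

On a real case you would read the candidate file with open(path, "rb").read() and pass it to matches_report(); a False there means the report you are looking at is for different bytes, which happens more often than one would think when a file has been quarantined, restored or overwritten between scans.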
|
|
Response Number 10
|
Name: aray
Date: August 9, 2008 at 14:10:48 Pacific
|
Reply: (edit)the second folder did not run :( I'll check back for your reply in a while....thank you In the computer knowledge rank, I'm an idiot
Report Offensive Follow Up For Removal
|
|
Response Number 11
|
Name: jabuck
Date: August 9, 2008 at 17:40:16 Pacific
|
Reply: (edit)Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (unless you set this)

Exit Hijack This.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET5A0.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\ABD0B0C66D.sys

Driver::
__A
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run". Post a new ComboFix log.
Report Offensive Follow Up For Removal
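The reply above shows the CFScript format by hand: a directive line such as File:: followed by one full path per line, with Driver:: taking the same one-item-per-line form for service names. The paths it lists were picked out of the ComboFix "Files Created" and "Find3M" listings earlier in the thread. The script below is an added example for that procedure; it is not code from the thread or from ComboFix. parse_listing() reads both listing formats (two timestamps separated by " . " in "Files Created", one timestamp in "Find3M") into records with size and attribute flags, and build_cfscript() writes the File:: section, plus a Folder:: section for directories (a ComboFix directive not used in the thread), for whatever a caller-supplied rule selects. SAMPLE_LISTING is copied from that log. The two selection rules are this example's own and pick candidates for review, not deletion verdicts: a hidden, system-attributed file of a few bytes in system32 is frequently a licensing stub, and SET*.tmp files in system32 sharing one timestamp are commonly pending-rename leftovers from a hotfix or service-pack installer (the attempted SP3 install in Response 7 is consistent with that), so identify them first and only then put them in a script.

```python
"""Generate a ComboFix CFScript from ComboFix log listings.

Added example for Response 11; not code from the thread or from ComboFix.
SAMPLE_LISTING is copied from the thread's log. The selection rules below
(hidden+system file, SET*.tmp in system32) are this example's own and produce
candidates for review, not deletion verdicts.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

SAMPLE_LISTING = r"""
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET402.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --------- C:\WINDOWS\system32\SET474.tmp
2008-08-08 21:41 . 2008-08-08 23:28 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2005-10-14 00:11 56 --sh--r C:\WINDOWS\system32\ABD0B0C66D.sys
2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
"""

# "Files Created": created . modified size attrs path   |   "Find3M": modified size attrs path
LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\.\s+(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-a-z]{7,9})\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)


@dataclass
class Entry:
    created: str
    modified: Optional[str]
    size: Optional[int]        # None for directories and for "---------"
    attrs: str                 # ComboFix attribute string, e.g. --sh--r or d--h--w
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue                     # banners, lone dots, blank lines
        size = m.group("size")
        entries.append(Entry(
            m.group("created"), m.group("modified"),
            int(size.replace(",", "")) if size[0].isdigit() else None,
            m.group("attrs"), m.group("path"),
        ))
    return entries


def hidden_system_file(e: Entry) -> bool:
    """A file carrying both the hidden and the system attribute."""
    return not e.is_dir and e.hidden and e.system


def setup_tmp_in_system32(e: Entry) -> bool:
    """SET<hex>.tmp directly under system32, the installer pending-rename pattern."""
    folder, _, name = e.path.rpartition("\\")
    return (folder.lower() == r"c:\windows\system32"
            and re.fullmatch(r"set[0-9a-f]+\.tmp", name.lower()) is not None)


def build_cfscript(entries: List[Entry], select: Callable[[Entry], bool]) -> str:
    """File:: for selected files, Folder:: for selected directories, one path per line."""
    chosen = [e for e in entries if select(e)]
    sections = []
    files = [e.path for e in chosen if not e.is_dir]
    folders = [e.path for e in chosen if e.is_dir]
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    script = build_cfscript(found, lambda e: hidden_system_file(e) or setup_tmp_in_system32(e))
    print(script, end="")
    # To hand the result to ComboFix, save it as Notepad would: plain text, CRLF.
    # with open("CFScript.txt", "w", encoding="cp1252", newline="\r\n") as fh:
    #     fh.write(script)
```

For the sample the combined rule selects SET402.tmp, SET474.tmp, ABD0B0C66D.sys and KGyGaAvL.sys and leaves wbocx.ocx, tcpip.sys and both directories alone; the hidden InstallShield directory is skipped because it is a directory and lacks the system attribute. Selecting CatRoot_bak with a rule of your own yields a Folder:: section instead.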
|
|
Response Number 12
|
Name: aray
Date: August 9, 2008 at 19:49:55 Pacific
|
Reply: (edit)All done, here is the log :)))

ComboFix 08-08-08.07 - Aray 2008-08-09 22:14:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.654 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aray\Desktop\CFScript.txt

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\ABD0B0C66D.sys
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET5A0.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\#SharedObjects\T6G8BDR9\interclick.com\ud.sol
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\_000190_.tmp.dll
C:\WINDOWS\system32\_000201_.tmp.dll
C:\WINDOWS\system32\_000203_.tmp.dll
C:\WINDOWS\system32\_003249_.tmp.dll
C:\WINDOWS\system32\_003250_.tmp.dll
C:\WINDOWS\system32\_003251_.tmp.dll
C:\WINDOWS\system32\_003252_.tmp.dll
C:\WINDOWS\system32\_003259_.tmp.dll
C:\WINDOWS\system32\_003260_.tmp.dll
C:\WINDOWS\system32\_003261_.tmp.dll
C:\WINDOWS\system32\_003262_.tmp.dll
C:\WINDOWS\system32\_003263_.tmp.dll
C:\WINDOWS\system32\_003264_.tmp.dll
C:\WINDOWS\system32\_003265_.tmp.dll
C:\WINDOWS\system32\_003266_.tmp.dll
C:\WINDOWS\system32\_003267_.tmp.dll
C:\WINDOWS\system32\_003268_.tmp.dll
C:\WINDOWS\system32\_003269_.tmp.dll
C:\WINDOWS\system32\_003270_.tmp.dll
C:\WINDOWS\system32\_003271_.tmp.dll
C:\WINDOWS\system32\_003272_.tmp.dll
C:\WINDOWS\system32\_003274_.tmp.dll
C:\WINDOWS\system32\_003277_.tmp.dll
C:\WINDOWS\system32\_003278_.tmp.dll
C:\WINDOWS\system32\_003282_.tmp.dll
C:\WINDOWS\system32\_003283_.tmp.dll
C:\WINDOWS\system32\_003284_.tmp.dll
C:\WINDOWS\system32\_003285_.tmp.dll
C:\WINDOWS\system32\_003286_.tmp.dll
C:\WINDOWS\system32\_003287_.tmp.dll
C:\WINDOWS\system32\_003288_.tmp.dll
C:\WINDOWS\system32\_003290_.tmp.dll
C:\WINDOWS\system32\_003291_.tmp.dll
C:\WINDOWS\system32\_003292_.tmp.dll
C:\WINDOWS\system32\_003293_.tmp.dll
C:\WINDOWS\system32\_003294_.tmp.dll
C:\WINDOWS\system32\_003295_.tmp.dll
C:\WINDOWS\system32\_003296_.tmp.dll
C:\WINDOWS\system32\_003297_.tmp.dll
C:\WINDOWS\system32\_003298_.tmp.dll
C:\WINDOWS\system32\_003299_.tmp.dll
C:\WINDOWS\system32\_003300_.tmp.dll
C:\WINDOWS\system32\_003303_.tmp.dll
C:\WINDOWS\system32\_003304_.tmp.dll
C:\WINDOWS\system32\_003305_.tmp.dll
C:\WINDOWS\system32\_003307_.tmp.dll
C:\WINDOWS\system32\_003308_.tmp.dll
C:\WINDOWS\system32\_003309_.tmp.dll
C:\WINDOWS\system32\_003310_.tmp.dll
C:\WINDOWS\system32\_003311_.tmp.dll
C:\WINDOWS\system32\_003313_.tmp.dll
C:\WINDOWS\system32\_003314_.tmp.dll
C:\WINDOWS\system32\_003316_.tmp.dll
C:\WINDOWS\system32\_003317_.tmp.dll
C:\WINDOWS\system32\_003321_.tmp.dll
C:\WINDOWS\system32\_003322_.tmp.dll
C:\WINDOWS\system32\_003324_.tmp.dll
C:\WINDOWS\system32\_003327_.tmp.dll
C:\WINDOWS\system32\_003329_.tmp.dll
C:\WINDOWS\system32\_003330_.tmp.dll
C:\WINDOWS\system32\_003331_.tmp.dll
C:\WINDOWS\system32\_003332_.tmp.dll
C:\WINDOWS\system32\_003335_.tmp.dll
C:\WINDOWS\system32\_003336_.tmp.dll
C:\WINDOWS\system32\_003337_.tmp.dll
C:\WINDOWS\system32\_003338_.tmp.dll
C:\WINDOWS\system32\_003339_.tmp.dll
C:\WINDOWS\system32\_003344_.tmp.dll
C:\WINDOWS\system32\_003346_.tmp.dll
C:\WINDOWS\system32\_003347_.tmp.dll
C:\WINDOWS\system32\ABD0B0C66D.sys
C:\WINDOWS\system32\SET36A.tmp
C:\WINDOWS\system32\SET402.tmp
C:\WINDOWS\system32\SET442.tmp
C:\WINDOWS\system32\SET474.tmp
C:\WINDOWS\system32\SET4E9.tmp
C:\WINDOWS\system32\SET557.tmp
C:\WINDOWS\system32\SET595.tmp
C:\WINDOWS\system32\SET598.tmp
C:\WINDOWS\system32\SET59C.tmp
C:\WINDOWS\system32\SET59E.tmp
C:\WINDOWS\system32\SET5A0.tmp
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 20:35 . 2008-08-09 20:35 3,151 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 12:55 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003237_.tmp.dll
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:58 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003227_.tmp.dll
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 .
2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET2F1.tmp 2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET460.tmp 2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET4C7.tmp 2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET520.tmp 2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET5D4.tmp 2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET642.tmp 2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET68B.tmp 2008-08-08 22:35 . 2008-04-13 20:11 193,536 --a------ C:\WINDOWS\system32\SET576.tmp 2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET687.tmp 2008-08-08 22:35 . 2008-04-13 20:11 143,360 --a------ C:\WINDOWS\system32\SET570.tmp 2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET680.tmp 2008-08-08 22:35 . 2008-04-13 20:11 125,952 --a------ C:\WINDOWS\system32\SET568.tmp 2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET689.tmp 2008-08-08 22:35 . 2008-04-13 20:11 98,304 --a------ C:\WINDOWS\system32\SET573.tmp 2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET683.tmp 2008-08-08 22:35 . 2008-04-13 20:12 44,544 --a------ C:\WINDOWS\system32\SET56B.tmp 2008-08-08 21:41 . 2008-08-09 20:09 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak 2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6 2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst 2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst 2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games 2008-07-12 14:36 . 
2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin 2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx 2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx 2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-10 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-08-09 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-08-09 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center 2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft 2008-08-09 05:56 --------- d-----w C:\Program Files\Java 2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-09 02:15 --------- d-----w C:\Program Files\Intel 2008-08-09 02:13 --------- d-----w C:\Program Files\Real 2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-08-09 01:49 --------- d-----w C:\Program Files\Google 2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet 2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus 2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar 2008-07-30 21:42 23,888 ----a-w 
C:\WINDOWS\system32\drivers\COH_Mon.sys 2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf 2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat 2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus 2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast 2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys 2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security 2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF 2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL 2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec 2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec 2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar 2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll 2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll 2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys 2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat 2008-06-13 18:14 1,611 ----a-w 
C:\WINDOWS\system32\drivers\SymRedir.inf 2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys 2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys 2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys 2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys 2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys 2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys 2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys 2008-06-13 16:56 691,545 ----a-w C:\WINDOWS\unins000.exe 2008-06-13 14:35 --------- d-----w C:\Documents and Settings\Aray\Application Data\AdobeUM 2008-06-13 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995 2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-12 20:45 --------- d-----w C:\Documents and Settings\Aray\Application Data\TaxCut 2008-06-12 15:27 --------- d-----w C:\Program Files\Common Files\Scanner 2005-10-14 00:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-08-09_10.28.48.32 ))))))))))))))))))))))))))))))))))))))))) . + 2008-08-10 01:52:05 5,424 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{22B8852C-2591-4680-B45A-2565E0D0CCCE}.bin + 2004-08-04 10:00:00 71,040 ------w C:\WINDOWS\system32\drivers\_003227_.tmp.dll + 2004-08-04 10:00:00 71,040 ------w C:\WINDOWS\system32\drivers\_003237_.tmp.dll - 2008-08-09 04:52:11 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-08-09 17:54:52 66,662 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-08-09 04:52:11 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-08-09 17:54:52 414,008 ----a-w C:\WINDOWS\system32\perfh009.dat + 2004-08-04 10:00:00 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\[u]0[/u]017\DriverFiles\i386\intelppm.sys . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 11:26 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 07:03 81920] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016] "BuildBU"="c:\dell\bldbubg.exe" [2005-08-12 22:13 61440] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-19 17:03 180269] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688] "BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592] "SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152] "ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440] "masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25 634880] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "Acrobat Assistant 
8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "SprintModemUpdate"="javaw.exe" [2008-06-10 01:21 135168 C:\WINDOWS\system32\javaw.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 10:05 94208] C:\Documents and Settings\Aray\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispSettingPage"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] [BU] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\LEXPPS.EXE"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Business Attorney\\BA.EXE"= "C:\\WINDOWS\\system32\\javaw.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\Microsoft 
Office\\Office12\\OUTLOOK.EXE"= "C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\TaxCut Business 2007\\TaxCut2007.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support "47877:TCP"= 47877:TCP:azure R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02] R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30] S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42] S3 NWUSBCDFIL;Novatel Wireless Installation CD;C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys [2007-08-16 15:24] S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04] S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24] *Newly Created Service* - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DC9D8B83-C748-CEAF-A491-BB3F3900CAC0}] C:\WINDOWS\system32\svchost.exe . Contents of the 'Scheduled Tasks' folder 2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Aray.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19] . - - - - ORPHANS REMOVED - - - - HKCU-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe HKLM-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe Notify-__A - (no file) **************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-09 22:27:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . r Running Proce . C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe . ************************************************************************** . Completion time: 2008-08-09 22:46:38 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-10 02:46:12 ComboFix2.txt 2008-08-09 14:29:59 Pre-Run: 39,733,268,480 bytes free Post-Run: 39,887,470,592 bytes free 343 --- E O F --- 2008-08-10 01:50:25 In the computer knowledge rank, I'm an idiot
Response Number 13
Name: jabuck
Date: August 9, 2008 at 20:31:03 Pacific
Reply: Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET68B.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET56B.tmp
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "Run". Post a new ComboFix log and a new HijackThis log please.
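Added example (editor's code, not part of the thread and not ComboFix's own tooling): jabuck's CFScript above was assembled by hand from the "Files Created" section of the posted log, and the same log's "Reg Loading Points" section shows several protections switched off (Security Center monitoring disabled, the XP firewall's EnableFirewall set to 0, the Display settings page hidden by policy). The script below does that triage on a constructed excerpt in the same log layout: it pulls the file entries, flags the three name shapes jabuck targeted (numbered `_00NNNN_.tmp.dll` files under system32, `SETxxx.tmp` files under system32, and a 32-hex-digit `.TMP` folder directly under C:\WINDOWS), emits them as a `File::` block, and lists the weakened registry settings. The name patterns are my reading of the entries in this thread, not a published signature, and two caveats are built in: `SETxxx.tmp` is also the name SetupAPI gives a file it stages for replacement on the next boot, so a hit is a candidate for a human to review rather than a verdict, and only the top-level Security Center `Monitoring` key is checked, because a security product legitimately sets `DisableMonitoring` under its own product subkey to suppress duplicate alerts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the ComboFix log layout used in this thread; a few
# representative lines, not the poster's full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 20:35 . 2008-08-09 20:35 3,151 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-09 12:55 . 2004-08-04 06:00 71,040 --------- C:\WINDOWS\system32\drivers\_003237_.tmp.dll
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET2F1.tmp
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)
"""

# One "Files Created" entry: created-stamp . modified-stamp size attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)
# Name shapes of the entries jabuck put in the CFScript (my reading of the thread).
# SETxxx.tmp is also what SetupAPI names a file staged for replacement at next
# boot, so a hit here is a candidate for review, not a verdict.
SUSPICIOUS_NAMES = [
    re.compile(r"\\WINDOWS\\system32\\(drivers\\)?_\d{6}_\.tmp\.dll$", re.I),
    re.compile(r"\\WINDOWS\\system32\\SET[0-9A-F]{3}\.tmp$", re.I),
    re.compile(r"\\WINDOWS\\[0-9A-F]{32}\.TMP$", re.I),
]
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def parse_file_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (created, size, path) for every 'Files Created' style line."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(3), m.group(5)))
    return entries


def flagged_paths(log: str) -> List[str]:
    """Paths whose names match one of the shapes above, in log order."""
    return [path for _, _, path in parse_file_entries(log)
            if any(rx.search(path) for rx in SUSPICIOUS_NAMES)]


def build_cfscript(paths: List[str]) -> str:
    """The File:: block in the form jabuck posted: directive, then one path per line."""
    return "File::\n" + "\n".join(paths) + "\n"


def parse_registry_values(log: str) -> Dict[Tuple[str, str], str]:
    """Map (key, value name) -> raw value text from the REGEDIT4-style section."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = m.group(2).strip()
    return values


def numeric(raw: str) -> Optional[int]:
    """Decode the two numeric spellings the log uses: dword:00000001 and '0 (0x0)'."""
    m = re.match(r"dword:([0-9A-Fa-f]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)
    return int(m.group(1)) if m else None


def weakened_settings(values: Dict[Tuple[str, str], str]) -> List[str]:
    """Settings in the log that switch off or hide a Windows protection."""
    findings = []
    for (key, name), raw in values.items():
        k, n, v = key.lower(), name.lower(), numeric(raw)
        # Only the top-level Monitoring key counts: a security product sets
        # DisableMonitoring under its own subkey to stop duplicate alerts.
        if k.endswith(r"security center\monitoring") and n == "disablemonitoring" and v == 1:
            findings.append(f"Security Center monitoring disabled: [{key}]")
        elif r"firewallpolicy\standardprofile" in k and n == "enablefirewall" and v == 0:
            findings.append(f"Windows Firewall turned off: [{key}]")
        elif k.endswith(r"policies\system") and n == "nodispsettingpage" and v == 1:
            findings.append(f"Display settings page hidden by policy: [{key}]")
    return findings


if __name__ == "__main__":
    print(build_cfscript(flagged_paths(SAMPLE_LOG)))
    for finding in weakened_settings(parse_registry_values(SAMPLE_LOG)):
        print("!", finding)
```

Run it as-is to see the `File::` block for the excerpt, or swap `SAMPLE_LOG` for a full ComboFix log read from disk. The output is a review list: compare each flagged path against the earlier log (a `SETxxx.tmp` whose size and modified date match a Windows component that was being updated is servicing residue, not a dropper) before putting it in a CFScript, and treat the weakened-settings findings as things to re-enable once the cleanup is done.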
Response Number 14
Name: aray
Date: August 10, 2008 at 10:25:58 Pacific
Reply: The ComboFix log file (after I ran the program my computer went blank, blue desktop, and I had to shut it down to be able to enter it again; on restart it was OK). I'll post the HijackThis log file next.

ComboFix 08-08-09.06 - Aray 2008-08-10 12:55:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.785 [GMT -4:00]
Running from: C:\Documents and Settings\Aray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aray\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET56B.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET68B.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\_003227_.tmp.dll
C:\WINDOWS\system32\drivers\_003237_.tmp.dll
C:\WINDOWS\system32\SET2F1.tmp
C:\WINDOWS\system32\SET460.tmp
C:\WINDOWS\system32\SET4C7.tmp
C:\WINDOWS\system32\SET520.tmp
C:\WINDOWS\system32\SET568.tmp
C:\WINDOWS\system32\SET56B.tmp
C:\WINDOWS\system32\SET570.tmp
C:\WINDOWS\system32\SET573.tmp
C:\WINDOWS\system32\SET576.tmp
C:\WINDOWS\system32\SET5D4.tmp
C:\WINDOWS\system32\SET642.tmp
C:\WINDOWS\system32\SET680.tmp
C:\WINDOWS\system32\SET683.tmp
C:\WINDOWS\system32\SET687.tmp
C:\WINDOWS\system32\SET689.tmp
C:\WINDOWS\system32\SET68B.tmp
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 22:32 . 2008-08-09 22:32 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-09 22:32 . 2008-08-09 22:32 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-09 19:39 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-09 19:38 . 2007-02-28 05:08 2,136,064 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-08-09 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 02:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 02:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 01:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-09 01:53 . 2008-08-09 01:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-09 01:52 . 2008-08-09 01:52 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-08-09 01:12 . 2008-08-09 01:12 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-08 23:26 . 2008-08-09 20:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-08 22:57 . 2008-08-09 19:38 <DIR> d-------- C:\WINDOWS\EHome
2008-08-08 22:41 . 2008-04-13 20:12 8,461,312 --a------ C:\WINDOWS\system32\SET264.tmp
2008-08-08 22:40 . 2008-04-13 20:12 1,703,936 --a------ C:\WINDOWS\system32\SET321.tmp
2008-08-08 22:39 . 2008-04-13 20:11 2,843,136 --a------ C:\WINDOWS\system32\SET384.tmp
2008-08-08 22:38 . 2008-04-13 20:11 1,028,096 --a------ C:\WINDOWS\system32\SET3C9.tmp
2008-08-08 22:37 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\SET489.tmp
2008-08-08 22:36 . 2008-04-13 20:11 1,267,200 --a------ C:\WINDOWS\system32\SET514.tmp
2008-08-08 21:41 . 2008-08-09 20:09 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-05 07:06 . 2008-08-05 07:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-05 07:05 . 2008-08-05 07:07 <DIR> d-------- C:\Documents and Settings\Aray\.housecall6.6
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\PlayFirst
2008-07-26 14:56 . 2008-07-26 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-12 14:39 . 2008-07-12 14:39 <DIR> d-------- C:\Documents and Settings\Aray\Saved Games
2008-07-12 14:36 . 2008-07-12 14:36 <DIR> d-------- C:\Documents and Settings\Aray\Application Data\iWin
2008-07-12 14:21 . 2008-08-05 12:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 13:48 . 2007-12-17 21:27 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-07-12 13:48 . 2007-12-17 21:27 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-07-12 13:48 . 2007-12-17 21:27 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 23:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-09 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 16:13 --------- d-----w C:\Program Files\Dell Support Center
2008-08-09 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-09 05:56 --------- d-----w C:\Program Files\Java
2008-08-09 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 02:15 --------- d-----w C:\Program Files\Intel
2008-08-09 02:13 --------- d-----w C:\Program Files\Real
2008-08-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-09 01:49 --------- d-----w C:\Program Files\Google
2008-08-08 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-05 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 20:37 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-04 18:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-04 17:05 --------- d-----w C:\Documents and Settings\Aray\Application Data\Azureus
2008-08-03 16:41 --------- d-----w C:\Program Files\ComcastToolbar
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-12 17:48 --------- d-----w C:\Program Files\Azureus
2008-07-06 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-07-05 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 23:20 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-13 21:34 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-13 21:34 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-13 21:34 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-13 21:34 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-13 21:34 --------- d-----w C:\Program Files\Symantec
2008-06-13 21:20 --------- d-----w C:\Documents and Settings\Aray\Application Data\Symantec
2008-06-13 21:17 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WI