|
| Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free! |
lots of pos##.tmp file Red X on H.D
|
Original Message
|
Name: spockie
Date: February 4, 2008 at 14:18:46 Pacific
Subject: lots of pos##.tmp file Red X on H.DOS: XPCPU/Ram: 1.66/512mbManufacturer/Model: Dell/Inspiron 6400 |
Comment: I have about 8000 pos##.tmp files and a red x on my hard drive.
Can someone help me get rid on these files
Thanks Looking for a community website
www.bluefiregroup.com
Report Offensive Message For Removal
|
|
Response Number 1
|
Name: jabuck
Date: February 4, 2008 at 20:08:38 Pacific
|
Reply: Go to the this link: Disable Realtime Protection Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files. Please download Atribune's VundoFix.exe from the following site to your desktop: Vundofix.exe Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files,
click "yes". Once you click yes, your desktop will go blank as it starts removing
Vundo. When completed, it will prompt that it will reboot your computer,
click "ok". Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
 Report Offensive Follow Up For Removal
|
|
Response Number 2
|
Name: spockie
Date: February 5, 2008 at 12:48:09 Pacific
|
Reply: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:27 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\stunnel\stunnel-4.07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Delroy Gill\Desktop\dss.exe
C:\DOCUME~1\DELROY~1\Desktop\Delroy Gill.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nonstopneighbors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {30c33949-2878-85ba-ccd4-b45551e3eb43} - {34be3e15-554b-4dcc-ab58-878294933c03} - C:\WINDOWS\system32\qudcflci.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Shortcut to stunnel-4.07.lnk = C:\stunnel\stunnel-4.07.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/Slide...
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - http://www.devalvr.com/instalacion/...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3bet...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driver...
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hp...
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: urqnkij - urqnkij.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE --
End of file - 12452 bytes
----------------
ComboFix 08-02.05.3 - Delroy Gill 2008-02-05 12:28:36.1 - NTFSx86
Running from: C:\Documents and Settings\Delroy Gill\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
. ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
. C:\Documents and Settings\Delroy Gill\Application Data\macromedia\Flash Player\#SharedObjects\3LET6G2N\www.broadcaster.com
C:\Documents and Settings\Delroy Gill\Application Data\macromedia\Flash Player\#SharedObjects\3LET6G2N\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Delroy Gill\Application Data\macromedia\Flash Player\#SharedObjects\3LET6G2N\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Delroy Gill\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Delroy Gill\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\effqmibx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\osybylfm.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wyadd.ini2 .
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
. 2008-02-04 14:39 . 2008-02-04 14:39 <DIR> d-------- C:\Deckard
2008-02-04 14:32 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-04 11:03 . 2008-02-04 13:18 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:34 . 2008-01-31 12:34 <DIR> d-------- C:\WINDOWS\Sun
2008-01-31 09:48 . 2008-01-31 09:48 <DIR> d-------- C:\Documents and Settings\Delroy Gill\Application Data\Pmcc
2008-01-30 11:11 . 2008-01-30 11:11 <DIR> d-------- C:\Program Files\Pmcc
2008-01-30 10:35 . 2008-01-30 10:34 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-23 10:07 . 2008-02-04 13:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 10:07 . 2008-01-23 10:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 10:05 . 2008-01-23 10:05 <DIR> d-------- C:\Program Files\iPod
2008-01-23 10:04 . 2008-01-23 10:04 <DIR> d-------- C:\Program Files\Bonjour
2008-01-22 21:23 . 2008-01-22 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-21 14:01 . 2008-01-21 14:01 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-21 13:29 . 2008-01-21 13:29 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-17 22:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 21:49 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\btodejykdaql.sys
2008-01-17 20:04 . 2008-01-18 00:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 20:04 . 2008-01-17 20:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-17 20:04 . 2008-01-17 20:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-17 20:04 . 2008-01-17 20:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Program Files\Common Files\Zeepe Framework 7
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-01-16 20:57 . 2008-02-03 23:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-16 20:57 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-16 20:57 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-16 20:57 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-16 20:57 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-16 20:57 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-16 20:44 . 2008-02-05 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-13 19:41 . 2008-02-01 09:34 <DIR> d-------- C:\Documents and Settings\Delroy Gill\.housecall6.6
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 16:10 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-13 16:05 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 16:05 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 16:05 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-13 16:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-13 15:59 . 2008-01-13 16:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-13 15:57 . 2008-01-13 16:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-13 12:55 . 2008-02-05 12:42 4,704,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-13 12:55 . 2008-02-05 12:39 56,156 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-13 12:53 . 2008-01-13 12:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-13 12:26 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-13 12:25 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-11 20:15 . 2008-01-13 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-11 10:50 . 2008-01-12 18:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-11 10:50 . 2008-01-12 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-10 09:52 . 2008-01-12 17:02 <DIR> d-------- C:\Program Files\Enigma Software Group .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 17:23 --------- d-----w C:\Program Files\support.com
2008-01-31 17:23 --------- d-----w C:\Program Files\QuickTime
2008-01-31 17:23 --------- d-----w C:\Program Files\OfficeUpdate11
2008-01-31 17:23 --------- d-----w C:\Program Files\Modem Helper
2008-01-31 17:23 --------- d-----w C:\Program Files\LogMeIn
2008-01-31 17:23 --------- d-----w C:\Program Files\DivX
2008-01-31 17:23 --------- d-----w C:\Program Files\Dell
2008-01-31 17:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-31 17:20 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\Nokia
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\DivX
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-30 17:59 --------- d-----w C:\Program Files\Broadcom
2008-01-24 03:00 1,239,040 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 19:55 --------- d-----w C:\Program Files\Windows Defender
2008-01-23 17:37 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-23 17:06 --------- d-----w C:\Program Files\iTunes
2008-01-23 04:58 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-23 04:32 2,931,712 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-22 16:27 1,474,048 ----a-w C:\WINDOWS\Internet Logs\xDB1A2.tmp
2008-01-18 16:17 --------- d-----w C:\Program Files\McAfee
2008-01-18 06:38 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-18 06:33 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-18 06:29 --------- d-----w C:\Program Files\BAE
2008-01-17 05:52 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-17 03:45 --------- d-----w C:\Program Files\Google
2008-01-16 06:17 1,391,616 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-15 18:12 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-14 17:18 144,896 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-14 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-13 19:07 --------- d-----w C:\Program Files\Picture Resize
2008-01-13 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-13 18:44 --------- d-----w C:\Program Files\DevalVR
2008-01-11 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 23:41 --------- d-----w C:\Program Files\DellSupport
2007-12-31 21:59 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\HP
2007-12-31 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-31 21:33 --------- d-----w C:\Program Files\Common Files\HP
2007-12-31 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-25 18:18 --------- d-----w C:\Program Files\Java
2007-05-23 16:34 16,023,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_10_28_01_full.dmp.zip
2007-05-23 16:32 21,869,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_08_06_01_full.dmp.zip
2007-01-22 23:26 88,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_37_small.dmp.zip
2007-01-22 23:26 81,367 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_33_small.dmp.zip
2006-11-27 18:43 74,808 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_25_18_39_42_small.dmp.zip
2006-09-13 23:28 92,396 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_13_07_56_00_small.dmp.zip
2006-09-06 17:45 92,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_06_06_48_35_small.dmp.zip
2006-04-13 18:27 3,167,744 ----a-w C:\Documents and Settings\Delroy Gill\gosetup.exe
.
[code]
----a-w 49,152 2008-01-08 21:56:11 C:\dell\E-Center\gtb .exe
----a-w 39,792 2008-01-04 20:17:43 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 31,816 2007-12-30 06:46:30 C:\Program Files\Citrix\GoToMeeting\198\g2mstart .exe
----a-w 198,184 2008-01-04 20:17:53 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd .exe
----a-w 81,920 2008-01-04 20:17:14 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 36,040 2008-01-08 16:51:05 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 49,152 2008-01-04 20:17:09 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 460,784 2008-01-04 20:18:17 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 256,576 2008-01-16 16:43:49 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-04 20:16:54 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 303,856 2008-01-04 20:17:25 C:\Program Files\LogMeIn\LogMeInSystray .exe
----a-w 1,121,792 2008-01-16 16:43:47 C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:36 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:06 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2008-01-12 23:58:39 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 761,947 2008-01-04 20:17:05 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 866,584 2008-01-16 16:43:50 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w 15,360 2008-01-17 00:36:51 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2008-01-04 20:16:49 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-04 20:16:51 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-04 20:16:48 C:\WINDOWS\system32\igfxtray .exe
----a-w 1,347,584 2008-01-09 19:52:12 C:\WINDOWS\system32\WLTRAY .exe
[/code]
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34be3e15-554b-4dcc-ab58-878294933c03}]
C:\WINDOWS\system32\qudcflci.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-13 12:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-13 12:53 262144] [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2008-01-09 14:10 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 20:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"@"="" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-16 17:36 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 04:00 388608] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-09 10:01 36040] C:\Documents and Settings\Delroy Gill\Start Menu\Programs\Startup\
Shortcut to stunnel-4.07.lnk - C:\stunnel\stunnel-4.07.exe [2006-12-10 16:54:10 78336] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-30 16:20:53 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-16 20:44:26 124400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnkij]
urqnkij.dll R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-08-09 11:11]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2006-07-21 12:15] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3679b7f3-a804-11db-962b-0015c504b1b6}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe .
Contents of the 'Scheduled Tasks' folder
"2008-02-01 03:03:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-04-08 18:06:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-05 03:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELROY-Delroy Gill).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-15 08:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-13 23:02:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 12:42:22
Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully
hidden files: 0 **************************************************************************
.
r Running Proce
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-05 12:47:38 - machine was rebooted [Delroy Gill]
ComboFix-quarantined-files.txt 2008-02-05 19:47:30
.
2008-01-23 10:01:37 --- E O F ---
Report Offensive Follow Up For Removal
|
|
Response Number 3
|
Name: jabuck
Date: February 5, 2008 at 17:52:17 Pacific
|
Reply: Open Notepad and copy/paste everything between the X"s into it and make sure "RenV::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV:: ----a-w 49,152 2008-01-08 21:56:11 C:\dell\E-Center\gtb .exe
----a-w 39,792 2008-01-04 20:17:43 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 31,816 2007-12-30 06:46:30 C:\Program Files\Citrix\GoToMeeting\198\g2mstart .exe
----a-w 198,184 2008-01-04 20:17:53 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd .exe
----a-w 81,920 2008-01-04 20:17:14 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 36,040 2008-01-08 16:51:05 C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 49,152 2008-01-04 20:17:09 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 460,784 2008-01-04 20:18:17 C:\Program Files\DellSupport\DSAgnt .exe
----a-w 256,576 2008-01-16 16:43:49 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-04 20:16:54 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 303,856 2008-01-04 20:17:25 C:\Program Files\LogMeIn\LogMeInSystray .exe
----a-w 1,121,792 2008-01-16 16:43:47 C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:36 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:06 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2008-01-12 23:58:39 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 761,947 2008-01-04 20:17:05 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 866,584 2008-01-16 16:43:50 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w 15,360 2008-01-17 00:36:51 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2008-01-04 20:16:49 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-04 20:16:51 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-04 20:16:48 C:\WINDOWS\system32\igfxtray .exe
----a-w 1,347,584 2008-01-09 19:52:12 C:\WINDOWS\system32\WLTRAY .exe File::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\qudcflci.dll
C:\Program Files\BAE\BAE.dll
Driver::
urqnkij Folder::
C:\Program Files\BAE
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnkij]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34be3e15-554b-4dcc-ab58-878294933c03}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Please go to Virus Total and upload the following file for analysis: C:\WINDOWS\system32\drivers\btodejykdaql.sys
Post the results in your reply.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link:
ATF Cleaner
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply. Post a new Combofix log.
Report Offensive Follow Up For Removal
|
|
Response Number 4
|
Name: spockie
Date: February 6, 2008 at 21:28:15 Pacific
|
Reply: ---------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 10:26:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 552902
--------------------- Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true Scan Target - Memory: Scan Statistics:
Total number of scanned objects: 2732
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:01:29 Infected Object Name / Virus Name / Last Action
[872] winlogon.exe => C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped Scan process completed. ___________________________ ComboFix 08-02.05.3 - Delroy Gill 2008-02-06 16:10:34.2 - NTFSx86
Running from: C:\Documents and Settings\Delroy Gill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Delroy Gill\Desktop\CFScript.txt
* Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE
C:\Program Files\BAE\BAE.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\qudcflci.dll
C:\WINDOWS\system32\Uninstall.ico
. ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
. C:\Program Files\BAE
C:\Program Files\BAE\BAE.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico .
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
. 2008-02-05 12:25 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-04 14:39 . 2008-02-04 14:39 <DIR> d-------- C:\Deckard
2008-02-04 11:03 . 2008-02-04 13:18 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:34 . 2008-01-31 12:34 <DIR> d-------- C:\WINDOWS\Sun
2008-01-31 09:48 . 2008-01-31 09:48 <DIR> d-------- C:\Documents and Settings\Delroy Gill\Application Data\Pmcc
2008-01-30 11:11 . 2008-01-30 11:11 <DIR> d-------- C:\Program Files\Pmcc
2008-01-30 10:35 . 2008-01-30 10:34 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-23 10:07 . 2008-02-05 18:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 10:07 . 2008-01-23 10:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 10:05 . 2008-01-23 10:05 <DIR> d-------- C:\Program Files\iPod
2008-01-23 10:04 . 2008-01-23 10:04 <DIR> d-------- C:\Program Files\Bonjour
2008-01-22 21:23 . 2008-01-22 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-21 14:01 . 2008-01-21 14:01 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-21 13:29 . 2008-01-21 13:29 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-17 22:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 21:49 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\btodejykdaql.sys
2008-01-17 20:04 . 2008-01-18 00:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Program Files\Common Files\Zeepe Framework 7
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-01-16 20:57 . 2008-02-03 23:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-16 20:57 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-16 20:57 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-16 20:57 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-16 20:57 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-16 20:57 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-16 20:44 . 2008-02-06 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-13 19:41 . 2008-02-01 09:34 <DIR> d-------- C:\Documents and Settings\Delroy Gill\.housecall6.6
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-13 16:10 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-13 16:05 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 16:05 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 16:05 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-13 16:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-13 15:59 . 2008-01-13 16:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-13 15:57 . 2008-01-13 16:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-13 12:55 . 2008-02-06 16:21 4,847,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-13 12:55 . 2008-02-06 16:19 57,836 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-13 12:53 . 2008-01-13 12:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-13 12:26 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-13 12:25 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-11 20:15 . 2008-01-13 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-11 10:50 . 2008-02-06 16:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-11 10:50 . 2008-01-12 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-10 09:52 . 2008-01-12 17:02 <DIR> d-------- C:\Program Files\Enigma Software Group .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 23:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-06 23:19 --------- d-----w C:\Program Files\iTunes
2008-02-06 23:10 --------- d-----w C:\Program Files\Windows Defender
2008-02-06 23:10 --------- d-----w C:\Program Files\QuickTime
2008-02-06 23:09 --------- d-----w C:\Program Files\LogMeIn
2008-02-06 23:09 --------- d-----w C:\Program Files\DellSupport
2008-01-31 17:23 --------- d-----w C:\Program Files\support.com
2008-01-31 17:23 --------- d-----w C:\Program Files\OfficeUpdate11
2008-01-31 17:23 --------- d-----w C:\Program Files\Modem Helper
2008-01-31 17:23 --------- d-----w C:\Program Files\DivX
2008-01-31 17:23 --------- d-----w C:\Program Files\Dell
2008-01-31 17:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-31 17:20 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\Nokia
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\DivX
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-30 17:59 --------- d-----w C:\Program Files\Broadcom
2008-01-24 03:00 1,239,040 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 17:37 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-23 04:58 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-23 04:32 2,931,712 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-22 16:27 1,474,048 ----a-w C:\WINDOWS\Internet Logs\xDB1A2.tmp
2008-01-18 16:17 --------- d-----w C:\Program Files\McAfee
2008-01-18 06:33 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-17 05:52 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-17 03:45 --------- d-----w C:\Program Files\Google
2008-01-16 06:17 1,391,616 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-15 18:12 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-14 17:18 144,896 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-14 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-13 19:07 --------- d-----w C:\Program Files\Picture Resize
2008-01-13 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-13 18:44 --------- d-----w C:\Program Files\DevalVR
2008-01-11 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 21:59 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\HP
2007-12-31 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-31 21:33 --------- d-----w C:\Program Files\Common Files\HP
2007-12-31 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-25 18:18 --------- d-----w C:\Program Files\Java
2007-05-23 16:34 16,023,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_10_28_01_full.dmp.zip
2007-05-23 16:32 21,869,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_08_06_01_full.dmp.zip
2007-01-22 23:26 88,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_37_small.dmp.zip
2007-01-22 23:26 81,367 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_33_small.dmp.zip
2006-11-27 18:43 74,808 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_25_18_39_42_small.dmp.zip
2006-09-13 23:28 92,396 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_13_07_56_00_small.dmp.zip
2006-09-06 17:45 92,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_06_06_48_35_small.dmp.zip
2006-04-13 18:27 3,167,744 ----a-w C:\Documents and Settings\Delroy Gill\gosetup.exe
.
[code]
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
[/code]
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-13 12:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-13 12:53 262144] [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2008-01-09 14:10 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-16 17:36 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 20:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-04 13:17 761947]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-16 17:36 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-09 14:13 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 09:43 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-08 09:51 36040] C:\Documents and Settings\Delroy Gill\Start Menu\Programs\Startup\
Shortcut to stunnel-4.07.lnk - C:\stunnel\stunnel-4.07.exe [2006-12-10 16:54:10 78336] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-30 16:20:53 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-16 20:44:26 124400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-08-09 11:11]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2006-07-21 12:15] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3679b7f3-a804-11db-962b-0015c504b1b6}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe .
Contents of the 'Scheduled Tasks' folder
"2008-02-01 03:03:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-04-08 18:06:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-06 03:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELROY-Delroy Gill).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-15 08:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-13 23:02:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 16:21:49
Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully
hidden files: 0 **************************************************************************
.
r Running Proce
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-06 16:31:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 23:31:44
ComboFix2.txt 2008-02-05 19:47:38
.
2008-01-23 10:01:37 --- E O F ---
Report Offensive Follow Up For Removal
|
|
Response Number 5
|
Name: jabuck
Date: February 7, 2008 at 03:22:44 Pacific
|
Reply: Please go to Virus Total and upload the following file for analysis:
C:\WINDOWS\system32\drivers\btodejykdaql.sys
Post the results in your reply.
Report Offensive Follow Up For Removal
|
|
Response Number 6
|
Name: spockie
Date: February 7, 2008 at 11:26:40 Pacific
|
Reply: File btodejykdaql.sys received on 02.07.2008 20:28:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.07 -
Authentium 4.93.8 2008.02.06 -
Avast 4.7.1098.0 2008.02.06 -
AVG 7.5.0.516 2008.02.07 -
BitDefender 7.2 2008.02.07 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.07 -
DrWeb 4.44.0.09170 2008.02.07 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5518 2008.02.07 -
Ewido 4.0 2008.02.07 -
FileAdvisor 1 2008.02.07 -
Fortinet 3.14.0.0 2008.02.07 -
F-Prot 4.4.2.54 2008.02.07 -
F-Secure 6.70.13260.0 2008.02.07 -
Ikarus T3.1.1.20 2008.02.07 -
Kaspersky 7.0.0.125 2008.02.07 -
McAfee 5225 2008.02.07 -
Microsoft 1.3204 2008.02.07 -
NOD32v2 2856 2008.02.07 -
Norman 5.80.02 2008.02.07 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.07 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.07 -
Symantec 10 2008.02.07 -
TheHacker 6.2.9.211 2008.02.06 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.07 -
Webwasher-Gateway 6.6.2 2008.02.07 -
Additional information
File size: 8576 bytes
MD5: d7dbfbc453b645111e6d21142305e80b
SHA1: e134b78030cfca8dbfd0af144193fc445db86572
PEiD: -
Report Offensive Follow Up For Removal
|
|
Response Number 7
|
Name: jabuck
Date: February 7, 2008 at 14:46:45 Pacific
|
Reply: make sure spysweeper is turned off, then go offline and turn off mcafee. Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe File::
C:\WINDOWS\system32\drivers\btodejykdaql.sys
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Restart the computer and make sure Mcafee started before you go online. Post a new Combofix log please.
Report Offensive Follow Up For Removal
|
|
Response Number 8
|
Name: spockie
Date: February 7, 2008 at 22:53:29 Pacific
|
Reply: ComboFix 08-02.05.3 - Delroy Gill 2008-02-07 17:13:00.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -7:00]
Running from: C:\Documents and Settings\Delroy Gill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Delroy Gill\Desktop\CFScript.txt
* Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE
C:\WINDOWS\system32\drivers\btodejykdaql.sys
. ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
. 2008-02-07 16:30 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-07 16:11 . 2008-02-07 16:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 16:11 . 2008-02-07 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 14:17 . 2008-02-07 14:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-06 21:59 . 2008-02-06 21:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-06 21:59 . 2008-02-06 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 14:39 . 2008-02-04 14:39 <DIR> d-------- C:\Deckard
2008-02-04 11:03 . 2008-02-04 13:18 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:34 . 2008-01-31 12:34 <DIR> d-------- C:\WINDOWS\Sun
2008-01-31 09:48 . 2008-01-31 09:48 <DIR> d-------- C:\Documents and Settings\Delroy Gill\Application Data\Pmcc
2008-01-30 11:11 . 2008-01-30 11:11 <DIR> d-------- C:\Program Files\Pmcc
2008-01-30 10:35 . 2008-01-30 10:34 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-23 10:05 . 2008-01-23 10:05 <DIR> d-------- C:\Program Files\iPod
2008-01-23 10:04 . 2008-01-23 10:04 <DIR> d-------- C:\Program Files\Bonjour
2008-01-22 21:23 . 2008-01-22 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-21 14:01 . 2008-01-21 14:01 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-21 13:29 . 2008-01-21 13:29 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-17 22:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 20:04 . 2008-01-18 00:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Program Files\Common Files\Zeepe Framework 7
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-01-16 20:57 . 2008-02-03 23:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-16 20:57 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-16 20:57 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-16 20:57 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-16 20:57 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-16 20:57 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-16 20:44 . 2008-02-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-13 19:41 . 2008-02-01 09:34 <DIR> d-------- C:\Documents and Settings\Delroy Gill\.housecall6.6
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-13 16:10 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-13 16:05 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 16:05 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 16:05 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-13 16:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-13 15:59 . 2008-01-13 16:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-13 15:57 . 2008-01-13 16:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-13 12:55 . 2008-02-07 17:18 5,042,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-13 12:55 . 2008-02-07 16:47 59,876 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-13 12:53 . 2008-01-13 12:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-13 12:26 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-13 12:25 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-11 20:15 . 2008-01-13 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-11 10:50 . 2008-01-12 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-10 09:52 . 2008-01-12 17:02 <DIR> d-------- C:\Program Files\Enigma Software Group .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 23:48 1,384,950 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-06 23:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-06 23:19 --------- d-----w C:\Program Files\iTunes
2008-02-06 23:10 --------- d-----w C:\Program Files\Windows Defender
2008-02-06 23:10 --------- d-----w C:\Program Files\QuickTime
2008-02-06 23:09 --------- d-----w C:\Program Files\LogMeIn
2008-02-06 23:09 --------- d-----w C:\Program Files\DellSupport
2008-01-31 17:23 --------- d-----w C:\Program Files\support.com
2008-01-31 17:23 --------- d-----w C:\Program Files\OfficeUpdate11
2008-01-31 17:23 --------- d-----w C:\Program Files\Modem Helper
2008-01-31 17:23 --------- d-----w C:\Program Files\DivX
2008-01-31 17:23 --------- d-----w C:\Program Files\Dell
2008-01-31 17:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-31 17:20 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\Nokia
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\DivX
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-30 17:59 --------- d-----w C:\Program Files\Broadcom
2008-01-24 03:00 1,239,040 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 17:37 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-23 04:58 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-23 04:32 2,931,712 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-22 16:27 1,474,048 ----a-w C:\WINDOWS\Internet Logs\xDB1A2.tmp
2008-01-18 16:17 --------- d-----w C:\Program Files\McAfee
2008-01-18 06:33 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-17 05:52 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-17 03:45 --------- d-----w C:\Program Files\Google
2008-01-16 06:17 1,391,616 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-15 18:12 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-14 17:18 144,896 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-14 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-13 22:15 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-13 19:07 --------- d-----w C:\Program Files\Picture Resize
2008-01-13 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-13 18:44 --------- d-----w C:\Program Files\DevalVR
2008-01-11 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 19:52 1,347,584 ----a-w C:\WINDOWS\system32\WLTRAY.exe
2008-01-04 20:16 98,304 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-04 20:16 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-04 20:16 118,784 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-31 21:59 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\HP
2007-12-31 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-31 21:33 --------- d-----w C:\Program Files\Common Files\HP
2007-12-31 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-29 07:05 111,831 ----a-w C:\WINDOWS\system32\ope109.exe
2007-12-29 07:04 352,410 ----a-w C:\WINDOWS\system32\opeFF.exe
2007-12-25 18:18 --------- d-----w C:\Program Files\Java
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-05-23 16:34 16,023,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_10_28_01_full.dmp.zip
2007-05-23 16:32 21,869,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_08_06_01_full.dmp.zip
2007-01-22 23:26 88,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_37_small.dmp.zip
2007-01-22 23:26 81,367 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_33_small.dmp.zip
2006-11-27 18:43 74,808 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_25_18_39_42_small.dmp.zip
2006-09-13 23:28 92,396 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_13_07_56_00_small.dmp.zip
2006-09-06 17:45 92,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_06_06_48_35_small.dmp.zip
2006-04-13 18:27 3,167,744 ----a-w C:\Documents and Settings\Delroy Gill\gosetup.exe
.
[code]
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
[/code]
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-13 12:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-13 12:53 262144] [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2008-01-09 14:10 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-16 17:36 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 20:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-04 13:17 761947]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-16 17:36 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-09 14:13 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 09:43 256576] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-08 09:51 36040] C:\Documents and Settings\Delroy Gill\Start Menu\Programs\Startup\
Shortcut to stunnel-4.07.lnk - C:\stunnel\stunnel-4.07.exe [2006-12-10 16:54:10 78336] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-30 16:20:53 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-16 20:44:26 124400] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-08-09 11:11]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2006-07-21 12:15] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3679b7f3-a804-11db-962b-0015c504b1b6}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe .
Contents of the 'Scheduled Tasks' folder
"2008-02-01 03:03:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-04-08 18:06:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-02-07 03:30:02 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELROY-Delroy Gill).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-15 08:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-13 23:02:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 17:18:46
Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully
hidden files: 0 **************************************************************************
.
Completion time: 2008-02-07 17:19:54
ComboFix-quarantined-files.txt 2008-02-08 00:19:43
ComboFix2.txt 2008-02-07 23:38:14
ComboFix3.txt 2008-02-06 23:31:53
ComboFix4.txt 2008-02-05 19:47:38
.
2008-01-23 10:01:37 --- E O F ---
Report Offensive Follow Up For Removal
|
|
Response Number 9
|
Name: jabuck
Date: February 8, 2008 at 03:41:57 Pacific
|
Reply: Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log.
Report Offensive Follow Up For Removal
|
|
Response Number 10
|
Name: spockie
Date: February 15, 2008 at 15:09:40 Pacific
|
Reply: ComboFix 08-02.05.3 - Delroy Gill 2008-02-08 15:04:32.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT -7:00]
Running from: C:\Documents and Settings\Delroy Gill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Delroy Gill\Desktop\CFScript.txt
* Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
. ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
. 2008-02-07 16:43 . 2004-08-04 04:00 388,608 --a------ C:\kmd.exe
2008-02-07 16:11 . 2008-02-07 16:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 16:11 . 2008-02-07 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 14:17 . 2008-02-07 14:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-06 21:59 . 2008-02-06 21:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-06 21:59 . 2008-02-06 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 14:39 . 2008-02-04 14:39 <DIR> d-------- C:\Deckard
2008-02-04 11:03 . 2008-02-08 10:24 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:34 . 2008-01-31 12:34 <DIR> d-------- C:\WINDOWS\Sun
2008-01-31 09:48 . 2008-01-31 09:48 <DIR> d-------- C:\Documents and Settings\Delroy Gill\Application Data\Pmcc
2008-01-30 11:11 . 2008-01-30 11:11 <DIR> d-------- C:\Program Files\Pmcc
2008-01-30 10:35 . 2008-01-30 10:34 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-23 10:05 . 2008-01-23 10:05 <DIR> d-------- C:\Program Files\iPod
2008-01-23 10:04 . 2008-01-23 10:04 <DIR> d-------- C:\Program Files\Bonjour
2008-01-22 21:23 . 2008-01-22 21:23 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-21 14:01 . 2008-01-21 14:01 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-21 13:29 . 2008-01-21 13:29 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-17 22:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 20:04 . 2008-01-18 00:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Program Files\Common Files\Zeepe Framework 7
2008-01-17 16:04 . 2008-01-17 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-01-16 20:57 . 2008-02-03 23:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-16 20:57 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-16 20:57 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-16 20:57 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-16 20:57 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-16 20:57 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-16 20:44 . 2008-02-08 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-13 19:41 . 2008-02-01 09:34 <DIR> d-------- C:\Documents and Settings\Delroy Gill\.housecall6.6
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 16:59 . 2008-01-16 17:36 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-13 16:10 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-13 16:05 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-13 16:05 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-13 16:05 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-13 16:05 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-13 16:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-13 15:59 . 2008-01-13 16:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-13 15:57 . 2008-01-13 16:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-13 12:55 . 2008-02-08 15:11 5,328,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-13 12:55 . 2008-02-08 10:32 62,612 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-13 12:53 . 2008-01-13 12:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-13 12:26 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-13 12:25 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-11 20:15 . 2008-01-13 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-11 10:50 . 2008-01-12 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-10 09:52 . 2008-01-12 17:02 <DIR> d-------- C:\Program Files\Enigma Software Group .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 23:48 1,384,950 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-06 23:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-06 23:19 --------- d-----w C:\Program Files\iTunes
2008-02-06 23:10 --------- d-----w C:\Program Files\Windows Defender
2008-02-06 23:10 --------- d-----w C:\Program Files\QuickTime
2008-02-06 23:09 --------- d-----w C:\Program Files\LogMeIn
2008-02-06 23:09 --------- d-----w C:\Program Files\DellSupport
2008-01-31 17:23 --------- d-----w C:\Program Files\support.com
2008-01-31 17:23 --------- d-----w C:\Program Files\OfficeUpdate11
2008-01-31 17:23 --------- d-----w C:\Program Files\Modem Helper
2008-01-31 17:23 --------- d-----w C:\Program Files\DivX
2008-01-31 17:23 --------- d-----w C:\Program Files\Dell
2008-01-31 17:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-31 17:20 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\Nokia
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\DivX
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-31 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-30 17:59 --------- d-----w C:\Program Files\Broadcom
2008-01-24 03:00 1,239,040 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 17:37 230,400 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-23 04:58 72,192 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-23 04:32 2,931,712 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-22 16:27 1,474,048 ----a-w C:\WINDOWS\Internet Logs\xDB1A2.tmp
2008-01-18 16:17 --------- d-----w C:\Program Files\McAfee
2008-01-18 06:33 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-17 05:52 68,608 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-17 03:45 --------- d-----w C:\Program Files\Google
2008-01-16 06:17 1,391,616 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-15 18:12 134,656 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-14 17:18 144,896 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-14 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 23:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-13 22:15 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-13 19:07 --------- d-----w C:\Program Files\Picture Resize
2008-01-13 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-13 18:44 --------- d-----w C:\Program Files\DevalVR
2008-01-11 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 19:52 1,347,584 ----a-w C:\WINDOWS\system32\WLTRAY.exe
2008-01-04 20:16 98,304 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-04 20:16 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-04 20:16 118,784 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-31 21:59 --------- d-----w C:\Documents and Settings\Delroy Gill\Application Data\HP
2007-12-31 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-31 21:33 --------- d-----w C:\Program Files\Common Files\HP
2007-12-31 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-29 07:05 111,831 ----a-w C:\WINDOWS\system32\ope109.exe
2007-12-29 07:04 352,410 ----a-w C:\WINDOWS\system32\opeFF.exe
2007-12-25 18:18 --------- d-----w C:\Program Files\Java
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-05-23 16:34 16,023,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_10_28_01_full.dmp.zip
2007-05-23 16:32 21,869,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_23_08_06_01_full.dmp.zip
2007-01-22 23:26 88,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_37_small.dmp.zip
2007-01-22 23:26 81,367 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_01_21_14_02_33_small.dmp.zip
2006-11-27 18:43 74,808 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_11_25_18_39_42_small.dmp.zip
2006-09-13 23:28 92,396 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_13_07_56_00_small.dmp.zip
2006-09-06 17:45 92,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_06_06_48_35_small.dmp.zip
2006-04-13 18:27 3,167,744 ----a-w C:\Documents and Settings\Delroy Gill\gosetup.exe
.
[code]
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:41 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2008-01-09 21:04:42 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 1,289,000 2008-01-09 21:10:28 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:31 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:33 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:34 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 1,289,000 2008-01-09 21:10:35 C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 286,720 2008-01-09 21:13:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 919,016 2008-01-13 19:01:37 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
[/code]
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-13 12:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-13 12:53 262144] [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2008-01-09 14:10 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-16 17:36 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 20:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-04 13:17 761947]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-16 17:36 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-09 14:13 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 09:43 256576] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-01-08 09:51 36040] C:\Documents and Settings\Delroy Gill\Start Menu\Programs\Startup\
Shortcut to stunnel-4.07.lnk - C:\stunnel\stunnel-4.07.exe [2006-12-10 16:54:10 78336] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-30 16:20:53 24
| |
