Unable To Access Antivirus Websites

February 26, 2009 at 12:45:37
Specs: Windows XP
Hi Guys,

I am unable to access any anti-virus or Microsoft website from my PC.
C:\WINDOWS\system32\drivers\etc\HOSTS doesn't contain any suspicious entries.

please help me :)

Regards,
Naveed.

edited by moderator: Log Removal
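The HOSTS check the poster describes is the first thing to do when security vendor sites stop loading, and it is easy to get wrong by eye: hijacked entries are often pushed below dozens of blank lines so they are off-screen in Notepad. The script below is an added example (not from the thread or any tool mentioned in it). It parses a hosts file, flags mappings for a constructed watch-list of vendor domains that point at loopback or at some other address, and flags entries hidden behind long runs of blank lines. The sample file content is constructed; to check a real XP machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to suspicious_entries().

```python
"""Check a Windows HOSTS file for entries that block or redirect security vendor sites."""
import ipaddress

# Watch-list of domains whose redirection is a classic symptom of malware blocking
# AV updates. Constructed for this example; extend it for the vendors you use.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com", "avast.com",
    "malwarebytes.org", "symantec.com", "kaspersky.com", "trendmicro.com",
)
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
HIDDEN_PADDING = 20   # an entry after this many blank lines was probably hidden on purpose


def parse_hosts(text):
    """Yield (line_no, ip, hostname, blank_run) for every mapping in a hosts file.

    blank_run is the number of consecutive blank lines immediately before the entry.
    """
    blank_run = 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            blank_run += 1
            continue
        body = stripped.split("#", 1)[0].strip()   # drop trailing comments
        if not body:                                # comment-only line, not a mapping
            continue
        fields = body.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower(), blank_run
        blank_run = 0


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return findings as (line_no, ip, hostname, reason) tuples, in file order."""
    findings = []
    for line_no, ip, name, blank_run in parse_hosts(text):
        if name == "localhost":
            continue
        reasons = []
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            reasons.append("malformed address")
        if is_watched(name):
            if ip in SINKHOLE_ADDRESSES:
                reasons.append("security site sinkholed to loopback/null address")
            else:
                reasons.append("security site redirected to %s" % ip)
        if blank_run >= HIDDEN_PADDING:
            reasons.append("entry hidden after %d blank lines" % blank_run)
        if reasons:
            findings.append((line_no, ip, name, "; ".join(reasons)))
    return findings


# Constructed sample: a stock XP hosts file with hijack entries pushed below
# 40 blank lines so they are not visible when the file is opened in Notepad.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40 +
    "127.0.0.1 www.mcafee.com\n"
    "127.0.0.1 update.microsoft.com windowsupdate.microsoft.com\n"
    "192.0.2.10 www.avast.com   # constructed redirect to an attacker-chosen address\n"
)

if __name__ == "__main__":
    for line_no, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, ip, reason))
```

A file that passes this check can still be bypassed by malware that uses a LSP, a proxy setting or a DNS change rather than the hosts file, which is why the replies below move on to full scans rather than stopping here.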




#1
February 26, 2009 at 14:15:06
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
February 28, 2009 at 01:01:27
Thanks for the reply....

Malwarebytes didn't find any malware.

Malwarebytes log file

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/28/2009 1:49:43 PM
mbam-log-2009-02-28 (13-49-43).txt

Scan type: Quick Scan
Objects scanned: 72446
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==============================

Hijack this log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:07 PM, on 2/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Naveed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Naveed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Naveed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Naveed\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Naveed\Desktop\blabla2.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...n/x86/client/wuweb_site.cab?1206220459000
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5703 bytes



#3
February 28, 2009 at 05:50:19
Looks like only part of a HijackThis log, as there should be some O2's, O3's and O4's.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your McAfee, Spy Sweeper antivirus, and any other real-time antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection afterwards, before connecting to the Internet.
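The point made at the top of this reply, that a log with no O2/O3/O4 entries is probably incomplete, is the kind of sanity check worth automating before anyone reads a pasted log line by line. The script below is an added example (not from the thread, and not part of HijackThis). It splits a HijackThis 2.0.x log into the running-process list and its tagged entries, reports which of the expected sections are missing, and lists processes running from outside C:\WINDOWS and C:\Program Files, which is where a reviewer looks first. The embedded sample is a constructed excerpt of the log pasted in reply #2; the expected-section list and the "usual folders" list are assumptions of this example.

```python
"""Sanity-check a HijackThis 2.0.x log before reading it entry by entry."""
import re

# HijackThis tags its findings R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# Sections the reply above expects in any complete XP log
# (O2 browser helper objects, O3 toolbars, O4 autostart entries). Assumption of this example.
EXPECTED_SECTIONS = ("O2", "O3", "O4")
# Folders a running process normally lives in on XP; anything else deserves a closer look.
USUAL_PROCESS_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Split a log into the 'Running processes' list and a dict of tag -> entries."""
    processes, entries = [], {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return {"processes": processes, "entries": entries}


def missing_sections(parsed, expected=EXPECTED_SECTIONS):
    """Expected tags that never appear: a hint the log was truncated when pasted."""
    return [tag for tag in expected if tag not in parsed["entries"]]


def unusual_processes(parsed):
    """Executables running from outside C:\\WINDOWS and C:\\Program Files (e.g. a user profile)."""
    return [p for p in parsed["processes"] if not p.lower().startswith(USUAL_PROCESS_DIRS)]


# Constructed excerpt of the log pasted in reply #2 (a few lines of each section).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:07 PM, on 2/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Documents and Settings\Naveed\Desktop\blabla2.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

--
End of file - 5703 bytes
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections present:", sorted(parsed["entries"]))
    print("expected sections missing:", missing_sections(parsed))
    print("processes outside the usual folders:", unusual_processes(parsed))
```

A process running from the Desktop or another profile folder is not evidence of infection by itself (many portable tools run that way), but it is the entry a reviewer asks about first, and a log missing all of O2, O3 and O4 should be re-posted in full rather than analysed.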



#4
February 28, 2009 at 13:40:21
I am unable to disable my anti-virus, McAfee VirusScan 8.5.0i, even with Administrator privileges. A little googling revealed that it's a bug in VirusScan which prevents the On-Access scan from being disabled, even from its menu :( and I can't get it updated since I can't access the McAfee website.

Can I use Combofix in safe mode?



#5
February 28, 2009 at 14:34:04
Combofix will run from safe mode but if McAfee is still running while you are in safe mode do not run Combofix.

If McAfee will uninstall (it may not) you may be better off uninstalling it and installing the free version of AVG or Avast. If you uninstall it: download the new AV > go offline and uninstall McAfee > install the new antivirus > update it.



#6
March 1, 2009 at 12:39:15
I just uninstalled McAfee and installed Avast Home Edition and scanned my PC.. now I can browse antivirus sites.. :)


#7
March 1, 2009 at 16:39:43
There may still be remnants of the malware on your computer. If you ran Combofix we would need the log to check your computer; it is located at C:\Combofix.txt

Also there is some clean-up that you need to do.



#8
March 2, 2009 at 00:08:40

Combo Fix log file:

ComboFix 09-02-28.01 - Naveed 2009-03-02 12:58:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2414 [GMT 5:00]
Running from: d:\setups\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090301-0] *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-01 15:21 . 2009-03-01 15:21 <DIR> d-------- c:\program files\Alwil Software
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 13:28 . 2004-08-04 03:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\scripting
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\en
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\bits
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\l2schemas
2009-02-28 13:06 . 2009-02-28 13:13 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-28 12:58 . 2009-03-02 03:01 1,355 --a------ c:\windows\imsins.BAK
2009-02-27 02:24 . 2009-02-27 02:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-27 02:24 . 2009-02-27 03:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-27 00:51 . 2009-02-27 00:52 <DIR> d-------- c:\windows\ERUNT
2009-02-27 00:40 . 2009-02-27 01:10 <DIR> d-------- C:\SDFix
2009-02-22 02:26 . 2009-02-24 02:38 <DIR> d-------- c:\program files\Vuze
2009-02-22 02:26 . 2009-02-24 02:28 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Azureus
2009-02-22 02:26 . 2009-02-22 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2009-02-16 22:58 . 2009-02-16 20:23 225,280 --a------ c:\program files\tail.exe
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\program files\Seagate
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2009-02-14 14:19 . 2009-02-14 14:19 <DIR> d--hs---- c:\windows\ftpcache
2009-02-11 08:32 . 2009-02-11 08:32 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 08:29 . 2009-02-11 08:29 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 07:45 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2009-03-02 07:45 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-01 22:39 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:11 --------- d-----w c:\documents and settings\Naveed\Application Data\VMware
2009-02-26 19:10 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 19:10 --------- d-----w c:\program files\Yahoo!
2009-02-26 19:10 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-26 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-24 21:00 --------- d-----w c:\program files\FlashGet
2009-02-22 12:42 --------- d-----w c:\program files\Wilcom
2009-02-17 00:51 --------- d-----w c:\program files\Unlocker
2009-02-15 12:58 --------- d-----w c:\program files\CCleaner
2009-02-14 21:20 --------- d-----w c:\documents and settings\Naveed\Application Data\uTorrent
2009-02-11 03:32 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-23 00:48 --------- d-----w c:\program files\SimonFell
2009-01-23 00:39 --------- d-----w c:\documents and settings\Naveed\Application Data\Wireshark
2009-01-23 00:38 --------- d-----w c:\program files\SoapTrace
2009-01-04 20:23 --------- d-----w c:\documents and settings\Naveed\Application Data\Red Gate
2009-01-04 20:21 --------- d-----w c:\documents and settings\Naveed\Application Data\IsolatedStorage
2009-01-04 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Red Gate
2008-12-20 07:08 327,682 ----a-w c:\program files\getbot.exe
2008-12-06 14:59 31 ----a-w c:\documents and settings\Naveed\jagex_runescape_preferences.dat
2008-10-19 18:16 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-01_15.30.10.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-07 09:07:23 135,168 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\cscript.exe
+ 2008-05-09 10:45:15 512,000 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\jscript.dll
+ 2008-05-09 10:45:16 180,224 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\scrobj.dll
+ 2008-05-09 10:45:16 172,032 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\scrrun.dll
+ 2008-05-09 10:45:16 430,080 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\wscript.exe
+ 2008-05-09 10:45:17 90,112 ----a-w c:\windows\$hf_mig$\KB951978\SP3QFE\wshext.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB951978\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB951978\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB951978\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w c:\windows\$hf_mig$\KB951978\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w c:\windows\$hf_mig$\KB951978\update\updspapi.dll
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2009-03-01 23:46:59 16,896 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Code.hxh4qq_a.dll
+ 2009-03-01 23:47:00 6,144 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_global.asax.yixspwii.dll
+ 2009-03-01 23:47:15 9,216 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Theme_Default.h3rntga2.dll
+ 2009-03-01 23:47:16 9,728 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Theme_Printable.budj285a.dll
+ 2009-03-01 23:47:12 19,968 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_1mvfh_rc.dll
+ 2009-03-01 23:47:05 7,680 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_7bfr1llg.dll
+ 2009-03-01 23:47:13 90,112 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_a7z9fsgg.dll
+ 2009-03-01 23:47:04 4,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_aj3rab8x.dll
+ 2009-03-01 23:47:02 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_bill_payment.ascx.d5be1dc5.6jowb3qo.dll
+ 2009-03-01 23:47:01 45,056 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_charity_payment.ascx.d5be1dc5.9gjkrzr_.dll
+ 2009-03-01 23:47:11 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_ec2nm1wg.dll
+ 2009-03-01 23:47:04 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_fqxuo_pp.dll
+ 2009-03-01 23:47:07 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_iscyxymg.dll
+ 2009-03-01 23:47:09 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_j0n5zhom.dll
+ 2009-03-01 23:47:12 15,360 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_k3-ohaxl.dll
+ 2009-03-01 23:47:15 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_kz9wmq2d.dll
+ 2009-03-01 23:47:06 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_mzwruqwu.dll
+ 2009-03-01 23:47:11 49,152 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_p-cx_ygz.dll
+ 2009-03-01 23:47:08 241,664 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_vavh3nlc.dll
+ 2009-03-01 23:47:14 53,248 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_x3ukshav.dll
+ 2009-03-01 23:47:10 19,456 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\App_Web_zwr9mzpf.dll
+ 2009-03-01 23:46:58 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\04cb5042\42e786ee_0798c901\WebMonitorModule.DLL
- 2009-02-17 02:33:44 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\094f9b5b\00249980_43b2c501\Logger.DLL
+ 2009-03-01 23:46:55 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\094f9b5b\00249980_43b2c501\Logger.DLL
+ 2009-03-01 23:46:58 483,328 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\1e8b024a\e45550fc_c79ac901\WorkflowEngine.DLL
- 2009-02-17 02:33:44 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\2b00785a\00759170_dc7cc901\SecureSessionModule.DLL
+ 2009-03-01 23:46:57 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\2b00785a\00759170_dc7cc901\SecureSessionModule.DLL
+ 2009-03-01 23:46:56 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\51bf439d\d43330ab_db98c901\OperationManagement.DLL
- 2009-02-17 02:33:44 61,440 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\5e559016\009b6244_e47bc501\dotNetFreak.WebControls.FormShield.DLL
+ 2009-03-01 23:46:55 61,440 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\5e559016\009b6244_e47bc501\dotNetFreak.WebControls.FormShield.DLL
- 2009-02-17 02:33:44 253,952 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\5f16157b\0039e331_cb61c901\Mono.Security.DLL
+ 2009-03-01 23:46:56 253,952 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\5f16157b\0039e331_cb61c901\Mono.Security.DLL
- 2009-02-17 02:33:44 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\6a565691\000cb230_cb61c901\Encryption.DLL
+ 2009-03-01 23:46:55 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\6a565691\000cb230_cb61c901\Encryption.DLL
- 2009-02-17 02:33:44 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\c0ce319a\0036080b_d84dc601\Nini.DLL
+ 2009-03-01 23:46:56 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\c0ce319a\0036080b_d84dc601\Nini.DLL
- 2009-02-17 02:33:43 1,179,648 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\eaadd4ba\0016c213_9d7ac801\AjaxControlToolkit.DLL
+ 2009-03-01 23:46:55 1,179,648 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\eaadd4ba\0016c213_9d7ac801\AjaxControlToolkit.DLL
+ 2009-03-01 23:46:57 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\a96be05a\4732f9ed\assembly\dl3\fb7fd042\48cb0bfe_c79ac901\SecurityModule.DLL
+ 2009-03-01 23:47:20 15,872 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\App_Code.dll
+ 2009-03-01 23:47:21 5,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\App_global.asax.dll
+ 2009-03-01 23:47:22 4,608 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\App_Web_asasyhgj.dll
+ 2009-03-01 23:47:22 4,096 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\App_Web_b3-ul6wj.dll
+ 2009-03-01 23:47:22 3,584 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\App_Web_zzidgfkd.dll
+ 2009-03-01 23:47:19 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\1e5b58ab\42e786ee_0798c901\WebMonitorModule.DLL
+ 2009-03-01 23:47:19 483,328 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\3d73ff49\e45550fc_c79ac901\WorkflowEngine.DLL
+ 2009-03-01 23:47:19 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\435c6cb8\00759170_dc7cc901\SecureSessionModule.DLL
+ 2009-03-01 23:47:19 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\44911b02\d43330ab_db98c901\OperationManagement.DLL
+ 2009-03-01 23:47:19 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\5b0c08c4\0036080b_d84dc601\Nini.DLL
+ 2009-03-01 23:47:18 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\7e6be330\000cb230_cb61c901\Encryption.DLL
+ 2009-03-01 23:47:18 253,952 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\a437170b\0039e331_cb61c901\Mono.Security.DLL
+ 2009-03-01 23:47:18 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\b2651899\00249980_43b2c501\Logger.DLL
+ 2009-03-01 23:47:18 61,440 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\cdaf5894\009b6244_e47bc501\dotNetFreak.WebControls.FormShield.DLL
+ 2009-03-01 23:47:18 1,179,648 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\d2ee4cbc\0016c213_9d7ac801\AjaxControlToolkit.DLL
+ 2009-03-01 23:47:19 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprism\bbdc672f\e2ff707d\assembly\dl3\fede2cc6\48cb0bfe_c79ac901\SecurityModule.DLL
+ 2009-03-01 21:42:53 40,960 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\App_Code.4q9mkgf4.dll
- 2009-02-16 18:01:27 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\86e289f9\00249980_43b2c501\Logger.DLL
+ 2009-03-01 21:42:24 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\86e289f9\00249980_43b2c501\Logger.DLL
+ 2009-03-01 21:42:25 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\d85012ca\b86aa692_b69ac901\OperationManagement.DLL
+ 2009-03-01 21:42:25 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\db502ebd\488ccf94_b69ac901\PrismDataServiceLayer.DLL
- 2009-02-16 18:01:27 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\f968376d\0036080b_d84dc601\Nini.DLL
+ 2009-03-01 21:42:25 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\f968376d\0036080b_d84dc601\Nini.DLL
+ 2009-03-01 21:42:55 5,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\abkprismsimulations\c31bfd1f\3c0e2b61\App_Code.dqmjfiql.dll
+ 2009-03-01 21:42:50 12,800 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\App_Code.sungb2gb.dll
+ 2009-03-01 21:42:51 13,824 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\App_Web_3q0cijcu.dll
+ 2009-03-01 21:42:49 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\56248b5f\30520f93_b69ac901\IRIS_APIs.DLL
+ 2009-03-01 21:42:49 65,536 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\5c51c075\5cfe7c93_b69ac901\IRISTransactions.DLL
- 2009-02-16 18:25:06 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\9f97f304\00249980_43b2c501\Logger.DLL
+ 2009-03-01 21:42:49 20,480 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\9f97f304\00249980_43b2c501\Logger.DLL
+ 2009-03-01 21:42:49 57,344 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\f2bcaf54\b86aa692_b69ac901\OperationManagement.DLL
- 2009-02-16 18:25:06 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\fd4bb1ef\0036080b_d84dc601\Nini.DLL
+ 2009-03-01 21:42:49 69,632 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\iristransactionservice\b3849985\8826621e\assembly\dl3\fd4bb1ef\0036080b_d84dc601\Nini.DLL
- 2008-04-14 00:12:15 139,264 ----a-w
c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ----a-w
c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 -c----w
c:\windows\system32\dllcache\cscript.exe
+ 2008-05-09 10:53:39 512,000 -c----w
c:\windows\system32\dllcache\jscript.dll
- 2008-04-14 00:12:01 1,306,624 -c----w
c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c----w
c:\windows\system32\dllcache\msxml6.dll
+ 2008-05-09 10:53:39 180,224 -c----w
c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:40 172,032 -c----w
c:\windows\system32\dllcache\scrrun.dll
+ 2008-06-17 19:02:19 8,461,312 -c----w
c:\windows\system32\dllcache\shell32.dll
+ 2008-05-09 10:53:40 430,080 -c----w
c:\windows\system32\dllcache\vbscript.dll
- 2007-04-10 09:00:46 236,928 -c----w
c:\windows\system32\dllcache\WgaLogon.dll
+ 2008-09-05 18:30:42 241,704 -c----w
c:\windows\system32\dllcache\wgaLogon.dll
- 2007-04-10 09:01:18 336,768 -c----w
c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-05 18:29:58 917,032 -c----w
c:\windows\system32\dllcache\WgaTray.exe
+ 2008-05-08 11:24:44 155,648 -c----w
c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53:40 90,112 -c----w
c:\windows\system32\dllcache\wshext.dll
- 2009-02-28 23:46:05 251,968 ----a-w
c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-02 07:47:08 252,446 ----a-w
c:\windows\system32\inetsrv\MetaBase.bin
- 2008-04-14 00:11:56 512,000 ----a-w
c:\windows\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w
c:\windows\system32\jscript.dll
- 2007-10-11 09:12:48 1,468,968 ------w
c:\windows\system32\LegitCheckControl.dll
+ 2008-09-05 18:30:06 1,480,232 ------w
c:\windows\system32\LegitCheckControl.dll
- 2008-04-14 00:12:01 1,306,624 ----a-w
c:\windows\system32\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ----a-w
c:\windows\system32\msxml6.dll
- 2008-04-14 00:12:05 180,224 ----a-w
c:\windows\system32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w
c:\windows\system32\scrobj.dll
- 2008-04-14 00:12:05 172,032 ----a-w
c:\windows\system32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w
c:\windows\system32\scrrun.dll
- 2008-04-14 00:12:05 8,461,312 ----a-w
c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w
c:\windows\system32\shell32.dll
- 2008-04-14 00:12:08 434,176 ----a-w
c:\windows\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w
c:\windows\system32\vbscript.dll
- 2007-04-10 09:00:46 236,928 ------w
c:\windows\system32\WgaLogon.dll
+ 2008-09-05 18:30:42 241,704 ----a-w
c:\windows\system32\WgaLogon.dll
- 2007-04-10 09:01:18 336,768 ------w
c:\windows\system32\WgaTray.exe
+ 2008-09-05 18:29:58 917,032 ------w
c:\windows\system32\WgaTray.exe
- 2008-04-14 00:12:41 155,648 ----a-w
c:\windows\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w
c:\windows\system32\wscript.exe
- 2008-04-14 00:12:10 90,112 ----a-w
c:\windows\system32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w
c:\windows\system32\wshext.dll
+ 2009-03-02 07:45:22 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_4f4.dat
+ 2009-03-02 07:46:37 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_674.dat
+ 2009-03-02 07:45:07 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_7b8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 131072]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-20 177448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-15 19:51 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 13:30 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2006-02-24 19:29 196709 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-10-19 23:15 30192 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 02:50 133104 c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-03-28 11:20 1079296 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-09 16:01 25388584 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-12 02:43 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-05-01 22:52 56112 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
--a------ 2007-05-01 22:52 68400 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0\\bin\\idea.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"d:\\Games\\Valve\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:*:Disabled:Gnutella
"1215:TCP"= 1215:TCP:OpenFT
"1216:TCP"= 1216:TCP:OpenFT
"59049:TCP"= 59049:TCP:*:Disabled:Ares
"2896:TCP"= 2896:TCP:pxnqjo

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [2008-06-24 65536]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-20 161064]
R2 trysftnt;trysftnt;c:\windows\system32\drivers\TRYSFTNT.SYS [2008-09-14 39136]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [2008-09-14 28416]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 hsnfwji;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\drivers\adusbser.sys [2008-11-15 93440]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-19 30192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 PORTMON;PORTMON;\??\c:\program files\SysinternalsSuite\PORTMSYS.SYS --> c:\program files\SysinternalsSuite\PORTMSYS.SYS [?]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2008-09-14 13359]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hsnfwji

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c4530b8-b329-11dd-9d0c-005056c00008}]
\Shell\AutoRun\command - J:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
\Shell\AutoRun\command - I:\ij.bat
\Shell\explore\Command - I:\ij.bat
\Shell\open\Command - I:\ij.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
\Shell\AutoRun\command - t.com
\Shell\explore\Command - t.com
\Shell\open\Command - t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
\Shell\AutoRun\command - qxbx9blb.com
\Shell\explore\Command - qxbx9blb.com
\Shell\open\Command - qxbx9blb.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
\Shell\Auto\command - ServerNet.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ServerNet.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
\Shell\AutoRun\command - I:\2u.com
\Shell\explore\Command - I:\2u.com
\Shell\open\Command - I:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
\Shell\AutoRun\command - ycxexw.exe
\Shell\explore\Command - ycxexw.exe
\Shell\open\Command - ycxexw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]
\Shell\AutoRun\command - J:\klp8j6i.com
\Shell\explore\Command - J:\klp8j6i.com
\Shell\open\Command - J:\klp8j6i.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1343024091-682003330-1006.job
- c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.skype.com/go/help.guides.ieaddon?lang=en
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Naveed\Application Data\Mozilla\Firefox\Profiles\kw21kyxi.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector
by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 13:01:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hsnfwji]
"ServiceDll"="c:\windows\system32\uatgucj.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1343024091-682003330-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-03-02 13:03:29
ComboFix-quarantined-files.txt 2009-03-02 08:03:27
ComboFix2.txt 2009-03-01 10:31:24
ComboFix3.txt 2009-02-28 02:23:31
ComboFix4.txt 2009-02-26 22:55:54
ComboFix5.txt 2009-03-02 07:57:50

Pre-Run: 1,168,842,752 bytes free
Post-Run: 1,153,908,736 bytes free

394 --- E O F --- 2009-03-01 22:02:30



#9
March 2, 2009 at 19:09:39
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\uatgucj.dll

Driver::
hsnfwji

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hsnfwji]
"ServiceDll"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c4530b8-b329-11dd-9d0c-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.


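As an added example (not code from the thread or from ComboFix), this script does over a constructed log excerpt what the two replies above do by hand: it pulls out of the ComboFix log the loopback IE proxy, the svchost-hosted netsvcs service with its ServiceDll, and the mountpoints2 autorun handlers, and renders them in the CFScript layout used in the reply above. The regexes, function names and sample lines are this example's own assumptions.

```python
"""Triage a ComboFix log excerpt and draft a CFScript from what it finds.
Added example, not code from the thread or ComboFix; sample lines are
constructed in the posted log's layout and the regexes are my own."""
import re

# Constructed excerpt in the posted log's layout, not a real capture.
SAMPLE_LOG = [
    r"uInternet Settings,ProxyServer = 127.0.0.1:8081",
    r"R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [2008-06-24 65536]",
    r"S2 hsnfwji;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]",
    r"S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]",
    r"\Shell\AutoRun\command - I:\ij.bat",
    r"\Shell\open\Command - I:\ij.bat",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]",
    r"\Shell\AutoRun\command - ycxexw.exe",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]",
    r'"c:\program files\Common Files\LightScribe\LSRunOnce.exe"',
    r"[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hsnfwji]",
    r'"ServiceDll"="c:\windows\system32\uatgucj.dll"',
]

# One service per line: "<state> <name>;<display name>;<image path> [date size]".
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)(?:\s+\[[^\]]*\])?$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\(?:AutoRun|open|explore)\\command\s+-\s+(?P<target>.+)$", re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<host>[^:\s]+):(?P<port>\d+)$")


def triage(lines):
    """Single pass over the log: collect the indicators a helper acts on."""
    findings = {"proxy": None, "netsvcs": {}, "autorun_keys": []}
    current_key = None
    for raw in lines:
        line = raw.strip()
        if m := PROXY_RE.match(line):
            findings["proxy"] = (m["host"], int(m["port"]))
        elif (m := SERVICE_RE.match(line)) and "svchost.exe -k netsvcs" in m["image"].lower():
            # ComboFix suppresses known-good defaults, so a netsvcs-hosted
            # service that is printed at all deserves a look.
            findings["netsvcs"][m["name"].strip()] = {"display": m["display"].strip(), "dll": None, "key": None}
        elif m := KEY_RE.match(line):
            current_key = m["key"]
        elif current_key and "mountpoints2" in current_key.lower() and AUTORUN_RE.match(line):
            # Per-volume autorun handler: opening or exploring the drive runs the target.
            if current_key not in findings["autorun_keys"]:
                findings["autorun_keys"].append(current_key)
        elif current_key and (m := SERVICEDLL_RE.match(line)):
            svc = current_key.rsplit("\\", 1)[-1]
            if svc in findings["netsvcs"]:
                findings["netsvcs"][svc].update(dll=m["dll"], key=current_key)
    return findings


def is_loopback_proxy(findings):
    """True when IE is told to send everything through a proxy on this machine."""
    proxy = findings["proxy"]
    return bool(proxy) and (proxy[0].startswith("127.") or proxy[0].lower() == "localhost")


def review_notes(findings):
    """Plain-language notes for the helper, returned as a list so they can be checked."""
    notes = []
    if is_loopback_proxy(findings):
        host, port = findings["proxy"]
        notes.append(f"IE proxy {host}:{port}: a loopback proxy with no proxy software installed "
                     "can silently drop or redirect sites (AV vendors included) while HOSTS stays clean")
    for name, info in findings["netsvcs"].items():
        notes.append(f"netsvcs service {name} ({info['display']}) loads {info['dll'] or 'an unlisted DLL'}")
    for key in findings["autorun_keys"]:
        guid = key.rsplit("\\", 1)[-1]
        notes.append(f"removable-drive autorun handler under mountpoints2 {guid}")
    return notes


def draft_cfscript(findings):
    """Render the findings in the CFScript layout used in the reply above
    (KILLALL::/File::/Driver::/Registry::). A draft for review, not for blind use."""
    files, drivers, registry = [], [], []
    for name, info in sorted(findings["netsvcs"].items()):
        drivers.append(name)
        if info["dll"]:
            files.append(info["dll"])
        if info["key"]:
            registry += [f"[{info['key']}]", '"ServiceDll"=-']  # drop the value, keep the key
    registry += [f"[-{key}]" for key in findings["autorun_keys"]]  # leading '-' deletes the key
    out = ["KILLALL::"]
    for header, items in (("File::", files), ("Driver::", drivers), ("Registry::", registry)):
        if items:
            out += [header, *items, ""]
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("\n".join(review_notes(found)))
    print()
    print(draft_cfscript(found))
```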

#10
March 3, 2009 at 20:18:54
ComboFix log file

ComboFix 09-02-28.01 - Naveed 2009-03-04 9:01:29.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2296 [GMT 5:00]
Running from: d:\setups\ComboFix.exe
Command switches used :: c:\documents and settings\Naveed\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090303-2] *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\uatgucj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HSNFWJI
-------\Service_hsnfwji


((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-03-02 15:06 . 2009-03-02 15:06 23,416 --a------ C:\633716032066250000_ABKPrism_Emails_Body.html
2009-03-01 15:21 . 2009-03-01 15:21 <DIR> d-------- c:\program files\Alwil Software
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 13:28 . 2004-08-04 03:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\scripting
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\en
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\bits
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\l2schemas
2009-02-28 13:06 . 2009-02-28 13:13 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-28 12:58 . 2009-03-02 03:01 1,355 --a------ c:\windows\imsins.BAK
2009-02-27 02:24 . 2009-02-27 02:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-27 02:24 . 2009-02-27 03:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-27 00:51 . 2009-02-27 00:52 <DIR> d-------- c:\windows\ERUNT
2009-02-27 00:40 . 2009-02-27 01:10 <DIR> d-------- C:\SDFix
2009-02-22 02:26 . 2009-02-24 02:38 <DIR> d-------- c:\program files\Vuze
2009-02-22 02:26 . 2009-02-24 02:28 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Azureus
2009-02-22 02:26 . 2009-02-22 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2009-02-16 22:58 . 2009-02-16 20:23 225,280 --a------ c:\program files\tail.exe
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\program files\Seagate
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2009-02-14 14:19 . 2009-02-14 14:19 <DIR> d--hs---- c:\windows\ftpcache
2009-02-11 08:32 . 2009-02-11 08:32 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 08:29 . 2009-02-11 08:29 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 04:07 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2009-03-04 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-02 21:50 --------- d-----w c:\documents and settings\Naveed\Application Data\uTorrent
2009-03-02 08:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 08:53 --------- d-----w c:\documents and settings\All Users\Application Data\Firefly Studios
2009-03-01 22:39 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:11 --------- d-----w c:\documents and settings\Naveed\Application Data\VMware
2009-02-26 19:10 --------- d-----w c:\program files\Yahoo!
2009-02-26 19:10 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-26 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-24 21:00 --------- d-----w c:\program files\FlashGet
2009-02-22 12:42 --------- d-----w c:\program files\Wilcom
2009-02-17 00:51 --------- d-----w c:\program files\Unlocker
2009-02-15 12:58 --------- d-----w c:\program files\CCleaner
2009-02-11 03:32 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-23 00:48 --------- d-----w c:\program files\SimonFell
2009-01-23 00:39 --------- d-----w c:\documents and settings\Naveed\Application Data\Wireshark
2009-01-23 00:38 --------- d-----w c:\program files\SoapTrace
2009-01-04 20:23 --------- d-----w c:\documents and settings\Naveed\Application Data\Red Gate
2009-01-04 20:21 --------- d-----w c:\documents and settings\Naveed\Application Data\IsolatedStorage
2009-01-04 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Red Gate
2008-12-20 07:08 327,682 ----a-w c:\program files\getbot.exe
2008-12-06 14:59 31 ----a-w c:\documents and settings\Naveed\jagex_runescape_preferences.dat
2008-10-19 18:16 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-02_13.02.17.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-03 00:48:08 69,632 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\a9e566e3\5183bc0b\assembly\dl3\f9
68376d\[u]0[/u]036080b_d84dc601\Nini.DLL
+ 2009-03-03 01:35:49 36,864 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\e2131f3d\60ec5475\App_Code.dll
+ 2009-03-03 01:35:48 57,344 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\e2131f3d\60ec5475\assembly\dl3\1e
58aea9\eeb7f0b3_999bc901\OperationManagement.DLL
+ 2009-03-03 01:35:48 20,480 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\e2131f3d\60ec5475\assembly\dl3\3a
5d51a0\[u]0[/u]0249980_43b2c501\Logger.DLL
+ 2009-03-03 01:35:48 69,632 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\e2131f3d\60ec5475\assembly\dl3\9b
5325eb\[u]0[/u]036080b_d84dc601\Nini.DLL
+ 2009-03-03 01:35:48 65,536 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\abkprismdataservices\e2131f3d\60ec5475\assembly\dl3\d0
99ed27\7a6b69b5_999bc901\PrismDataServiceLayer.DLL
+ 2009-03-03 01:35:54 12,288 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\App_Code.
dll
+ 2009-03-03 01:35:55 7,680 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\App_Web_
xrbhsttz.dll
+ 2009-03-03 01:35:53 61,440 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\assembly\
dl3\42cd7300\8cd3efb4_999bc901\IRISTransactions.DLL
+ 2009-03-03 01:35:53 98,304 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\assembly\
dl3\6b342ae4\1c9bb6b4_999bc901\IRIS_APIs.DLL
+ 2009-03-03 01:35:53 57,344 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\assembly\
dl3\e017b4b6\eeb7f0b3_999bc901\OperationManagement.DLL
+ 2009-03-03 01:35:53 69,632 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\assembly\
dl3\e2e3a6fa\[u]0[/u]036080b_d84dc601\Nini.DLL
+ 2009-03-03 01:35:53 20,480 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\[u]0[/u]deb4619\444542e4\assembly\
dl3\fe6f5ecd\[u]0[/u]0249980_43b2c501\Logger.DLL
+ 2009-03-03 00:48:08 12,800 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\App_Code.uxb6i
vag.dll
+ 2009-03-03 00:48:10 13,824 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\App_Web_vge8
u3n7.dll
+ 2009-03-03 00:48:05 98,304 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\56
248b5f\1c9bb6b4_999bc901\IRIS_APIs.DLL
+ 2009-03-03 00:48:05 61,440 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\5c
51c075\8cd3efb4_999bc901\IRISTransactions.DLL
- 2009-03-01 21:42:49 20,480 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\9f
97f304\[u]0[/u]0249980_43b2c501\Logger.DLL
+ 2009-03-03 00:48:06 20,480 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\9f
97f304\[u]0[/u]0249980_43b2c501\Logger.DLL
+ 2009-03-03 00:48:07 57,344 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\f2
bcaf54\eeb7f0b3_999bc901\OperationManagement.DLL
- 2009-03-01 21:42:49 69,632 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\fd
4bb1ef\[u]0[/u]036080b_d84dc601\Nini.DLL
+ 2009-03-03 00:48:06 69,632 ----a-w
c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary
ASP.NET
Files\iristransactionservice\b3849985\8826621e\assembly\dl3\fd
4bb1ef\[u]0[/u]036080b_d84dc601\Nini.DLL
- 2009-02-28 08:26:47 1,487,288 ----a-w
c:\windows\system32\FNTCACHE.DAT
+ 2009-03-02 09:36:44 1,489,464 ----a-w
c:\windows\system32\FNTCACHE.DAT
- 2009-03-02 07:47:08 252,446 ----a-w
c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-04 04:08:20 252,437 ----a-w
c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-04 04:07:38 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_2b4.dat
+ 2009-03-04 04:08:56 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_424.dat
+ 2009-03-04 04:06:31 16,384 ----atw
c:\windows\temp\Perflib_Perfdata_794.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 131072]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-20 177448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-15 19:51 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 13:30 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2006-02-24 19:29 196709 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-10-19 23:15 30192 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 02:50 133104 c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-03-28 11:20 1079296 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-09 16:01 25388584 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-12 02:43 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-05-01 22:52 56112 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
--a------ 2007-05-01 22:52 68400 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0\\bin\\idea.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"d:\\Games\\Valve\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:*:Disabled:Gnutella
"1215:TCP"= 1215:TCP:OpenFT
"1216:TCP"= 1216:TCP:OpenFT
"59049:TCP"= 59049:TCP:*:Disabled:Ares
"2896:TCP"= 2896:TCP:pxnqjo

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [2008-06-24 65536]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-20 161064]
R2 trysftnt;trysftnt;c:\windows\system32\drivers\TRYSFTNT.SYS [2008-09-14 39136]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [2008-09-14 28416]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\drivers\adusbser.sys [2008-11-15 93440]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-19 30192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 PORTMON;PORTMON;\??\c:\program files\SysinternalsSuite\PORTMSYS.SYS --> c:\program files\SysinternalsSuite\PORTMSYS.SYS [?]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2008-09-14 13359]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c4530b8-b329-11dd-9d0c-005056c00008}]
\Shell\AutoRun\command - J:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
\Shell\AutoRun\command - I:\ij.bat
\Shell\explore\Command - I:\ij.bat
\Shell\open\Command - I:\ij.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
\Shell\AutoRun\command - t.com
\Shell\explore\Command - t.com
\Shell\open\Command - t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
\Shell\AutoRun\command - qxbx9blb.com
\Shell\explore\Command - qxbx9blb.com
\Shell\open\Command - qxbx9blb.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
\Shell\Auto\command - ServerNet.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ServerNet.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
\Shell\AutoRun\command - I:\2u.com
\Shell\explore\Command - I:\2u.com
\Shell\open\Command - I:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
\Shell\AutoRun\command - ycxexw.exe
\Shell\explore\Command - ycxexw.exe
\Shell\open\Command - ycxexw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]
\Shell\AutoRun\command - J:\klp8j6i.com
\Shell\explore\Command - J:\klp8j6i.com
\Shell\open\Command - J:\klp8j6i.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1343024091-682003330-1006.job
- c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.skype.com/go/help.guides.ieaddon?lang=en
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Naveed\Application Data\Mozilla\Firefox\Profiles\kw21kyxi.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector
by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 09:08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1343024091-682003330-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-04 9:14:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 04:13:57
ComboFix2.txt 2009-03-02 08:03:30
ComboFix3.txt 2009-03-01 10:31:24
ComboFix4.txt 2009-02-28 02:23:31
ComboFix5.txt 2009-03-04 04:00:48

Pre-Run: 2,320,986,112 bytes free
Post-Run: 2,199,465,984 bytes free

373 --- E O F --- 2009-03-01 22:02:30


Report •

#11
March 4, 2009 at 14:15:17
Once you get SDFix downloaded go offline, turn off your antivirus, and turn off any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt


Report •

#12
March 7, 2009 at 13:08:45
SDFix log file

[b]SDFix: Version 1.240 [/b]
Run by Naveed on Sun 03/08/2009 at 01:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 01:58:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:f3,20,64,f0,bd,ab,ec,86,df,5c,ca,d1,59,c5,f4,d9,4c,7a,ce,d9,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,3f,47,4f,ba,a3,f8,a3,9e,fc,77,80,22,8c,f0,91,b4,..
"khjeh"=hex:27,b4,5b,50,c9,9f,30,e5,a6,86,62,d3,c3,8a,b1,b9,72,f7,1e,fe,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:31,b3,e3,4f,90,51,1f,7a,65,f6,46,76,82,47,93,66,68,51,a2,97,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hsnfwji]
"DisplayName"="Network Security"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Allows error reporting for services and applictions running in non-standard environments."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hsnfwji\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\uatgucj.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:f3,20,64,f0,bd,ab,ec,86,df,5c,ca,d1,59,c5,f4,d9,4c,7a,ce,d9,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,3f,47,4f,ba,a3,f8,a3,9e,fc,77,80,22,8c,f0,91,b4,..
"khjeh"=hex:27,b4,5b,50,c9,9f,30,e5,a6,86,62,d3,c3,8a,b1,b9,72,f7,1e,fe,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:31,b3,e3,4f,90,51,1f,7a,65,f6,46,76,82,47,93,66,68,51,a2,97,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:f3,20,64,f0,bd,ab,ec,86,df,5c,ca,d1,59,c5,f4,d9,4c,7a,ce,d9,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,3f,47,4f,ba,a3,f8,a3,9e,fc,77,80,22,8c,f0,91,b4,..
"khjeh"=hex:27,b4,5b,50,c9,9f,30,e5,a6,86,62,d3,c3,8a,b1,b9,72,f7,1e,fe,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:31,b3,e3,4f,90,51,1f,7a,65,f6,46,76,82,47,93,66,68,51,a2,97,99,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Warcraft III\\Warcraft III.exe"="C:\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0\\bin\\idea.exe"="C:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0\\bin\\idea.exe:*:Disabled:idea"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Disabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"="C:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"D:\\Games\\Valve\\hl.exe"="D:\\Games\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:


[b]Finished![/b]



Report •

#13
March 7, 2009 at 17:26:17
When you run this script be sure that Spybot and SpySweeper are turned off.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\program files\tail.exe
c:\windows\system32\DRIVERS\cv2k1.sys
I:\ij.bat
I:\2u.com
J:\klp8j6i.com

Driver::
CV2K1

Folder::
c:\program files\tail.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.


Report •
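The following is an added example, not ComboFix or SDFix code, that does by script what #13 did by hand: it parses the mountpoints2 block of a ComboFix log, flags the drive-autorun handlers on the grounds a helper looks for (hooked open/explore verbs, RunDLL32 ShellExec_RunDLL indirection, script/COM payloads) and emits the File:: and Registry:: stanzas of a CFScript. The sample log text is constructed from the entries in the log above with the wrapped key lines rejoined; the heuristics and all function names are my own, not ComboFix's.

```python
"""Triage the mountpoints2 autorun handlers in a ComboFix log and emit the
CFScript File:: / Registry:: stanzas that would remove the flagged keys.
Added example, not ComboFix or SDFix code; heuristics and names are my own."""
import re
from dataclasses import dataclass, field

# Constructed from the thread's log (wrapped key lines rejoined): one key block
# per removable-drive GUID, then one line per shell verb the drive has hooked.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c4530b8-b329-11dd-9d0c-005056c00008}]
\Shell\AutoRun\command - J:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
\Shell\AutoRun\command - I:\ij.bat
\Shell\explore\Command - I:\ij.bat
\Shell\open\Command - I:\ij.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
\Shell\AutoRun\command - t.com
\Shell\explore\Command - t.com
\Shell\open\Command - t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
\Shell\AutoRun\command - qxbx9blb.com
\Shell\explore\Command - qxbx9blb.com
\Shell\open\Command - qxbx9blb.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
\Shell\Auto\command - ServerNet.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ServerNet.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
\Shell\AutoRun\command - I:\2u.com
\Shell\explore\Command - I:\2u.com
\Shell\open\Command - I:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
\Shell\AutoRun\command - ycxexw.exe
\Shell\explore\Command - ycxexw.exe
\Shell\open\Command - ycxexw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]
\Shell\AutoRun\command - J:\klp8j6i.com
\Shell\explore\Command - J:\klp8j6i.com
\Shell\open\Command - J:\klp8j6i.com
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
HIJACK_VERBS = {"open", "explore"}  # fire on double-click / right-click Explore
SCRIPT_EXT = (".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")

@dataclass
class MountPoint:
    key: str
    handlers: dict = field(default_factory=dict)  # verb (lower-case) -> command

def parse_mountpoints(log_text):
    """Collect each mountpoints2 key and the shell-verb handlers listed under it."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes the key block
        elif (km := KEY_RE.match(line)):
            current = MountPoint(key=km.group(1))
            entries.append(current)
        elif current is not None and (vm := VERB_RE.match(line)):
            current.handlers[vm.group("verb").lower()] = vm.group("cmd").strip()
    return entries

def payload_of(cmd):
    """Last token of the command: the file actually launched, also when it is
    passed through RunDLL32 ShellExec_RunDLL. ComboFix prints these unquoted,
    so a payload path containing spaces is not handled here."""
    return cmd.split()[-1]

def suspicious_reasons(mp):
    """Why a helper would remove this key; an empty list means it looks benign."""
    reasons = []
    hooked = sorted(v for v in mp.handlers if v in HIJACK_VERBS)
    if hooked:
        reasons.append("hooks " + "/".join(hooked) + " (runs on double-click)")
    for verb, cmd in mp.handlers.items():
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: payload launched via RunDLL32 ShellExec_RunDLL")
        if payload_of(cmd).lower().endswith(SCRIPT_EXT):
            reasons.append(f"{verb}: script/COM payload {payload_of(cmd)}")
    return reasons

def build_cfscript(flagged):
    """CFScript stanzas as in #13: File:: for payloads that carry a drive letter,
    Registry:: with [-key] to delete each flagged mountpoints2 key."""
    files = sorted({payload_of(c) for mp in flagged for c in mp.handlers.values()
                    if re.match(r"^[a-z]:\\", payload_of(c), re.I)})
    lines = ["KILLALL::", "File::", *files, "", "Registry::"]
    lines += [f"[-{mp.key}]" for mp in flagged]
    return "\n".join(lines) + "\n"

def triage(log_text):
    """Return (flagged entries, CFScript text) for one ComboFix log."""
    flagged = [mp for mp in parse_mountpoints(log_text) if suspicious_reasons(mp)]
    return flagged, build_cfscript(flagged)
```

On the sample above, `triage(SAMPLE_LOG)` leaves the lone `J:\Launcher.exe` AutoRun entry alone and flags the other seven keys, producing the same seven `[-HKEY_CURRENT_USER\...]` lines and the same three File:: paths that #13 lists by hand.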

#14
March 8, 2009 at 04:33:04
ComboFix log file

ComboFix 09-03-06.02 - Naveed 2009-03-08 16:17:19.7 -
NTFSx86
Microsoft Windows XP Professional
5.1.2600.3.1252.1.1033.18.3061.2301 [GMT 5:00]
Running from: d:\setups\ComboFix.exe
Command switches used :: c:\documents and
settings\Naveed\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090307-0] *On-access
scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY
CONSOLE INSTALLED !!

FILE ::
c:\program files\tail.exe
c:\windows\system32\DRIVERS\cv2k1.sys
I:\2u.com
I:\ij.bat
J:\klp8j6i.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\tail.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services
)))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CV2K1
-------\Service_CV2K1


((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08
)))))))))))))))))))))))))))))))
.

2009-03-08 04:29 . 2009-03-08 04:29 <DIR> d-------- C:\Downloads
2009-03-08 01:46 . 2009-03-08 01:46 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-08 01:39 . 2009-03-08 02:02 <DIR> d-------- C:\SDFix
2009-03-02 15:06 . 2009-03-02 15:06 23,416 --a------ C:\633716032066250000_ABKPrism_Emails_Body.html
2009-03-01 15:21 . 2009-03-01 15:21 <DIR> d-------- c:\program files\Alwil Software
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-28 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 13:28 . 2004-08-04 03:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\scripting
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\en
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\system32\bits
2009-02-28 13:12 . 2009-02-28 13:12 <DIR> d-------- c:\windows\l2schemas
2009-02-28 13:06 . 2009-02-28 13:13 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-27 02:24 . 2009-02-27 02:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-27 02:24 . 2009-03-08 02:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-27 00:51 . 2009-02-27 00:52 <DIR> d-------- c:\windows\ERUNT
2009-02-22 02:26 . 2009-02-24 02:38 <DIR> d-------- c:\program files\Vuze
2009-02-22 02:26 . 2009-02-24 02:28 <DIR> d-------- c:\documents and settings\Naveed\Application Data\Azureus
2009-02-22 02:26 . 2009-02-22 02:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\program files\Seagate
2009-02-14 14:21 . 2009-02-14 14:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
2009-02-14 14:19 . 2009-02-14 14:19 <DIR> d--hs---- c:\windows\ftpcache
2009-02-11 08:32 . 2009-02-11 08:32 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 08:29 . 2009-02-11 08:29 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 11:20 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2009-03-08 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-08 11:17 --------- d-----w c:\documents and settings\Naveed\Application Data\uTorrent
2009-03-07 23:31 --------- d-----w c:\program files\FlashGet
2009-03-02 08:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 08:53 --------- d-----w c:\documents and settings\All Users\Application Data\Firefly Studios
2009-03-01 22:39 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:11 --------- d-----w c:\documents and settings\Naveed\Application Data\VMware
2009-02-26 19:10 --------- d-----w c:\program files\Yahoo!
2009-02-26 19:10 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-26 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-22 12:42 --------- d-----w c:\program files\Wilcom
2009-02-17 00:51 --------- d-----w c:\program files\Unlocker
2009-02-15 12:58 --------- d-----w c:\program files\CCleaner
2009-02-11 03:32 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-23 00:48 --------- d-----w c:\program files\SimonFell
2009-01-23 00:39 --------- d-----w c:\documents and settings\Naveed\Application Data\Wireshark
2009-01-23 00:38 --------- d-----w c:\program files\SoapTrace
2008-12-20 07:08 327,682 ----a-w c:\program files\getbot.exe
2008-12-06 14:59 31 ----a-w c:\documents and settings\Naveed\jagex_runescape_preferences.dat
2008-10-19 18:16 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-04_ 9.12.53.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-26 19:52:54 8,417,280 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-03-07 20:44:49 10,584,064 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2009-02-26 19:52:54 200,704 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-03-07 20:44:49 200,704 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-03-04 04:08:20 252,437 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-08 11:21:48 252,436 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-08 11:20:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_4f0.dat
+ 2009-03-08 11:21:08 16,384 ----atw c:\windows\temp\Perflib_Perfdata_550.dat
+ 2009-03-08 11:19:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_77c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 131072]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-20 177448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-15 19:51 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-21 13:30 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2006-02-24 19:29 196709 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-10-19 23:15 30192 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 02:50 133104 c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-03-28 11:20 1079296 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-09 16:01 25388584 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-12 02:43 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-05-01 22:52 56112 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
--a------ 2007-05-01 22:52 68400 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0\\bin\\idea.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"d:\\Games\\Valve\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:*:Disabled:Gnutella
"1215:TCP"= 1215:TCP:OpenFT
"1216:TCP"= 1216:TCP:OpenFT
"59049:TCP"= 59049:TCP:*:Disabled:Ares
"2896:TCP"= 2896:TCP:pxnqjo

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [2008-06-24 65536]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-20 161064]
R2 trysftnt;trysftnt;c:\windows\system32\drivers\TRYSFTNT.SYS [2008-09-14 39136]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [2008-09-14 28416]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\drivers\adusbser.sys [2008-11-15 93440]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-19 30192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 PORTMON;PORTMON;\??\c:\program files\SysinternalsSuite\PORTMSYS.SYS --> c:\program files\SysinternalsSuite\PORTMSYS.SYS [?]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2008-09-14 13359]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c4530b8-b329-11dd-9d0c-005056c00008}]
\Shell\AutoRun\command - J:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
\Shell\AutoRun\command - I:\ij.bat
\Shell\explore\Command - I:\ij.bat
\Shell\open\Command - I:\ij.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{187cbe99-0d6e-11dd-a7d2-0019d1877ed0}]
\Shell\AutoRun\command - t.com
\Shell\explore\Command - t.com
\Shell\open\Command - t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a46a988-916f-11dd-9cac-005056c00008}]
\Shell\AutoRun\command - qxbx9blb.com
\Shell\explore\Command - qxbx9blb.com
\Shell\open\Command - qxbx9blb.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
\Shell\Auto\command - ServerNet.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ServerNet.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff4b1cf-b018-11dd-9d05-005056c00008}]
\Shell\AutoRun\command - I:\2u.com
\Shell\explore\Command - I:\2u.com
\Shell\open\Command - I:\2u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4bcaf90-e588-11dd-9d92-005056c00008}]
\Shell\AutoRun\command - ycxexw.exe
\Shell\explore\Command - ycxexw.exe
\Shell\open\Command - ycxexw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccf2a2d7-5017-11dd-a8b6-005056c00008}]
\Shell\AutoRun\command - J:\klp8j6i.com
\Shell\explore\Command - J:\klp8j6i.com
\Shell\open\Command - J:\klp8j6i.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1343024091-682003330-1006.job
- c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.skype.com/go/help.guides.ieaddon?lang=en
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Naveed\Application Data\Mozilla\Firefox\Profiles\kw21kyxi.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Naveed\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector
by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 16:23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1343024091-682003330-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-08 16:28:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 11:28:02
ComboFix2.txt 2009-03-04 04:14:01
ComboFix3.txt 2009-03-02 08:03:30
ComboFix4.txt 2009-03-01 10:31:24
ComboFix5.txt 2009-03-08 11:16:20

Pre-Run: 1,442,967,552 bytes free
Post-Run: 1,426,722,816 bytes free

289 --- E O F --- 2009-03-06 18:49:33
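The log above lists several MountPoints2 keys whose shell verbs point at files such as I:\ij.bat and J:\klp8j6i.com (the entries the CFScript in the previous reply targets), and an Internet Explorer proxy set to 127.0.0.1:8081. As an added example, which is the editor's code and not ComboFix's or anything posted in this thread, the Python below parses a constructed excerpt in the shape of ComboFix's "Reg Loading Points" and "Supplementary Scan" sections: per volume GUID it lists what each AutoRun/open/explore verb would actually launch (unwrapping the RunDLL32 ShellExec_RunDLL indirection), and it reports whether the IE proxy points back at the local machine. The regular expressions and the loopback heuristic are assumptions about the log layout as it appears here, not a documented ComboFix format.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections (values mirror the log above; not a full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9f15f0-d779-11dd-9d7a-005056c00008}]
\Shell\AutoRun\command - I:\ij.bat
\Shell\explore\Command - I:\ij.bat
\Shell\open\Command - I:\ij.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f3ba164-f8e8-11dc-8f65-0019d1877ed0}]
\Shell\Auto\command - ServerNet.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ServerNet.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

uStart Page = about:blank
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local;*.local
"""

# Assumed layout: a "[key]" header line, then "\Shell\<verb>\command - <target>" lines
# (ComboFix prints the verb and "command" in mixed case, hence IGNORECASE).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)", re.MULTILINE)


def parse_mountpoints(text):
    """Map each MountPoints2 volume GUID to its {verb: command} shell entries."""
    volumes = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            name = key.group("key")
            if "mountpoints2" in name.lower():
                current = name.rsplit("\\", 1)[-1]  # the trailing {GUID}
                volumes[current] = {}
            else:
                current = None  # some other hive section; ignore its values
            continue
        if current is None:
            continue
        verb = VERB_RE.match(line)
        if verb:
            volumes[current][verb.group("verb").lower()] = verb.group("cmd")
    return volumes


def launched_target(cmd):
    """The file a shell verb ultimately starts.  'RunDLL32 Shell32.DLL,ShellExec_RunDLL X'
    is an indirection that simply launches X, so report X rather than RunDLL32."""
    parts = cmd.split()
    if len(parts) >= 3 and parts[1].lower() == "shell32.dll,shellexec_rundll":
        return parts[-1]
    return parts[0]


def autorun_findings(volumes):
    """Per volume, the distinct targets its AutoRun/open/explore verbs would launch.
    A clean volume normally has no shell verbs recorded here, so every hit deserves a look."""
    return [(guid, sorted({launched_target(c) for c in verbs.values()}))
            for guid, verbs in volumes.items() if verbs]


def loopback_proxy(text):
    """Return the IE ProxyServer value if it points at the local machine, else None.
    An unexplained 127.0.0.1 proxy routes every browser request through a local process,
    which is one of the first things to check when only security sites fail to load."""
    m = PROXY_RE.search(text)
    if not m:
        return None
    host = m.group("proxy").split(":")[0].lower()
    return m.group("proxy") if host in ("127.0.0.1", "localhost") else None


if __name__ == "__main__":
    for guid, targets in autorun_findings(parse_mountpoints(SAMPLE_LOG)):
        print(guid, "->", ", ".join(targets))
    print("local proxy:", loopback_proxy(SAMPLE_LOG))
```

Run against the full log posted above, the same parser would list all eight MountPoints2 volumes, each of which launches a bare executable name or a drive-letter path; those are the entries a helper compares against the removable drives the user actually owns before writing the next CFScript.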



#15
March 8, 2009 at 09:51:20
You have a stubborn infection.

Download Dr.Web CureIt to the desktop from the following link.

Drweb-Cureit

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Run Dr.Web CureIt as follows:


1. Double-click the drweb-cureit.exe file.
2. Allow it to run the express scan.
3. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
4. Once the short scan has finished, mark the drives that you want to scan.
5. Select all drives. A red dot shows which drives have been chosen.
6. Click the green arrow at the right, and the scan will start.
7. Click 'Yes to all' if it asks if you want to cure/move the file.
8. When the scan has finished, look whether you can click the next icon next to the files found:
9. If so, click it, then click the next icon right below and select Move incurable.
10. This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
11. After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list. Save the report to your desktop. The report will be called DrWeb.csv.
12. Close Dr.Web CureIt.
13. Reboot your computer!! Files in use may only be moved/deleted during the reboot.
14. After the reboot, post the contents of the Dr.Web log you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.



#16
March 11, 2009 at 22:46:39
Dr. Web CureIt Log

Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0018256.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP10;Probably BATCH.Virus;Incurable.Moved.;
A0018274.EXE;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP10;Program.PsExec.170;Incurable.Moved.;
A0021206.msi/stream001\File25;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12\A0021206.msi/stream001;Probably BACKDOOR.Trojan;;
stream001;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12;Archive contains infected objects;;
A0021206.msi;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12;Archive contains infected objects;Moved.;
A0021210.exe/dldsetup.msi/stream001\File25;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12\A0021210.exe/dldsetup.msi/stream001;Probably BACKDOOR.Trojan;;
stream001;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12;Archive contains infected objects;;
dldsetup.msi;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12;Archive contains infected objects;;
A0021210.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP12;Archive contains infected objects;Moved.;
A0021223.rbf;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0023254.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13;Tool.Prockill;Incurable.Moved.;
A0023404.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13\A0023404.exe;Tool.Prockill;;
A0023404.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13;Archive contains infected objects;Moved.;
A0023491.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP14;Probably BATCH.Virus;Incurable.Moved.;
A0023580.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP15;Probably BATCH.Virus;Incurable.Moved.;
A0023660.EXE;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP15;Program.PsExec.170;Incurable.Moved.;
A0000026.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP2;Probably BATCH.Virus;Incurable.Moved.;
A0001026.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP2;Probably BATCH.Virus;Incurable.Moved.;
A0004102.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP3;Probably BATCH.Virus;Incurable.Moved.;
A0004169.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP3;Probably BATCH.Virus;Incurable.Moved.;
A0011974.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP5;Probably BATCH.Virus;Incurable.Moved.;
A0012044.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Probably BATCH.Virus;Incurable.Moved.;
A0012112.dll;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Win32.HLLW.Autoruner.5555;Deleted.;
A0012113.dll;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Probably Trojan.Packed.191;Incurable.Moved.;
A0012128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6\A0012128.exe/data002;Probably BATCH.Virus;;
A0012128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6\A0012128.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Archive contains infected objects;;
A0012128.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Container contains infected objects;Moved.;
A0012130.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6\A0012130.exe/data002;Probably BATCH.Virus;;
A0012130.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6\A0012130.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Archive contains infected objects;;
A0012130.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Container contains infected objects;Moved.;
A0014849.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP7;Probably BATCH.Virus;Incurable.Moved.;
SQL Backup 5.msi/stream006/sqbserversetup.exe\data003;C:\WINDOWS\Downloaded Installations\{B0A5E724-4AB2-E8D2-6F14-1DDD67D7DAE3}\SQL Backup 5.msi/stream006/sqbserversetup.exe;Probably WIN.MAIL.WORM.Virus;;
sqbserversetup.exe;C:\WINDOWS\Downloaded Installations\{B0A5E724-4AB2-E8D2-6F14-1DDD67D7DAE3};Archive contains infected objects;;
stream006;C:\WINDOWS\Downloaded Installations\{B0A5E724-4AB2-E8D2-6F14-1DDD67D7DAE3};Archive contains infected objects;;
SQL Backup 5.msi;C:\WINDOWS\Downloaded Installations\{B0A5E724-4AB2-E8D2-6F14-1DDD67D7DAE3};Archive contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;D:\Setups\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\Setups\ComboFix.exe/data002;Program.PsExec.171;;
data002;D:\Setups;Archive contains infected objects;;
ComboFix.exe;D:\Setups;Container contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;D:\Setups\SDFix.exe;Tool.Prockill;;
SDFix.exe;D:\Setups;Archive contains infected objects;Moved.;
daemon4122-lite.exe/data007\data001;D:\Setups\Virtualization\daemon4122-lite.exe/data007;Adware.Shopper;;
daemon4122-lite.exe/data007\data002;D:\Setups\Virtualization\daemon4122-lite.exe/data007;Adware.SaveNow.128;;
data007;D:\Setups\Virtualization;Container contains infected objects;;
daemon4122-lite.exe;D:\Setups\Virtualization;Archive contains infected objects;Moved.;
A0023403.exe\SDFix\apps\Process.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13\A0023403.exe;Tool.Prockill;;
A0023403.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP13;Archive contains infected objects;Moved.;
A0023483.exe/data002\32788R22FWJFW\c.bat;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP14\A0023483.exe/data002;Probably BATCH.Virus;;
A0023483.exe/data002\32788R22FWJFW\psexec.cfexe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP14\A0023483.exe/data002;Program.PsExec.171;;
data002;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP14;Archive contains infected objects;;
A0023483.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP14;Container contains infected objects;Moved.;
A0026752.exe/data002\32788R22FWJFW\c.bat;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18\A0026752.exe/data002;Probably BATCH.Virus;;
A0026752.exe/data002\32788R22FWJFW\psexec.cfexe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18\A0026752.exe/data002;Program.PsExec.171;;
data002;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18;Archive contains infected objects;;
A0026752.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18;Container contains infected objects;Moved.;
A0026753.exe\SDFix\apps\Process.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18\A0026753.exe;Tool.Prockill;;
A0026753.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18;Archive contains infected objects;Moved.;
A0026754.exe/data007\data001;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18\A0026754.exe/data007;Adware.Shopper;;
A0026754.exe/data007\data002;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18\A0026754.exe/data007;Adware.SaveNow.128;;
data007;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18;Container contains infected objects;;
A0026754.exe;D:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP18;Archive contains infected objects;Moved.;
OReilly - Web Security Privacy & Commerce, 2nd Ed.chm\websec2_snode74.html;F:\Books\OReilly - Web Security Privacy & Commerce, 2nd Ed.chm;Modification of VBS.Generic.405;;
OReilly - Web Security Privacy & Commerce, 2nd Ed.chm;F:\Books;Container contains infected objects;Moved.;
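The DrWeb.csv report requested in #15 has, as the log above shows, one semicolon-separated record per object (name;path;verdict;action;), with the members of an archive listed before their container and only the container carrying the Moved./Deleted. action. As an added example, which is the editor's code and not Dr.Web's or anything posted in this thread, the Python below parses a constructed excerpt in that format and does the triage a helper does before deciding what is left to clean: it separates detections inside System Restore snapshots from files on the live file system, and picks out riskware verdicts from malware proper. The CSV layout is inferred from the log above, and treating Dr.Web's "Tool." and "Program." families as riskware rather than malware is our assumption, not a documented Dr.Web specification.

```python
import csv
import io
from collections import Counter

# Constructed excerpt in the shape of Dr.Web CureIt's DrWeb.csv (name;path;verdict;action;).
# Values mirror entries from the log posted above; this is not the full report.
SAMPLE_DRWEB = r"""Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0012112.dll;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Win32.HLLW.Autoruner.5555;Deleted.;
A0012128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6\A0012128.exe/data002;Probably BATCH.Virus;;
A0012128.exe;C:\System Volume Information\_restore{2F4E24AE-9D95-41BB-BD3E-9DD0F3D714B5}\RP6;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\Setups\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;D:\Setups;Container contains infected objects;Moved.;
"""

# Assumption: Dr.Web's "Tool." and "Program." prefixes name riskware families, not malware proper.
RISKWARE_PREFIXES = ("Tool.", "Program.")
# Path fragment that marks a System Restore snapshot (a stale copy, not running code).
RESTORE_MARK = r"\System Volume Information\_restore{"


def parse_drweb(text):
    """Parse DrWeb.csv records into dicts.  Members of an archive carry an empty action;
    the action (Moved./Deleted.) is recorded on the container that was actually handled."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if len(rec) < 4:
            continue  # blank line or truncated record
        name, path, verdict, action = (f.strip() for f in rec[:4])
        rows.append({"name": name, "path": path, "verdict": verdict,
                     "action": action.rstrip("."), "handled": action != ""})
    return rows


def restore_point_hits(rows):
    """How many detections sit inside System Restore snapshots."""
    return sum(1 for r in rows if RESTORE_MARK in r["path"])


def riskware_names(rows):
    """Objects flagged under riskware families.  In the posted log these are components
    bundled with the removal tools themselves (psexec inside ComboFix, Process.exe inside SDFix)."""
    return sorted({r["name"] for r in rows if r["verdict"].startswith(RISKWARE_PREFIXES)})


def verdict_counts(rows):
    """How many handled (moved/deleted) objects each verdict accounts for."""
    return Counter(r["verdict"] for r in rows if r["handled"])


if __name__ == "__main__":
    rows = parse_drweb(SAMPLE_DRWEB)
    print("records:", len(rows), "| in restore points:", restore_point_hits(rows))
    print("riskware:", riskware_names(rows))
    for verdict, n in verdict_counts(rows).most_common():
        print(f"{n:3d}  {verdict}")
```

Most records in the posted report live under \System Volume Information\_restore{GUID}\RPnn, that is, inside old restore points; those copies cannot run unless a restore is performed, which is why helpers usually have restore points purged once the machine is confirmed clean. The entries that matter for the live system are the few outside those paths, and the parser above makes that split mechanical.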


