Hi again, just to let you know... when I ran it the first time, after ComboFix was done it tried to restart my computer and it got stuck. After a long while I restarted my computer. Then I created a new CFScript.txt file, dropped it into combofix.exe and ran it again. I just thought that something went wrong the first time. Hope I didn't do anything wrong.
The log file from the second run is below:
Thanks.
----------------------------------------------------------
ComboFix 08-01-23.2 - Mirek 2008-01-23 23:29:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\Mirek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mirek\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\ipylsmxo.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\alrcvnxj.dll
C:\WINDOWS\system32\bnwvmsal.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\grumwxhj.dll
C:\WINDOWS\system32\gwovqhoq.dll
C:\WINDOWS\system32\hmqhxmxu.ini
C:\WINDOWS\system32\ipylsmxo.ini
C:\WINDOWS\system32\jhxwmurg.ini
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jxnvcrla.ini
C:\WINDOWS\system32\lasmvwnb.ini
C:\WINDOWS\system32\qohqvowg.ini
C:\WINDOWS\system32\rqrrsst.dll
C:\WINDOWS\system32\uxmxhqmh.dll
C:\WINDOWS\system32\winrzc32.dll
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini2
.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-23 21:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 21:17 . 2006-01-25 00:23 211 -rahs---- C:\BOOT.BAK
2008-01-23 21:16 . 2004-08-04 07:00 260,272 -r-hs---- C:\cmldr
2008-01-19 13:03 . 2008-01-19 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 20:01 . 2008-01-18 20:01 <DIR> d-------- C:\Deckard
2008-01-18 18:59 . 2008-01-18 18:59 <DIR> d-------- C:\ie-spyad_zo
2008-01-18 18:36 . 2008-01-18 18:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-18 04:03 . 2008-01-23 23:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 04:03 . 2008-01-21 04:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 22:58 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-17 22:57 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\scnkyxjhkvuf.sys
2008-01-17 22:33 . 2008-01-18 00:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 22:33 . 2008-01-17 22:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-17 22:33 . 2008-01-17 22:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-17 22:33 . 2008-01-17 22:33 1,406 --a------ C:\WINDOWS\system32\Help.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 03:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 03:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-24 03:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-24 03:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-24 03:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-24 03:52 --------- d-----w C:\Program Files\Symantec
2008-01-24 02:23 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-21 09:02 --------- d-----w C:\Program Files\iTunes
2008-01-18 04:52 --------- d-----w C:\Program Files\PrintKey2000
2008-01-18 02:59 --------- d-----w C:\Program Files\QuickTime
2008-01-18 02:58 --------- d-----w C:\Program Files\BitComet
2008-01-11 02:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 01:58 --------- d-----w C:\Program Files\TVAnts
2008-01-11 01:54 --------- d-----w C:\Program Files\Google
2008-01-11 01:53 --------- d-----w C:\Program Files\Gadu-Gadu
2008-01-11 01:53 --------- d-----w C:\Program Files\DivX
2008-01-11 01:51 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-11 01:51 --------- d-----w C:\Program Files\Winamp
2008-01-11 01:51 --------- d-----w C:\Program Files\Rogers
2008-01-11 01:51 --------- d-----w C:\Program Files\ICOO Loader
2008-01-11 01:51 --------- d-----w C:\Program Files\eMule
2008-01-11 01:51 --------- d-----w C:\Program Files\Azureus
2008-01-11 01:50 --------- d-----w C:\Program Files\Dell
2008-01-11 01:50 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-23 23:15 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-23 16:31 --------- d-----w C:\Program Files\Sierra
2007-12-23 04:07 --------- d-----w C:\Program Files\SmartDVDCreator
2007-12-23 01:45 --------- d-----w C:\Program Files\Xilisoft
2007-12-22 00:19 --------- d-----w C:\Program Files\Microsoft Games
2007-12-07 01:59 --------- d-----w C:\Program Files\Java
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-28 21:55 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 21:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 21:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-11-28 21:53 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 21:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-11-28 21:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-11-28 21:52 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-28 02:20 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\SET412.tmp
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 10:04 350,720 ----a-w C:\WINDOWS\system32\SET806.tmp
2007-10-29 10:04 350,720 ----a-w C:\WINDOWS\system32\SET785.tmp
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\SET49C.tmp
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\SET805.tmp
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\SET784.tmp
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-26 03:34 8,460,288 ------w C:\WINDOWS\system32\dllcache\SET807.tmp
2007-10-26 03:34 8,460,288 ------w C:\WINDOWS\system32\dllcache\SET786.tmp
2006-11-14 01:35 2,570,761 -c--a-w C:\Program Files\PPStream_1.0.4.538_English.zip
2006-04-10 18:24 26,922 -c--a-w C:\Program Files\moviepass Terms.html
2006-11-19 21:38 104 --sh--r C:\WINDOWS\system32\E9ECC6876F.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-23_22.03.44.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 02:42:24 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 04:29:16 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 02:42:24 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 04:29:16 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 02:42:24 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 04:29:16 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 02:42:24 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 04:29:17 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 02:42:25 10,129,408 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 04:29:19 10,129,408 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 02:42:25 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 04:29:19 176,128 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-02-12 22:22:16 12,944 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
+ 2007-10-01 19:48:56 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
- 2007-02-12 22:22:20 110,736 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
+ 2007-10-01 19:49:04 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
- 2007-02-12 22:22:30 31,888 ----a-w C:\WINDOWS\system32\drivers\symids.sys
+ 2007-10-01 19:49:16 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
- 2007-02-12 22:22:26 28,304 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
+ 2007-10-01 19:49:10 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
- 2007-02-12 22:22:36 24,720 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
+ 2007-10-01 19:49:20 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
- 2007-02-12 22:22:40 196,752 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
+ 2007-10-01 19:49:26 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
- 2007-02-12 22:22:48 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
+ 2007-10-01 19:49:38 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
- 2007-02-12 22:22:46 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
+ 2007-10-01 19:49:36 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [ ]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [ ]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [ ]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe" [2006-02-02 17:54 54976]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-12 21:43:43 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2006-02-05 12:23:06 869376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 19:49 24672 C:\WINDOWS\system32\ckpNotify.dll
R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 19:49]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 19:49]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 19:49]
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
S3 Lpai2ocf;Lpai2ocf;C:\WINDOWS\system32\drivers\intelppm.sys [2004-08-04 06:00]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 19:49]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3152274c-4de2-11dc-a100-001320be943e}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 16:05:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-22 00:33:16 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Mirek.job"
- C:\PROGRA~1\Yahoo!\NAV\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-23 23:34:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
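One thing worth pulling out of the "Other Deletions" list above: most of the randomly named files come in mirrored pairs, a DLL whose base name is the exact reverse of an accompanying .ini (alrcvnxj.dll / jxnvcrla.ini, ddayy.dll / yyadd.ini and yyadd.ini2, and so on), a naming trick commonly associated with the Vundo/Virtumonde family of that period. The script below is an added example, not part of the poster's log or of ComboFix: it takes the deleted-file lines copied from the log above, groups them by base name, and reports the reversed-name pairs plus any leftovers (such as ipylsmxo.ini, whose mirror-named partner is no longer listed). The section excerpt and function names are this example's own.

```python
"""Find reversed-name file pairs in a ComboFix 'Other Deletions' listing.

Added example: the input below is the deleted-file list copied from the
log above, nothing else here comes from ComboFix itself.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The 'Other Deletions' section of the log above (paths only, plus the
# filler lines ComboFix prints between entries).
OTHER_DELETIONS = r"""
---- Previous Run -------
.
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\alrcvnxj.dll
C:\WINDOWS\system32\bnwvmsal.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\grumwxhj.dll
C:\WINDOWS\system32\gwovqhoq.dll
C:\WINDOWS\system32\hmqhxmxu.ini
C:\WINDOWS\system32\ipylsmxo.ini
C:\WINDOWS\system32\jhxwmurg.ini
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jxnvcrla.ini
C:\WINDOWS\system32\lasmvwnb.ini
C:\WINDOWS\system32\qohqvowg.ini
C:\WINDOWS\system32\rqrrsst.dll
C:\WINDOWS\system32\uxmxhqmh.dll
C:\WINDOWS\system32\winrzc32.dll
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini2
.
"""

# A ComboFix file entry is a bare Windows path, one per line.
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


def extract_paths(section_text: str) -> List[str]:
    """Return the Windows paths listed one per line in a ComboFix section."""
    return [ln.strip() for ln in section_text.splitlines() if PATH_RE.match(ln.strip())]


def basename(path: str) -> str:
    """File name part of a backslash-separated Windows path."""
    return path.rsplit("\\", 1)[-1]


def stem(path: str) -> str:
    """Lower-cased file name with everything from the first dot dropped,
    so yyadd.ini and yyadd.ini2 share the stem 'yyadd'."""
    return basename(path).lower().split(".", 1)[0]


def group_by_stem(paths: List[str]) -> Dict[str, List[str]]:
    """Map each stem to the sorted list of file names that carry it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        groups[stem(p)].append(basename(p))
    return {s: sorted(names) for s, names in groups.items()}


def reversed_name_pairs(paths: List[str]) -> List[Tuple[List[str], List[str]]]:
    """Pairs of file groups whose stems are mirror images of each other.

    Each pair is reported once, ordered by the lexically smaller stem;
    palindromic stems (equal to their own reverse) are never paired.
    """
    groups = group_by_stem(paths)
    pairs = []
    for s in sorted(groups):
        mirror = s[::-1]
        if s < mirror and mirror in groups:
            pairs.append((groups[s], groups[mirror]))
    return pairs


def unpaired(paths: List[str]) -> List[str]:
    """File names whose stem has no mirror-image partner in the listing."""
    groups = group_by_stem(paths)
    leftovers = []
    for s, names in groups.items():
        if s[::-1] not in groups or s[::-1] == s:
            leftovers.extend(names)
    return sorted(leftovers)


if __name__ == "__main__":
    files = extract_paths(OTHER_DELETIONS)
    for left, right in reversed_name_pairs(files):
        print(" + ".join(left), "<->", " + ".join(right))
    print("unpaired:", ", ".join(unpaired(files)))
```

Run against the excerpt this reports six mirrored pairs and six leftovers; the leftovers are where an analyst would look next, since a lone .ini like ipylsmxo.ini (the file the CFScript above targeted) usually means its mirror-named DLL was already removed or is hidden elsewhere.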