Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
Reload this Page Virus, Please Help!
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Virus/Trojan/Spyware Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 04-18-2009, 10:45 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Virus, Please Help!
Thanks in advance! Log files attached.


DDS (Ver_09-03-16.01) - NTFSx86
Run by 0 at 12:32:24.37 on Sat 04/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.igoogle.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-FPLBG.exe" /REG
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\0\applic~1\mozilla\firefox\profiles\2lgxtq6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - plugin: c:\documents and settings\0\application data\mozilla\firefox\profiles\2lgxtq6e.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\0\application data\mozilla\firefox\profiles\2lgxtq6e.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
FF - plugin: c:\documents and settings\0\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\0\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\documents and settings\0\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_900\npoctoshape.dll
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-17 16:54 687,104 a------- c:\windows\is-FPLBG.exe
2009-04-17 16:54 10,498 a------- c:\windows\is-FPLBG.msg
2009-04-17 16:54 370 a------- c:\windows\is-FPLBG.lst
2009-04-17 16:08 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-17 16:08 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-17 16:08 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-17 16:07 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-17 16:07 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-17 16:07 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-17 16:07 <DIR> --d----- c:\docume~1\0\applic~1\PC Tools
2009-04-15 21:24 72,592 a------- c:\windows\zllsputility.exe
2009-04-15 21:23 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-04-15 21:23 <DIR> --d----- c:\program files\Zone Labs
2009-04-15 21:23 349,222 a------- c:\windows\system32\vsconfig.xml
2009-04-15 20:19 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-15 11:05 <DIR> --d----- C:\d0dfdc18738fc58073
2009-04-14 19:22 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 19:22 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 19:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:21 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 19:21 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:21 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 19:21 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 19:21 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:21 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:21 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:21 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 19:21 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-01 21:59 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-30 09:54 <DIR> --d----- c:\program files\NaturalSoft
2009-03-30 09:53 <DIR> --d----- c:\windows\Downloaded Installations
2009-03-22 12:57 <DIR> --d----- C:\b7a6167273382851e0534efaccd0829b

==================== Find3M ====================

2009-04-17 16:44 2,161,184 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-17 16:44 17,964 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-15 21:24 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-15 20:56 294,944 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-15 20:56 2,088 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 14:19 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-03-03 14:19 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-03-03 14:19 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-03-03 14:19 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 16:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-12-04 02:03 14,618,605 a------- c:\docume~1\alluse~1\applic~1\vlc-0.9.6-win32.exe
2008-10-23 00:24 80 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 12:33:01.26 ===============
Attached Files
File Type: zip Attach.zip (3.3 KB, 8 views)
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 04-18-2009, 10:26 PM   #2 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Let's do some repairs, then check after.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

One exception to those steps is to make sure you rename ComboFix.exe as you download it (don't download and then rename after). Right click the download link and select Save Target/File As, then as you save the file rename it to combi.com

Then click that to start ComboFix.[/quote]
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-20-2009, 10:20 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
Thanks, Jintan. I've attached the Combofix log here. Since the virus has blocked my internet connection, I could not install system restore. I am doing everything using my friend's computer and transferring files back + forth via flash drive.


ComboFix 09-04-19.01 - 0 04/20/2009 12:03.2 - NTFSx86
Running from: E:\combi.com

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-17 20:08 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-17 20:08 . 2009-03-06 20:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-17 20:08 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-17 20:07 . 2009-04-17 20:08 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-17 20:07 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-17 20:07 . 2009-04-17 20:08 -------- d-----w c:\program files\Spyware Doctor
2009-04-17 20:07 . 2009-04-17 20:07 -------- d-----w c:\documents and settings\0\Application Data\PC Tools
2009-04-16 01:24 . 2008-08-22 00:41 72592 ----a-w c:\windows\zllsputility.exe
2009-04-16 01:23 . 2009-04-16 01:23 -------- d-----w c:\program files\Zone Labs
2009-04-16 01:23 . 2008-08-22 00:41 1221008 ----a-w c:\windows\system32\zpeng25.dll
2009-04-16 01:23 . 2009-04-16 01:24 349222 ----a-w c:\windows\system32\vsconfig.xml
2009-04-16 00:19 . 2009-04-16 00:19 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-15 15:05 . 2009-04-15 15:08 -------- d-----w C:\d0dfdc18738fc58073
2009-04-14 23:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:22 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 23:22 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 23:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-02 01:59 . 2009-04-02 01:59 -------- d-----w c:\program files\MSXML 4.0
2009-03-30 13:54 . 2009-03-30 13:54 -------- d-----w c:\program files\NaturalSoft
2009-03-30 13:53 . 2009-03-30 13:53 -------- d-----w c:\windows\Downloaded Installations
2009-03-22 16:57 . 2009-03-22 17:00 -------- d-----w C:\b7a6167273382851e0534efaccd0829b

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 16:06 . 2009-02-04 02:34 5623840 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-20 16:01 . 2009-02-01 02:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-20 15:58 . 2009-02-04 02:34 52172 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-20 15:47 . 2009-02-02 07:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 20:07 . 2009-02-01 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 14:28 . 2008-08-05 20:56 -------- d-----w c:\documents and settings\0\Application Data\Apple Computer
2009-04-16 01:24 . 2009-02-01 03:48 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-16 00:56 . 2009-02-04 02:34 294944 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 00:56 . 2009-02-04 02:34 2088 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-16 00:27 . 2009-02-03 05:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-16 00:20 . 2008-08-06 05:05 -------- d-----w c:\documents and settings\0\Application Data\FrostWire
2009-04-15 15:14 . 2009-01-29 04:16 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-15 15:04 . 2008-08-14 07:51 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-09 00:17 . 2008-10-18 19:29 -------- d-----w c:\program files\NoAdware5.0
2009-04-06 19:32 . 2009-02-02 07:00 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-02 07:01 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 05:44 . 2008-08-14 07:48 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 04:12 . 2008-10-23 03:34 -------- d-----w c:\documents and settings\0\Application Data\Skype
2009-03-24 04:09 . 2008-10-23 03:38 -------- d-----w c:\documents and settings\0\Application Data\skypePM
2009-03-21 23:08 . 2008-11-01 20:14 -------- d-----w c:\program files\GmoteServer
2009-03-21 20:11 . 2008-08-09 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-20 20:13 . 2008-12-06 20:26 -------- d-----w c:\program files\Winamp
2009-03-19 02:13 . 2009-02-06 21:52 -------- d-----w c:\program files\Steam
2009-03-11 15:27 . 2008-08-14 04:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 15:27 . 2009-02-01 02:30 -------- d-----w c:\program files\ThreatFire
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 18:19 . 2009-02-01 02:30 39184 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 33040 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 12560 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 51472 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-02-28 10:33 . 2009-02-28 10:33 -------- d-----w c:\program files\Common Files\NSV
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 20:51 . 2009-02-06 20:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-10-28 01:47 . 2008-08-04 03:26 95048 ----a-w c:\documents and settings\0\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-06-16 00:2008-10-23 04:24 33:58 . c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 22:2008-10-23 04:24 43:32 . c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 18:2008-10-23 04:24 41:38 . c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 17:2008-10-23 04:24 10:42 . c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 16:2008-10-23 04:23 19:12 . c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 22:2008-10-23 04:24 35:38 . c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 15:2008-10-23 04:23 10:06 . c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 15:2008-10-23 04:23 42:52 . c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 15:2008-10-23 04:23 22:00 . c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 15:2008-10-23 04:23 21:44 . c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2008-10-23 04:24 . 2008-10-23 04:24 80 --sh--r c:\windows\CT4CET.bin
.

------- Sigcheck -------

[-] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$NtUninstallKB953838$\wininet.dll
[-] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\ie7\wininet.dll
[-] 2007-08-13 22:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2004-08-04 12:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2004-08-04 12:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2004-08-04 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll

[-] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-02-06 20:51 34816 ----a-w c:\program files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-02-06 20:54 73728 ----a-w c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-15 7573504]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"= "c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-12-20 233472]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-19 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^0^Start Menu^Programs^Startup^Gmote Server.lnk]
path=c:\documents and settings\0\Start Menu\Programs\Startup\Gmote Server.lnk
backup=c:\windows\pss\Gmote Server.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^0^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\0\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\0\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\0\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\NoAdware5.0\\NoAdware5.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lalakers\\counter-strike\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 b4e6e280;b4e6e280;c:\windows\System32\drivers\b4e6e280.sys [2009-02-01 0]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-07-09 26488]
R2 SSPORT;SSPORT; [x]
R2 threatfire;threatfire; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 tfnetmon;tfnetmon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-03 33040]
R3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\DRIVERS\V0410Afx.sys [2007-06-11 142656]
R3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\DRIVERS\V0410Aud.sys [2007-02-14 94720]
R3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\DRIVERS\V0410Dev.sys [2007-07-04 244672]
R3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\DRIVERS\V0410Vfx.sys [2006-12-05 7168]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-08 33808]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S0 tffsmon;tffsmon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-03 51472]
S0 tfsysmon;tfsysmon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-03 39184]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2007-01-15 31616]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - giveio
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - klbg
*Deregistered* - KLIF
*Deregistered* - klim5
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LightScribeService
*Deregistered* - LmHosts
*Deregistered* - mchInjDrv
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - PCTCore
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RLDesignVirtualAudioCableWdm
*Deregistered* - sdAuxService
*Deregistered* - sdCoreService
*Deregistered* - seclogon
*Deregistered* - speedfan
*Deregistered* - sr
*Deregistered* - srescan
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - tffsmon
*Deregistered* - tfsysmon
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsdatant
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wuauserv
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-09 04:07]

2009-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-412668190-725345543-1003.job
- c:\documents and settings\0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-20 03:17 . 2008-11-20 03:17]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.igoogle.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: **{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: **{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MICROS~3\Office12\REFIEBAR.DLL
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
FF - ProfilePath - c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\0\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\documents and settings\0\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_900\npoctoshape.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 12:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(432)
c:\program files\Spyware Doctor\pctgmhk.dll
.
Completion time: 2009-04-20 12:09
ComboFix-quarantined-files.txt 2009-04-20 16:09
ComboFix2.txt 2009-04-20 15:53

Pre-Run: 66,861,015,040 bytes free
Post-Run: 66,841,956,352 bytes free

426 --- E O F --- 2009-04-15 15:06
Attached Files
File Type: txt ComboFix.txt (32.4 KB, 5 views)
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-20-2009, 03:45 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Big caution about using a usb/flash/thumb drive to transfer files. These later malware tend to include autorun worm infections that are capable of being transferred from the infected pc through a flash drive to other pc's. Either email back and forth as attachments, or burn to CD's for now to avoid spreading infection. One likely malware driver showing right now, and the earlier Gmer log showed one as well, though I am unsure why ComboFx did not pick it up.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Driver::
b4e6e280
TDSSserv.sys

File::
c:\windows\System32\drivers\b4e6e280.sys
c:\windows\System32\drivers\TDSSmhlt.sys
Save this to your desktop as CFScript.txt

You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

----------

Then assuming those removals allowed net access, and transfer and run the following if you do not have it,


Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------------

Run a new DDS scan and post that main log along with the C:\ComboFix.txt log and the Malwarebytes log please.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-20-2009, 08:18 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
Thanks again for getting back to me. Unfortunately I have one problem preventing me from following your steps- the virus has disabled dragging icons. I'm unable to move any files anywhere, not only desktop. Do you know of another way to do it? Or possibly a way to enable dragging?
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-20-2009, 09:51 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
The ComboFix log actually shows that renamed ComboFix (combi.com) on the E drive. We can try the following but I am not sure it will fly this first round - might have to do some changes and moves to get it right. Make sure the cfscript.txt is directly on the desktop though.

Go to Start - Run, type the following and then press OK:

"E:\combi.com" "%userprofile%\Desktop\cfscript.txt"

If that works ComboFix should open like it did the first time (or first few times - looks like it was run more than once so far). Then follow the steps previously posted please.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-21-2009, 05:50 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
I ran combofix again using those instructions and my computer doesnt seem any different... My network connections are still all non-existent, my taskbar is still hidden and locked, windows firewall is inaccessible, etc. I have attached the new log, hopefully it has some new info to show you.
Attached Files
File Type: txt log2.txt (33.1 KB, 2 views)
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-21-2009, 07:12 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
That CFScript removal step didn't take - the log only shows a new normal run of ComboFix. Make sure to have all security software disabled when doing these steps. That last ComboFix log showed Spyware Doctor running a process while the scan was completing. Right click that taskbar icon and Exit Spyware Doctor - might want to just leave it that way for now.


Download The Avenger by Swandog from here.

Then unzip that, so it will create an avenger folder and an avenger.exe file.

Rename the avenger.exe file avvy.com then click that to run Avenger.


Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


Code:
Begin copying here:
Drivers to delete:
b4e6e280
TDSSserv.sys
Files to delete:
c:\windows\System32\drivers\b4e6e280.sys
c:\windows\System32\drivers\TDSSmhlt.sys
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

----------

Then see if you can follow the previous steps for the Malwarebytes install and scan, and post that log here along with the C:\avenger.txt log and a new DDS log please.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-22-2009, 09:28 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
First, I got rid of spyware doctor and ran Combofix again, it seemed to do something differently because it rebooted after scanning. Here are the results:

ComboFix 09-04-19.01 - 0 04/22/2009 18:51.5 - NTFSx86
Running from: E:\combi.com
Command switches used :: c:\documents and settings\0\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\System32\drivers\b4e6e280.sys
c:\windows\System32\drivers\TDSSmhlt.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\b4e6e280.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_b4e6e280


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-16 01:24 . 2008-08-22 00:41 72592 ----a-w c:\windows\zllsputility.exe
2009-04-16 01:23 . 2009-04-16 01:23 -------- d-----w c:\program files\Zone Labs
2009-04-16 01:23 . 2008-08-22 00:41 1221008 ----a-w c:\windows\system32\zpeng25.dll
2009-04-16 01:23 . 2009-04-16 01:24 349222 ----a-w c:\windows\system32\vsconfig.xml
2009-04-16 00:19 . 2009-04-16 00:19 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-15 15:05 . 2009-04-15 15:08 -------- d-----w C:\d0dfdc18738fc58073
2009-04-14 23:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:22 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 23:22 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 23:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-02 01:59 . 2009-04-02 01:59 -------- d-----w c:\program files\MSXML 4.0
2009-03-30 13:54 . 2009-03-30 13:54 -------- d-----w c:\program files\NaturalSoft
2009-03-30 13:53 . 2009-03-30 13:53 -------- d-----w c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 22:57 . 2009-02-04 02:34 10614816 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-22 22:53 . 2009-02-04 02:34 124628 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-22 22:27 . 2009-02-01 02:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-20 15:47 . 2009-02-02 07:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 20:07 . 2009-02-01 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 14:28 . 2008-08-05 20:56 -------- d-----w c:\documents and settings\0\Application Data\Apple Computer
2009-04-16 01:24 . 2009-02-01 03:48 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-16 00:56 . 2009-02-04 02:34 294944 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 00:56 . 2009-02-04 02:34 2088 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-16 00:27 . 2009-02-03 05:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-16 00:20 . 2008-08-06 05:05 -------- d-----w c:\documents and settings\0\Application Data\FrostWire
2009-04-15 15:14 . 2009-01-29 04:16 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-15 15:04 . 2008-08-14 07:51 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-09 00:17 . 2008-10-18 19:29 -------- d-----w c:\program files\NoAdware5.0
2009-04-06 19:32 . 2009-02-02 07:00 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-02 07:01 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 05:44 . 2008-08-14 07:48 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 04:12 . 2008-10-23 03:34 -------- d-----w c:\documents and settings\0\Application Data\Skype
2009-03-24 04:09 . 2008-10-23 03:38 -------- d-----w c:\documents and settings\0\Application Data\skypePM
2009-03-21 23:08 . 2008-11-01 20:14 -------- d-----w c:\program files\GmoteServer
2009-03-21 20:11 . 2008-08-09 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-20 20:13 . 2008-12-06 20:26 -------- d-----w c:\program files\Winamp
2009-03-19 02:13 . 2009-02-06 21:52 -------- d-----w c:\program files\Steam
2009-03-11 15:27 . 2008-08-14 04:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 15:27 . 2009-02-01 02:30 -------- d-----w c:\program files\ThreatFire
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 18:19 . 2009-02-01 02:30 39184 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 33040 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 12560 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-03-03 18:19 . 2009-02-01 02:30 51472 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-02-28 10:33 . 2009-02-28 10:33 -------- d-----w c:\program files\Common Files\NSV
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 20:51 . 2009-02-06 20:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-10-28 01:47 . 2008-08-04 03:26 95048 ----a-w c:\documents and settings\0\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-06-16 00:2008-10-23 04:24 33:58 . c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 22:2008-10-23 04:24 43:32 . c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 18:2008-10-23 04:24 41:38 . c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 17:2008-10-23 04:24 10:42 . c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 16:2008-10-23 04:23 19:12 . c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 22:2008-10-23 04:24 35:38 . c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 15:2008-10-23 04:23 10:06 . c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 15:2008-10-23 04:23 42:52 . c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 15:2008-10-23 04:23 22:00 . c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 15:2008-10-23 04:23 21:44 . c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2008-10-23 04:24 . 2008-10-23 04:24 80 --sh--r c:\windows\CT4CET.bin
.

------- Sigcheck -------

[-] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$NtUninstallKB953838$\wininet.dll
[-] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\ie7\wininet.dll
[-] 2007-08-13 22:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\system32\dllcache\wininet.dll

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2004-08-04 12:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2008-04-13 18:31 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2004-08-04 12:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2008-04-13 19:24 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2004-08-04 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\kernel32.dll

[-] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-15 7573504]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^0^Start Menu^Programs^Startup^Gmote Server.lnk]
path=c:\documents and settings\0\Start Menu\Programs\Startup\Gmote Server.lnk
backup=c:\windows\pss\Gmote Server.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^0^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\0\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\0\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Documents and Settings\\0\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\NoAdware5.0\\NoAdware5.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lalakers\\counter-strike\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-07-09 26488]
R2 SSPORT;SSPORT; [x]
R2 threatfire;threatfire; [x]
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 tfnetmon;tfnetmon;c:\windows\system32\drivers\TfNetMon.sys [2009-03-03 33040]
R3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\DRIVERS\V0410Afx.sys [2007-06-11 142656]
R3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\DRIVERS\V0410Aud.sys [2007-02-14 94720]
R3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\DRIVERS\V0410Dev.sys [2007-07-04 244672]
R3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\DRIVERS\V0410Vfx.sys [2006-12-05 7168]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-08 33808]
S0 tffsmon;tffsmon;c:\windows\system32\drivers\TfFsMon.sys [2009-03-03 51472]
S0 tfsysmon;tfsysmon;c:\windows\system32\drivers\TfSysMon.sys [2009-03-03 39184]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2007-01-15 31616]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - giveio
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - klbg
*Deregistered* - KLIF
*Deregistered* - klim5
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LightScribeService
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RLDesignVirtualAudioCableWdm
*Deregistered* - seclogon
*Deregistered* - speedfan
*Deregistered* - sr
*Deregistered* - srescan
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - tffsmon
*Deregistered* - tfsysmon
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsdatant
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wuauserv
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-09 04:07]

2009-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-412668190-725345543-1003.job
- c:\documents and settings\0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-20 03:17 . 2008-11-20 03:17]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.igoogle.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} - hxxp://nba.tom.com/video/tcastV1.cab
FF - ProfilePath - c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\Firefox\Profiles\2lgxtq6e.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll
FF - plugin: c:\documents and settings\0\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\0\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\documents and settings\0\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_900\npoctoshape.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\b4e6e280]
"ImagePath"="\SystemRoot\System32\drivers\b4e6e280.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-04-22 18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 22:59
ComboFix2.txt 2009-04-22 22:41
ComboFix3.txt 2009-04-21 13:43
ComboFix4.txt 2009-04-20 16:09
ComboFix5.txt 2009-04-22 22:51

Pre-Run: 66,872,782,848 bytes free
Post-Run: 66,855,608,320 bytes free

405 --- E O F --- 2009-04-15 15:06


Next, I ran avenger and here are the results:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Apr 22 19:07:15 2009

19:07:15: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\b4e6e280" not found!
Deletion of driver "b4e6e280" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!
Deletion of driver "TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\System32\drivers\b4e6e280.sys" not found!
Deletion of file "c:\windows\System32\drivers\b4e6e280.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\System32\drivers\TDSSmhlt.sys" not found!
Deletion of file "c:\windows\System32\drivers\TDSSmhlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Next, I tried to run malwarebytes and it still does the same thing as before. I dont see any noticeable changes in the functionality of the computer (no internet, etc).
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-22-2009, 09:46 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Avenger would have been johnny-come-lately as far as a kill goes, but does serve to verify those items are now removed. Some other bogey still there though.

Delete any existing copies of Gmer and Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

I will want you to do two different scans with that for now please.

Click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

----------------

Also right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.


We apparently are in different time zones, as it is very late where I am. I will check your results tomorrow first chance I get.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-24-2009, 10:06 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
Results from first scan:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 11:52:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xECC996D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xECCA64C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xECC99C60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xECCA6D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xECCA6AF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xECCA7260]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xECCA72E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xECC99AC0]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF750BCF4]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xECCA79A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xECCA7400]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xECCA77F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xECC99E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xECCA6830]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF750D79E]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Results from second scan:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 12:03:41
Windows 5.1.2600 Service Pack 3


---- Modules - GMER 1.0.15 ----

Module nvata.sys (NVIDIA® nForce(TM) IDE Performance Driver/NVIDIA Corporation) F72D1000-F72EA000 (102400 bytes)
Module klbg.sys (KLBG Mini-Filter/Kaspersky Lab) F74F7000-F7502000 (45056 bytes)
Module TfSysMon.sys (ThreatFire System Monitor/PC Tools) F7507000-F7514000 (53248 bytes)
Module TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) F728E000-F729F000 (69632 bytes)
Module PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) F7517000-F7520000 (36864 bytes)
Module srescan.sys F71A9000-F71BD000 (81920 bytes)
Module speedfan.sys (SpeedFan Device Driver/Windows (R) 2000 DDK provider) F798D000-F798F000 (8192 bytes)
Module giveio.sys F7A51000-F7A52000 (4096 bytes)
Module \SystemRoot\system32\DRIVERS\AmdK8.sys (AMD Processor Driver/Advanced Micro Devices) F7587000-F7595000 (57344 bytes)
Module \SystemRoot\system32\DRIVERS\bcmwl5.sys (Broadcom 802.11 Network Adapter wireless driver/Broadcom Corporation) F67D0000-F6864000 (606208 bytes)
Module \SystemRoot\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.87 /NVIDIA Corporation) F6452000-F67D0000 (3661824 bytes)
Module \SystemRoot\system32\DRIVERS\nvsmu.sys (NVIDIA® nForce(TM) SMU Microcontroller Driver/NVIDIA Corporation) F6EAB000-F6EAE000 (12288 bytes)
Module \SystemRoot\System32\Drivers\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) F6EA7000-F6EAA000 (12288 bytes)
Module \SystemRoot\system32\DRIVERS\rimmptsk.sys (RICOH MMC Driver/REDC) F7777000-F777F000 (32768 bytes)
Module \SystemRoot\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) F75D7000-F75E4000 (53248 bytes)
Module \SystemRoot\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) F6397000-F63E3000 (311296 bytes)
Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) F636F000-F6397000 (163840 bytes)
Module \SystemRoot\system32\DRIVERS\nvnetbus.sys (NVIDIA Networking Bus Driver./NVIDIA Corporation) F6E93000-F6E97000 (16384 bytes)
Module \SystemRoot\system32\DRIVERS\NVNRM.SYS (NVIDIA Network Resource Manager./NVIDIA Corporation) F6324000-F636F000 (307200 bytes)
Module \SystemRoot\system32\DRIVERS\NVSNPU.SYS (NVIDIA Networking Soft-NPU Driver./NVIDIA Corporation) F62ED000-F6324000 (225280 bytes)
Module \SystemRoot\System32\Drivers\TfKbMon.sys (ThreatFire Keyboard Monitor/PC Tools) F777F000-F7787000 (32768 bytes)
Module \SystemRoot\system32\DRIVERS\SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) F62BB000-F62ED000 (204800 bytes)
Module \SystemRoot\system32\DRIVERS\klim5.sys (Kaspersky Lab Intermediate Network Driver/Kaspersky Lab) F7797000-F779F000 (32768 bytes)
Module \SystemRoot\system32\DRIVERS\livecamv.sys F779F000-F77A7000 (32768 bytes)
Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) F77B7000-F77BC000 (20480 bytes)
Module \SystemRoot\system32\DRIVERS\NVENETFD.sys (NVIDIA Networking Function Driver./NVIDIA Corporation) F5EA1000-F5EAA000 (36864 bytes)
Module \SystemRoot\system32\drivers\CHDAud.sys (High Definition Audio Function Driver/Conexant Systems Inc.) EFEB6000-EFF4F000 (626688 bytes)
Module \SystemRoot\system32\DRIVERS\HSFHWAZL.sys (HSF_HWAZL WDM driver/Conexant Systems, Inc.) EFE82000-EFEB6000 (212992 bytes)
Module \SystemRoot\system32\DRIVERS\HSF_DPV.sys (HSF_DP driver/Conexant Systems, Inc.) EFD90000-EFE82000 (991232 bytes)
Module \SystemRoot\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.) EFCDD000-EFD90000 (733184 bytes)
Module \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter/Kaspersky Lab) ECDA7000-ECDCF000 (163840 bytes)
Module \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ECC62000-ECCCD000 (438272 bytes)
Module \SystemRoot\System32\nv4_disp.dll (NVIDIA Compatible Windows 2000 Display driver, Version 84.87 /NVIDIA Corporation) BF9D5000-BFDA0000 (3977216 bytes)
Module \SystemRoot\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface x86 Driver/Conexant) BA530000-BA534000 (16384 bytes)
Module \??\C:\DOCUME~1\0\LOCALS~1\Temp\aujasnkj.sys (GMER) BA45A000-BA46E000 (81920 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 432
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation) 0x10000000
Library C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (zlavscan shell extension/Check Point Software Technologies LTD) 0x62190000
Library C:\Program Files\WinRAR\rarext.dll 0x02C90000
Library C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ShellEx.dll (Windows Shell Extension/Kaspersky Lab) 0x6D910000
Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.) 0x034E0000
Library C:\WINDOWS\system32\nvcpl.dll (NVIDIA Display Properties Extension/NVIDIA Corporation) 0x03630000
Library C:\WINDOWS\system32\nvshell.dll 0x03D80000

Process C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics TouchPad Enhancements/Synaptics, Inc.) 540
Library C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics TouchPad Enhancements/Synaptics, Inc.) 0x00400000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\WINDOWS\system32\SynCOM.dll (SynCOM/Synaptics, Inc.) 0x10000000
Library C:\WINDOWS\system32\SynTPAPI.dll (SynTPAPI/Synaptics, Inc.) 0x63010000

Process C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe (Quick Launch Buttons/ Hewlett-Packard Development Company, L.P.) 548
Library C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe (Quick Launch Buttons/ Hewlett-Packard Development Company, L.P.) 0x00400000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBSERVICE.DLL (QLB Database Handler/Hewlett-Packard Development Company, L.P.) 0x10000000
Library C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\hpqExec.DLL (Action Dll/Hewlett-Packard Company) 0x00A10000

Process C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 644
Library C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 0x00400000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company) 664
Library C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company) 0x00400000
Library C:\Program Files\Common Files\LightScribe\LSSProxy.dll (Hewlett-Packard Company) 0x67000000
Library C:\Program Files\Common Files\LightScribe\LSLog.dll (Hewlett-Packard Company) 0x68000000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 84.87/NVIDIA Corporation) 704
Library C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 84.87/NVIDIA Corporation) 0x00400000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process E:\mcqhluul.exe 1060
Library E:\mcqhluul.exe 0x00400000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 1556
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 1580
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\WINDOWS\system32\klogon.dll (Logon Visualizer/Kaspersky Lab) 0x6D4D0000

Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 1624
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 1636
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1784
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1840
Library C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 2000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\DRIVERS\AmdK8.sys (AMD Processor Driver/Advanced Micro Devices) [SYSTEM] AmdK8
Service C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [AUTO] Apple Mobile Device
Service C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (Kaspersky Anti-Virus/Kaspersky Lab) [MANUAL] AVP
Service C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom 802.11 Network Adapter wireless driver/Broadcom Corporation) [MANUAL] BCM43XX
Service C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) [AUTO] Bonjour Service
Service C:\DOCUME~1\0\LOCALS~1\Temp\catchme.sys [MANUAL] catchme
Service C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [AUTO] ccevtmgr
Service C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [AUTO] ccsetmgr
Service C:\WINDOWS\system32\Drivers\DgiVecp.sys (Windows NT 4.0 IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes/DeviceGuys, Inc.) [AUTO] DgiVecp
Service C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) [MANUAL] GEARAspiWDM
Service C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (getPlus(R) Helper/NOS Microsystems Ltd.) [MANUAL] getPlus(R) Helper
Service C:\WINDOWS\system32\giveio.sys [BOOT] giveio
Service C:\WINDOWS\system32\drivers\CHDAud.sys (High Definition Audio Function Driver/Conexant Systems Inc.) [MANUAL] HdAudAddService
Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) [MANUAL] HDAudBus
Service C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (hpqwmiex Module/Hewlett-Packard Development Company, L.P.) [AUTO] hpqwmiex
Service C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (HSF_HWAZL WDM driver/Conexant Systems, Inc.) [MANUAL] HSFHWAZL
Service C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (HSF_DP driver/Conexant Systems, Inc.) [MANUAL] HSF_DPV
Service C:\Program Files\iPod\bin\iPodService.exe (iPodService Module/Apple Inc.) [MANUAL] iPod Service
Service C:\Program Files\Java\jre6\bin\jqs.exe [AUTO] JavaQuickStarterService
Service system32\drivers\kl1.sys [BOOT] kl1
Service C:\WINDOWS\system32\drivers\klbg.sys (KLBG Mini-Filter/Kaspersky Lab) [BOOT] klbg
Service C:\WINDOWS\system32\DRIVERS\klif.sys (Klif Mini-Filter/Kaspersky Lab) [SYSTEM] KLIF
Service C:\WINDOWS\system32\DRIVERS\klim5.sys (Kaspersky Lab Intermediate Network Driver/Kaspersky Lab) [MANUAL] klim5
Service C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company) [AUTO] LightScribeService
Service C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface x86 Driver/Conexant) [AUTO] mdmxsdk
Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.87 /NVIDIA Corporation) [MANUAL] nv
Service C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA® nForce(TM) IDE Performance Driver/NVIDIA Corporation) [BOOT] nvata
Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys (NVIDIA Networking Function Driver./NVIDIA Corporation) [MANUAL] NVENETFD
Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys (NVIDIA Networking Bus Driver./NVIDIA Corporation) [MANUAL] nvnetbus
Service C:\WINDOWS\system32\DRIVERS\nvsmu.sys (NVIDIA® nForce(TM) SMU Microcontroller Driver/NVIDIA Corporation) [MANUAL] nvsmu
Service C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 84.87/NVIDIA Corporation) [AUTO] NVSvc
Service Outlook
Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20
Service C:\WINDOWS\system32\DRIVERS\rimmptsk.sys (RICOH MMC Driver/REDC) [MANUAL] rimmptsk
Service C:\WINDOWS\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) [MANUAL] rimsptsk
Service C:\WINDOWS\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) [MANUAL] rismxdp
Service C:\WINDOWS\system32\DRIVERS\livecamv.sys [MANUAL] RLDesignVirtualAudioCableWdm
Service RpcSs
Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [MANUAL] Secdrv
Service C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [AUTO] smcservice
Service SnacNp
Service C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [MANUAL] spbbcdrv
Service C:\WINDOWS\system32\speedfan.sys (SpeedFan Device Driver/Windows (R) 2000 DDK provider) [BOOT] speedfan
Service C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Anti-Spyware driver/Check Point Software Technologies LTD) [BOOT] srescan
Service C:\WINDOWS\system32\Drivers\SSPORT.sys [AUTO] SSPORT
Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation) [MANUAL] streamip
Service C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) [MANUAL] SynTP
Service C:\WINDOWS\system32\drivers\TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) [BOOT] tffsmon
Service C:\WINDOWS\System32\Drivers\TfKbMon.sys (ThreatFire Keyboard Monitor/PC Tools) [MANUAL] tfkbmon
Service C:\WINDOWS\system32\drivers\TfNetMon.sys (ThreatFire Network Monitor/PC Tools) [MANUAL] tfnetmon
Service C:\WINDOWS\system32\drivers\TfSysMon.sys (ThreatFire System Monitor/PC Tools) [BOOT] tfsysmon
Service C:\Program [AUTO] threatfire
Service system32\DRIVERS\UIUSYS.SYS [MANUAL] UIUSys
Service C:\WINDOWS\system32\DRIVERS\V0410Afx.sys (Advanced Audio FX Driver/Creative Technology Ltd.) [MANUAL] V0410Afx
Service C:\WINDOWS\system32\DRIVERS\V0410Aud.sys (Audio filter driver/Creative Technology Ltd.) [MANUAL] V0410Aud
Service C:\WINDOWS\system32\DRIVERS\V0410Dev.sys (Video Capture Device Driver/Creative Technology Ltd.) [MANUAL] V0410Dev
Service C:\WINDOWS\system32\DRIVERS\V0410Vfx.sys (Advanced Video FX Filter
Driver (Win2K based)/EyePower Games Pte. Ltd.) [MANUAL] V0410Vfx
Service C:\WINDOWS\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) [SYSTEM] vsdatant
Service C:\WINDOWS\system32\ZoneLabs\vsmon.exe (TrueVector Service/Check Point Software Technologies LTD) [AUTO] vsmon
Service C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.) [MANUAL] winachsf

---- EOF - GMER 1.0.15 ----



Thanks alot!
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-24-2009, 11:08 AM   #12 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Two items of note to ask on before we opt on what to do next there.

The logs show a Uniscribe function related to this loading with certain processes there. Are you using a test or other language translater software there?

Also this file on the E drive - do you recognize it? Right click it if not and select Properties, and see if Version info is there to check.

E:\mcqhluul.exe

As you have been running tools from a different drive I am assuming this is a renamed file from one of them.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-24-2009, 03:53 PM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
I haven't been using any type of language translation, only english on my computer. About E:\mcqhluul.exe, that was a file for GMER that I ran from my flash drive. I run everything from the flash drive because I'm prevented from moving files onto my computer unless I make a new copy using "Save As" for documents.

Thanks again.
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-24-2009, 08:46 PM   #14 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
The logs show you have many services stopped or disabled there, including some that seem to be system essential. Any chance you just randomly disabled many using something like msconfig? This may also be involved in not being able to copy files across correctly.


Let's assume for now USP10.dll is up to no good, hooking into all the process there.

Download and run Process Explorer from here. Click on View and check "Show processes from all users", "show fractional CPU" and "Show unnamed handles".

Then on the keyboard press Ctrl + H (the letter H). A lower pane should appear, where each process' "handle" list will show. One at a time click on each process in the upper pane to hilight it, then in the lower pane see if you can locate the following in each:

USP10.dll

If so, right click on any of those showing and select "Close Handle". Iffy if this will succeed but one way to close out those questionable hooks.


Then try to install and run Malwarebytes, doing whatever method you nmeed to to transfer it over and run it.
__________________
Last edited by Jintan; 04-24-2009 at 08:47 PM.
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-25-2009, 04:25 PM   #15 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
I followed all of your instructions just as you said, but I didnt find any handles containing "USP10.dll." I know this problem is hard to figure out, I'm convinced it's a virus because all of my anti-virus/malware/spyware programs are blocked, yet my normal programs can still run. The problem began with Threatfire saying it had detected a problem and fixed it and that it needed to reboot. Once it rebooted, the computer had all of these problems.

With regard to MBAM, needless to say I could not run it. By the way, I have had the MBAM program all along, I've used it in the past and it used to work just fine until my computer got the virus, presumable preventing it from running. When I try to open the program, i get an error message saying "Failed to load control 'vbalGrid' from vbalsgrid6.ocx..."

I appreciate your help as always.
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-25-2009, 10:38 PM   #16 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Let's switch scans.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

!!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

That log will be pretty large so go ahead and zip a copy of that and attach it to your next reply please.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-26-2009, 06:55 PM   #17 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
Radix scan log attached, thanks.
Attached Files
File Type: zip radix log.zip (15.6 KB, 6 views)
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-27-2009, 05:38 PM   #18 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
Trying to come up to speed on the methods here as a new helper, so somewhat getting the cart before the horse. Radix does not reflect the active malware right now known for these access blocks, but there has been something afoot with what seems ("seems") like malware altering existing security software to do it's job. But your mention of Threatfire, with Kaspersky and Zone Alarm and other same-function security softwares showing suggests we address those right now. At some point you will need to uninstall all of them, as by now they have corrupted each other, regardless of malware (and there has been malware active there).

Also the logs show NoAdware, which is a fake and flake security software that should have been uninstalled already.

Open Hijackthis.
Click Config - Misc Tools - Open Uninstall Manager.
A list of the entries in Add/Remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents back here for review.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-28-2009, 12:03 AM   #19 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 14
OS: Windows XP SP3


Re: Virus, Please Help!
Uninstall list attached here, thanks.
Attached Files
File Type: txt uninstall_list.txt (7.2 KB, 2 views)
chabs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Old 04-28-2009, 09:50 PM   #20 (permalink)
Analyst, Security Team
 
Join Date: Feb 2006
Posts: 222
OS: 2K


Re: Virus, Please Help!
I don't see Threatfire as installed - did you just uninstall that or are these services and other entries hang-ons from a partial uninstall. Norton remnants showing as well, and these have blocked normal net access on systems I have worked on. And you have both Kaspersky and ZoneAlarm Security Suite, and although you might have not applied the antivirus portion of Zone Alarm it installs that in part anyway, so would be a duplicated security software there.

Temp disable all that security software, then go to Add/Remove Programs and uninstall NoAdware v5.0.

Then choose between Kaspersky and Zone Alarm and uninstall one of those. Actually, with all these installed at one time likely the one you keep will have also been partially corrupted by the other softwares.


Then Go here and download the Norton Removal Tool that is appropriate for your version. Then close all open windows and disable all protective software, and click the downloaded file to completely remove Norton from your system. If the removal does not cause a reboot reboot after the tool has completed the removal. Be sure to save all registration keys before running the tool if you plan to reinstall Norton later.

If you do not recall the version that is okay - the same tool is used for most versions.


One reason you are having issues is some incorrect or incomplete change related to userinit.exe or the settings that load that, but I will need a different view to check those. For things like not being able to transfer files etc. most of your services are disabled, so barely anything, including anything running in a svchost.exe process, will not be available. Might need to do a repair install to correct all that. Do you have access to a CD you can use for that?

Do this scan so I will be on more familiar ground to help you better here.

Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Just close that for now.
__________________
Jintan is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 03:51 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85