Welcome to Tech Support Forum, home to more than 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming. Getting your problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer. Registered members see fewer ads, and much more.
Resolved HJT Threads: Resolved spyware and popup issues.
#1 (permalink)
Registered User
Join Date: Aug 2007
Posts: 8
OS: Win XP
Possible virus -- changed windows background (not desktop background)
Hi, any help will be appreciated.

When I open my C:\WINDOWS window in My Computer, I get this weird picture of a manga-ish samurai (which I'm positive I've never intentionally downloaded) as the window background. Other folders' window backgrounds are unaffected. I've tried changing Window schemes, etc., but no change. My PC still works fine, everything functions (except for iTunes & QuickTime, but I think it's unrelated), so it's merely an annoyance really, but I'm worried that if it is a virus, it might spread. I've tried scanning with Ad-Aware and Avast but no viruses were found. Wanted to try the online Panda scanner but it took too long (I'm connecting from Indonesia).

Here's my DSS main.txt:

Deckard's System Scanner v20070807.62
Run by Admin on 2007-08-09 at 10:54:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
27: 2007-08-09 03:54:35 UTC - RP28 - Deckard's System Scanner Restore Point
26: 2007-08-09 02:58:43 UTC - RP27 - Installed Nokia Multimedia Factory
25: 2007-08-09 02:54:41 UTC - RP26 - Installed Nokia PC Suite
24: 2007-08-09 02:43:19 UTC - RP25 - Installed iTunes
23: 2007-08-09 02:42:05 UTC - RP24 - Removed Apple Mobile Device Support

-- First Restore Point --
1: 2007-07-23 06:05:47 UTC - RP2 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-09 10:56:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\windxp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\SeUpdateDb.exe
C:\Documents and Settings\Admin\My Documents\Downloads\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F0 - system.ini: Shell=Explorer.exe "c:\windows\Explore.exe"
F2 - REG:system.ini: Shell=Explorer.exe "c:\windows\Explore.exe"
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [def] C:\WINDOWS\Temp\Vel.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SysRestore] c:\windows\system32\Restoration.msd
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKEY_LOCAL_MACHINE\..\RunOnce: [DAP Cleanup] C:\DOCUME~1\Admin\LOCALS~1\Temp\DAPREMOVE.EXE /CLEANUP /DIR="C:\PROGRA~1\DAP"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\RunOnce: [Delete temporary setup file] cmd /Q /D /C del "C:\DOCUME~1\Admin\LOCALS~1\Temp\{79630253-F7C3-49C3-B1C7-A34665890553}\{6536688C-24C5-4023-B404-BEE850ED4312}\setup.exe"
O4 - Startup: AdobeGama.pif
O4 - Global Startup: AdobeGama.pif
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra 'Tools' menuitem: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: (no name) - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ALCXSENS (Service for WDM 3D Audio Driver) - c:\windows\system32\drivers\alcxsens.sys <Not Verified; Sensaura Ltd; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------

-- Files created between 2007-07-09 and 2007-08-09 -----------------------------
C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2007-07-31 10:41:34 2644 --a------ C:\Program Files\3dsmax.ini
2007-07-31 10:41:32 64 --a------ C:\Program Files\maxscrpt.dsk
2007-07-31 10:41:30 0 --a------ C:\Program Files\RtDxStdMtl2.log
2007-07-18 14:45:20 114 --a------ C:\Program Files\plugin.ini
2007-07-18 11:21:38 62 --ahs---- C:\Documents and Settings\Admin\Application Data\desktop.ini
2007-06-21 23:51:24 74240 --a------ C:\a.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
07/31/2007 06:51 AM 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/05/2003 12:59 PM C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [03/04/2005 03:36 AM]
"def"="C:\WINDOWS\Temp\Vel.exe" []
"SysRestore"="c:\windows\system32\Restoration.msd" [07/26/2007 12:57 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/28/2007 05:03 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [12/13/2005 08:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/07/2005 12:00 AM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/30/2005 04:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Delete temporary setup file"=cmd /Q /D /C del "C:\DOCUME~1\Admin\LOCALS~1\Temp\{79630253-F7C3-49C3-B1C7-A34665890553}\{6536688C-24C5-4023-B404-BEE850ED4312}\setup.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"DAP Cleanup"=C:\DOCUME~1\Admin\LOCALS~1\Temp\DAPREMOVE.EXE /CLEANUP /DIR="C:\PROGRA~1\DAP"

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
AdobeGama.pif [7/26/2007 12:57:26 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AdobeGama.pif [7/26/2007 12:57:26 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\Explore.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd5b172-3ef7-11dc-8490-f679e301c7a4}]
AutoRun\command- F:\Copy*of*Desktop.ini
explore\Command- F:\Copy*of*Desktop.ini
open\Command- F:\Copy*of*Desktop.ini

*Newly Created Service* - IPOD_SERVICE

-- End of Deckard's System Scanner: finished at 2007-08-09 at 10:57:46 -------

Thanks,
Gita
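The Registry Dump in the log above is the part an analyst reads first, and the entries that stand out can be checked mechanically. The following Python script is an added example, not part of this thread and not code from Deckard's System Scanner, SDFix or ComboFix. It parses the dump format DSS prints and flags the entries an analyst would mark by hand: a Run value launched from a Temp folder or that DSS could not stamp (the empty `[]`), a launched file whose extension is not an executable one, a Winlogon `Shell` value that is not exactly `Explorer.exe`, a `.pif` in a Startup folder, and an `AutoRun` handler on a removable drive under `MountPoints2`. The sample input is an excerpt copied from the log above; the heuristics, the extension lists and every function name are this example's own assumptions.

```python
"""Autostart triage over a DSS-style "Registry Dump" (added example, not
code from the thread, Deckard's System Scanner, SDFix or ComboFix)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the Deckard's System Scanner log posted above.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/05/2003 12:59 PM C:\WINDOWS\SOUNDMAN.EXE]
"def"="C:\WINDOWS\Temp\Vel.exe" []
"SysRestore"="c:\windows\system32\Restoration.msd" [07/26/2007 12:57 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/28/2007 05:03 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AdobeGama.pif [7/26/2007 12:57:26 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\Explore.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd5b172-3ef7-11dc-8490-f679e301c7a4}]
AutoRun\command- F:\Copy*of*Desktop.ini
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "name"="data" [stamp]; DSS prints [] when it could not find/stamp the file.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"(?:\s*\[(?P<stamp>.*)\])?\s*$')
STARTUP_ITEM_RE = re.compile(r'^(?P<file>\S+)\s+\[(?P<stamp>[^\]]*)\]$')
MOUNTPOINT_RE = re.compile(r'^(?P<verb>\w+)\\command-\s+(?P<target>.+)$', re.I)

EXEC_EXTS = {'.exe', '.com', '.bat', '.cmd', '.scr'}               # assumption
ODD_STARTUP_EXTS = {'.pif', '.scr', '.bat', '.cmd', '.vbs', '.js'}  # assumption


@dataclass
class Entry:
    location: str           # registry key or Startup folder
    name: str               # value name, file name or AutoRun verb
    target: str             # what gets launched
    stamp: Optional[str]    # "" when DSS printed [], None when no stamp field


@dataclass
class Finding:
    location: str
    target: str
    reasons: List[str]


def parse_dump(text: str) -> List[Entry]:
    """Walk the dump line by line, remembering the key or folder we are in."""
    entries: List[Entry] = []
    location = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            location = m['key']
        elif line.lower().endswith('\\startup\\'):
            location = line
        elif m := VALUE_RE.match(line):
            entries.append(Entry(location, m['name'], m['data'], m['stamp']))
        elif m := MOUNTPOINT_RE.match(line):
            entries.append(Entry(location, m['verb'], m['target'], None))
        elif m := STARTUP_ITEM_RE.match(line):
            entries.append(Entry(location, m['file'], m['file'], m['stamp']))
    return entries


def launched_file(data: str) -> str:
    """Program path of a Run value with its arguments stripped."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return re.split(r'\s+[/-]', data, maxsplit=1)[0]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the by-eye checks; an entry with any reason becomes a finding."""
    findings = []
    for e in entries:
        reasons = []
        loc = e.location.lower()
        if loc.endswith(('\\run', '\\runonce')):
            path = launched_file(e.target)
            ext = ntpath.splitext(path)[1].lower()
            if '\\temp\\' in path.lower():
                reasons.append('launched from a Temp directory')
            if e.stamp == '':
                reasons.append('DSS printed []: file missing or not stampable')
            if ext not in EXEC_EXTS:
                reasons.append(f'"{ext}" is not a normal executable extension')
        elif loc.endswith('\\winlogon') and e.name.lower() == 'shell':
            if e.target != 'Explorer.exe':
                reasons.append('Winlogon Shell is not exactly Explorer.exe')
        elif loc.endswith('\\startup\\'):
            ext = ntpath.splitext(e.name)[1].lower()
            if ext in ODD_STARTUP_EXTS:
                reasons.append(f'"{ext}" item in a Startup folder')
        elif '\\mountpoints2\\' in loc and e.name.lower() == 'autorun':
            reasons.append(f'AutoRun handler on drive {e.target[:2]}')
        if reasons:
            findings.append(Finding(e.location, e.target, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(parse_dump(SAMPLE_DUMP)):
        print(f'{f.target}\n    in {f.location}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run stand-alone it prints five findings (Vel.exe, Restoration.msd, AdobeGama.pif, the Winlogon Shell value and the F: AutoRun handler) and nothing for SoundMan or avast!; feed `parse_dump` the saved main.txt to try it on a whole log. It is a reading aid for the dump, not a substitute for the tools prescribed in the reply below, and it says nothing about entry types it does not model, such as the At*.job scheduled tasks, BHOs and services.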
#2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista
Re: Possible virus -- changed windows background (not desktop background)
Hello
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

--------------------------------------------------------------------

Download Combofix and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.
Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:
C:\ComboFix.txt
C:\SDFix\Report.txt
New HijackThis log
#3
Registered User
Join Date: Aug 2007
Posts: 8
OS: Win XP
Re: Possible virus -- changed windows background (not desktop background)
Hi, I've done all of the listed steps above. Here's my...

Combofix.txt

ComboFix 07-08-13.3 - "Admin" 2007-08-13 10:48:29.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT 7:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\a.exe
C:\WINDOWS\system32\Y12d0Vn5.exe
C:\WINDOWS\Tasks.\At25.job
C:\WINDOWS\Tasks.\At26.job
C:\WINDOWS\Tasks.\At27.job
C:\WINDOWS\Tasks.\At28.job
C:\WINDOWS\Tasks.\At29.job
C:\WINDOWS\Tasks.\At30.job
C:\WINDOWS\Tasks.\At31.job
C:\WINDOWS\Tasks.\At32.job
C:\WINDOWS\Tasks.\At33.job
C:\WINDOWS\Tasks.\At34.job
C:\WINDOWS\Tasks.\At35.job
C:\WINDOWS\Tasks.\At36.job
C:\WINDOWS\Tasks.\At37.job
C:\WINDOWS\Tasks.\At38.job
C:\WINDOWS\Tasks.\At39.job
C:\WINDOWS\Tasks.\At40.job
C:\WINDOWS\Tasks.\At41.job
C:\WINDOWS\Tasks.\At42.job
C:\WINDOWS\Tasks.\At43.job
C:\WINDOWS\Tasks.\At44.job
C:\WINDOWS\Tasks.\At45.job
C:\WINDOWS\Tasks.\At46.job
C:\WINDOWS\Tasks.\At47.job
C:\WINDOWS\Tasks.\At48.job
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\xhelper.dll

((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))

2007-08-13 10:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 18:00 <DIR> d-------- C:\Program Files\iTunes
2007-08-10 18:00 <DIR> d-------- C:\Program Files\iPod
2007-08-10 17:59 <DIR> d-------- C:\Program Files\QuickTime
2007-08-09 11:25 <DIR> d-------- C:\Program Files\CCleaner
2007-08-09 10:54 <DIR> d-------- C:\Deckard
2007-08-09 10:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-09 09:59 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Datalayer
2007-08-09 09:58 <DIR> d-------- C:\DOCUME~1\Admin\Phone Browser
2007-08-09 09:56 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Nokia
2007-08-09 09:55 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PC Suite
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Nokia
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-08-09 09:42 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-08 13:31 <DIR> d-------- C:\Program Files\LimeWire
2007-08-08 12:32 <DIR> d-------- C:\DOCUME~1\Admin\Incomplete
2007-08-08 12:31 <DIR> d-------- C:\DOCUME~1\Admin\.limewire
2007-08-07 13:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-07 13:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-07 10:56 26,176 --a------ C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-03 12:45 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-03 12:45 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-03 12:45 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-03 12:45 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-03 12:45 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-03 12:45 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-03 12:45 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-03 12:45 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-03 12:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-02 16:24 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PC Tools
2007-08-02 15:00 299,520 --a------ C:\WINDOWS\uninst.exe
2007-08-02 15:00 <DIR> d-------- C:\Program Files\ToniArts
2007-08-02 15:00 <DIR> d-------- C:\DOCUME~1\Admin\WINDOWS
2007-08-02 14:42 <DIR> d-------- C:\Program Files\ElcomSoft
2007-08-02 08:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
2007-08-01 19:29 <DIR> d-------- C:\DOCUME~1\Admin\Saved Games
2007-08-01 16:36 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\AdobeUM
2007-08-01 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iWin
2007-08-01 14:01 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\iWin
2007-08-01 13:15 <DIR> d-------- C:\Program Files\PMStitch20
2007-08-01 13:07 86,016 --a------ C:\WINDOWS\system32\xl_x263dec.dll
2007-08-01 13:07 61,440 --a------ C:\WINDOWS\system32\camiodll.dll
2007-08-01 13:07 49,152 --a------ C:\WINDOWS\system32\CamCapEx.dll
2007-08-01 13:07 40,960 --a------ C:\WINDOWS\system32\PicEng.dll
2007-08-01 13:07 <DIR> d-------- C:\Program Files\Veo Digital Studio
2007-08-01 13:07 <DIR> d-------- C:\Program Files\Veo Connect
2007-08-01 13:02 899,884 -ra------ C:\WINDOWS\system32\drivers\ucdnt.sys
2007-08-01 13:02 86,016 --a------ C:\WINDOWS\system32\ucdintf.dll
2007-08-01 13:02 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-08-01 13:02 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_yv12.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_yuy2.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_uyvy.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\Xl_I420.dll
2007-08-01 13:02 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-08-01 13:02 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-01 13:02 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-08-01 13:02 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2007-08-01 13:02 286,720 --a------ C:\WINDOWS\system32\CamFC.dll
2007-08-01 13:02 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-08-01 13:02 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-08-01 13:02 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-08-01 13:02 17,024 --a------ C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-08-01 13:02 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-08-01 13:02 15,360 --a------ C:\WINDOWS\system32\dllcache\streamip.sys
2007-08-01 13:02 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-08-01 13:02 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2007-08-01 13:02 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-08-01 13:02 10,880 --a------ C:\WINDOWS\system32\dllcache\ndisip.sys
2007-08-01 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-08-01 11:26 <DIR> d-------- C:\Program Files\GameHouse
2007-08-01 11:26 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\GameHouse
2007-08-01 11:11 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-08-01 11:10 <DIR> d-------- C:\Program Files\MSECACHE
2007-07-31 20:11 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Help
2007-07-30 10:55 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Genie-Soft
2007-07-30 10:54 <DIR> d-------- C:\Program Files\Genie-Soft
2007-07-30 09:36 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\IsolatedStorage
2007-07-28 17:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Escape From Paradise
2007-07-28 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-28 16:15 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-27 23:07 <DIR> d-------- C:\Program Files\VirtualVillagers_at
2007-07-27 18:52 <DIR> d-------- C:\Program Files\PizzaFrenzy_at
2007-07-27 13:35 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-07-27 12:17 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Gaijin Ent
2007-07-27 10:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-07-27 10:07 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PlayFirst
2007-07-27 10:01 <DIR> d---s---- C:\DOCUME~1\Admin\UserData
2007-07-26 19:17 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-07-26 19:17 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Sandlot Games
2007-07-26 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-26 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Yahoo!
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Google 2007-07-26 13:47 <DIR> d-------- C:\Program Files\MostFun 2007-07-26 13:45 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Apple Computer 2007-07-26 13:44 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-31 10:41 64 --a------ C:\Program Files\maxscrpt.dsk 2007-07-31 10:41 2644 --a------ C:\Program Files\3dsmax.ini 2007-07-31 10:41 0 --a------ C:\Program Files\RtDxStdMtl2.log 2007-07-23 13:21 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin 2007-07-23 13:20 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin 2007-07-18 14:45 114 --a------ C:\Program Files\plugin.ini 2004-10-05 16:12 138430 -ra------ C:\Program Files\Readme.rtf 2004-10-04 18:23 7168 --a------ C:\Program Files\viewfile.dll 2004-10-04 18:23 36864 --a------ C:\Program Files\zlibdll.dll 2004-10-04 18:23 271872 --a------ C:\Program Files\viz.dll 2004-10-04 18:23 17408 --a------ C:\Program Files\UIControls.dll 2004-10-04 18:23 151552 --a------ C:\Program Files\unzip32.dll 2004-10-04 18:23 131072 --a------ C:\Program Files\zip32.dll 2004-10-04 18:23 10752 --a------ C:\Program Files\undomgr.dll 2004-10-04 18:23 10240 --a------ C:\Program Files\UndoBody.dll 2004-10-04 18:22 97792 --a------ C:\Program Files\maxnet.dll 2004-10-04 18:22 974848 --a------ C:\Program Files\mfc70.dll 2004-10-04 18:22 97280 --a------ C:\Program Files\res2.dll 2004-10-04 18:22 97280 --a------ C:\Program Files\lsrd.dll 2004-10-04 18:22 97280 --a------ C:\Program Files\libDLcomponentManager.dll 2004-10-04 18:22 9728 --a------ C:\Program Files\helpsys.dll 2004-10-04 18:22 96256 --a------ C:\Program Files\Poly.dll 2004-10-04 18:22 92160 --a------ C:\Program Files\lpwrt.dll 2004-10-04 18:22 92160 --a------ C:\Program Files\CustDlg.dll 2004-10-04 18:22 89088 --a------ C:\Program Files\oglgfx.drv 2004-10-04 18:22 8704 --a------ C:\Program 
Files\resmgr.dll 2004-10-04 18:22 85504 --a------ C:\Program Files\hrigfx.drv 2004-10-04 18:22 84992 --a------ C:\Program Files\Atl70.dll 2004-10-04 18:22 843776 --a------ C:\Program Files\libpdx.dll 2004-10-04 18:22 83968 --a------ C:\Program Files\ParticleFlow.dll 2004-10-04 18:22 837632 --a------ C:\Program Files\d3dgfx.drv 2004-10-04 18:22 78968 --a------ C:\Program Files\iejfifrd80.dll 2004-10-04 18:22 78968 --a------ C:\Program Files\adlmres.dll 2004-10-04 18:22 770048 --a------ C:\Program Files\libDLbase.dll 2004-10-04 18:22 7680 --a------ C:\Program Files\rct_registry.dll 2004-10-04 18:22 74240 --a------ C:\Program Files\imageViewers.dll 2004-10-04 18:22 73216 --a------ C:\Program Files\res1.dll 2004-10-04 18:22 71680 --a------ C:\Program Files\MenuMan.dll 2004-10-04 18:22 7168 --a------ C:\Program Files\res10.dll 2004-10-04 18:22 69632 --a------ C:\Program Files\CdaLCDlg.dll 2004-10-04 18:22 68608 --a------ C:\Program Files\ManipSys.dll 2004-10-04 18:22 681472 --a------ C:\Program Files\mesh.dll 2004-10-04 18:22 66680 --a------ C:\Program Files\iepngrd80.dll 2004-10-04 18:22 65024 --a------ C:\Program Files\libDLltutility.dll 2004-10-04 18:22 649728 --a------ C:\Program Files\MNMath.dll 2004-10-04 18:22 63488 --a------ C:\Program Files\menus.dll 2004-10-04 18:22 62464 --a------ C:\Program Files\rtmax.dll 2004-10-04 18:22 6144 --a------ C:\Program Files\tessint.dll 2004-10-04 18:22 6144 --a------ C:\Program Files\res8.dll 2004-10-04 18:22 6144 --a------ C:\Program Files\libDLltutilityRes.dll 2004-10-04 18:22 610 --a------ C:\Program Files\hotkeyMap.html 2004-10-04 18:22 59904 --a------ C:\Program Files\max.task 2004-10-04 18:22 57344 --a------ C:\Program Files\libDLltgeometry.dll 2004-10-04 18:22 55808 --a------ C:\Program Files\MAXComponents.dll 2004-10-04 18:22 557568 --a------ C:\Program Files\splash.dll 2004-10-04 18:22 54904 --a------ C:\Program Files\iejfifwr80.dll 2004-10-04 18:22 54784 --a------ C:\Program Files\msvci70.dll 2004-10-04 18:22 54392 
--a------ C:\Program Files\iepngwr80.dll 2004-10-04 18:22 534016 --a------ C:\Program Files\d3d81gfx.drv 2004-10-04 18:22 5264896 --a------ C:\Program Files\core.dll 2004-10-04 18:22 5129728 --a------ C:\Program Files\3dsmax.exe 2004-10-04 18:22 5104640 --a------ C:\Program Files\Maxscrpt.dll 2004-10-04 18:22 499712 --a------ C:\Program Files\msvcp71.dll 2004-10-04 18:22 495376 --a------ C:\Program Files\msxml.dll 2004-10-04 18:22 487424 --a------ C:\Program Files\msvcp70.dll 2004-10-04 18:22 486400 --a------ C:\Program Files\dbghelp.dll 2004-10-04 18:22 4853760 --a------ C:\Program Files\libiges.dll 2004-10-04 18:22 46080 --a------ C:\Program Files\geomimp.dll 2004-10-04 18:22 4608 --a------ C:\Program Files\libDLltgeometryRes.dll 2004-10-04 18:22 4590 --a------ C:\Program Files\max.tres 2004-10-04 18:22 45568 --a------ C:\Program Files\ParamRollup.dll 2004-10-04 18:22 454656 --a------ C:\Program Files\libDLprimitives.dll 2004-10-04 18:22 44032 --a------ C:\Program Files\res5.dll 2004-10-04 18:22 4096 --a------ C:\Program Files\minidumpVer.dll 2004-10-04 18:22 4096 --a------ C:\Program Files\MaxIges.msx 2004-10-04 18:22 398456 --a------ C:\Program Files\ie80.dll 2004-10-04 18:22 36352 --a------ C:\Program Files\expr.dll 2004-10-04 18:22 3604480 --a------ C:\Program Files\Ashli.dll 2004-10-04 18:22 3592192 --a------ C:\Program Files\libray.dll 2004-10-04 18:22 35840 --a------ C:\Program Files\res6.dll 2004-10-04 18:22 35448 --a------ C:\Program Files\ieproxy16.dll 2004-10-04 18:22 35328 --a------ C:\Program Files\res4.dll 2004-10-04 18:22 35328 --a------ C:\Program Files\maxutil.dll 2004-10-04 18:22 352256 --a------ C:\Program Files\liblint.dll 2004-10-04 18:22 349392 --a------ C:\Program Files\addflow4.ocx 2004-10-04 18:22 348160 --a------ C:\Program Files\msvcr71.dll 2004-10-04 18:22 344064 --a------ C:\Program Files\msvcr70.dll 2004-10-04 18:22 33280 --a------ C:\Program Files\acap.dll 2004-10-04 18:22 32819 --a------ C:\Program Files\mtl7.dll 2004-10-04 18:22 
32447 --a------ C:\Program Files\AdlmLog.xml 2004-10-04 18:22 30840 --a------ C:\Program Files\ietiffrd80.dll 2004-10-04 18:22 30328 --a------ C:\Program Files\ietiffwr80.dll 2004-10-04 18:22 30208 --a------ C:\Program Files\particle.dll 2004-10-04 18:22 300544 --a------ C:\Program Files\Amodeler.dll 2004-10-04 18:22 2896896 --a------ C:\Program Files\gmi.dll 2004-10-04 18:22 28727 --a------ C:\Program Files\texture7.dll 2004-10-04 18:22 281208 --a------ C:\Program Files\Ereg.dll 2004-10-04 18:22 281088 --a------ C:\Program Files\AdskScInst.dll 2004-10-04 18:22 27648 --a------ C:\Program Files\gfx.dll 2004-10-04 18:22 26624 --a------ C:\Program Files\gcomm2.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2003-08-05 12:59 C:\WINDOWS\SOUNDMAN.EXE] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 05:03] "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 00:00] "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R3 EL2000;3Com 3C2000x EtherLink XL Adapter;C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dd5b172-3ef7-11dc-8490-f679e301c7a4}]
AutoRun\command- F:\Copy*of*Desktop.ini
explore\Command- F:\Copy*of*Desktop.ini
open\Command- F:\Copy*of*Desktop.ini

Contents of the 'Scheduled Tasks' folder
2007-08-12 17:01:02 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 18:01:02 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 19:01:02 C:\WINDOWS\Tasks\At3.job
2007-08-12 20:01:02 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 21:01:02 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 22:01:02 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 23:01:02 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-13 00:01:02 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-13 01:01:02 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-13 02:01:02 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-13 03:01:02 C:\WINDOWS\Tasks\At11.job
2007-08-10 04:01:02 C:\WINDOWS\Tasks\At12.job
2007-08-11 05:03:02 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-11 06:03:02 C:\WINDOWS\Tasks\At14.job
2007-08-11 07:03:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 08:01:02 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 09:01:02 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 10:01:02 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 11:01:02 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 12:01:02 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 13:01:02 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 14:01:02 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 15:01:02 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\bTbVnD0J.exe
2007-08-12 16:01:02 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\bTbVnD0J.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 10:51:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 10:52:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 10:52
--- E O F ---

SDFix report

SDFix: Version 1.98
Run by Admin on Mon 08/13/2007 at 11:00 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\OLD\D\Admin\Local Settings\Temp\5.dllb - Deleted
C:\OLD\D\NetworkService\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\OLD\D\NetworkService\Local Settings\Temp\v6xdt4.game - Deleted
C:\OLD\D\LocalService\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\OLD\D\LocalService\Local Settings\Temp\v6xdt4.game - Deleted
C:\OLD\D\NetworkService\Local Settings\Temp\vx1dt3.game - Deleted
C:\OLD\D\LocalService\Local Settings\Temp\vx1dt3.game - Deleted

Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL3732.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL4072.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL2522.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL1742.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL0954.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL1663.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL2600.tmp
C:\Documents and Settings\Admin\My Documents\My Work\BOB\DRILLING\RIG 750\~WRL1627.tmp
C:\OLD\D\Admin\Local Settings\Temp\BITF.tmp
C:\OLD\W\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\BIT3F.tmp
C:\OLD\W\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\BIT40.tmp
C:\OLD\W\SoftwareDistribution\Download\4596f4b9d8a4b5253ee760a58a45bcfb\BIT44.tmp
C:\OLD\W\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT45.tmp
C:\OLD\W\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\BIT48.tmp
C:\OLD\W\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\BIT62.tmp
C:\OLD\W\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\BIT41.tmp
C:\OLD\W\SoftwareDistribution\Download\52d0bad96d671744fec5c77caa4cdf4d\BIT42.tmp
C:\OLD\W\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT96.tmp
C:\OLD\W\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT6F.tmp
C:\OLD\W\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\BIT3B.tmp
C:\OLD\W\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\BIT3C.tmp
C:\OLD\W\SoftwareDistribution\Download\587d85e782ae94381c309d8add64e1a0\BIT3D.tmp
C:\OLD\W\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\BIT3E.tmp

Finished

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:30 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 
2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 6023 bytes Thanks again, Gita |
#4
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista
Re: Possible virus -- changed windows background (not desktop background)
Hello Gita,
Upload this file C:\WINDOWS\system32\bTbVnD0J.exe to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the blue text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html

-------------------------------------------------------

*Important*

One or more of the identified infections is a backdoor trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords to your accounts from that clean machine. It would also be wise to contact those same financial institutions to apprise them of your situation.

Do NOT change passwords or do any transactions from this computer until we've finished cleaning it.

------------------------------------------------------------

Please include the following in your next reply:

jotti results
What is your F drive--is it a flash drive?
#5
Registered User
Join Date: Aug 2007
Posts: 8
OS: Win XP
Re: Possible virus -- changed windows background (not desktop background)
Hi Reid,
My Jotti result:

Scan taken on 14 Aug 2007 02:20:40 (GMT)

A-Squared Found nothing
AntiVir Found TR/Crypt.ULPM.Gen
ArcaVir Found Trojan.Agent.Ark
Avast Found nothing
AVG Antivirus Found BackDoor.Agent.LDH
BitDefender Found GenPack:Generic.Malware.Sdld.C061D411 (probable variant)
ClamAV Found nothing
CPsecure Found BackDoor.W32.Agent.ark
Dr.Web Found Trojan.DownLoader.29692
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Agent.ark
Fortinet Found W32/Agent.ARK!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Agent.ark
NOD32 Found a variant of Win32/Agent.ARK
Norman Virus Control Found W32/Agent.BYKE
Panda Antivirus Found W32/ZLFake.A.drp
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/HckPk-A
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Agent.ark

Last file scanned at least one scanner reported something about: ykeepmain.dll (MD5: c3d10ad29844275cd97563f5e6d6b294, size: 36280 bytes), detected by: AntiVir TR/Spy.CNSMin

Yes, F drive is a flash drive. I suspected my PC was infected through my husband's USB Flash stick, his laptop has the same window-changing virus.

Thanks again,
Gita
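The multi-engine result above (the upload step the moderator asked for in post #4) is easier to act on once it is parsed: how many engines flagged the file, which vendors call it a backdoor, and whether the vendor names agree on a family. The script below is an added example for this thread, not code from the forum or from Jotti. Its input is the posted result reformatted to one engine per line (constructed from the post); the backdoor keyword list and the crude family normalisation are my own assumptions, not Jotti's.

```python
"""Triage a multi-engine (Jotti-style) scan result.

Added example for this thread, not code from the forum or from Jotti. The
input is the result Gita posted, reformatted to one engine per line; the
backdoor keyword list and the family normalisation are my own assumptions.
"""
import re
from collections import Counter

# Constructed from the posted Jotti output: "<engine> Found <verdict>" per line.
JOTTI_RESULT = """\
A-Squared Found nothing
AntiVir Found TR/Crypt.ULPM.Gen
ArcaVir Found Trojan.Agent.Ark
Avast Found nothing
AVG Antivirus Found BackDoor.Agent.LDH
BitDefender Found GenPack:Generic.Malware.Sdld.C061D411 (probable variant)
ClamAV Found nothing
CPsecure Found BackDoor.W32.Agent.ark
Dr.Web Found Trojan.DownLoader.29692
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Agent.ark
Fortinet Found W32/Agent.ARK!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Agent.ark
NOD32 Found a variant of Win32/Agent.ARK
Norman Virus Control Found W32/Agent.BYKE
Panda Antivirus Found W32/ZLFake.A.drp
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/HckPk-A
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Agent.ark
"""

# Assumption: these substrings in a vendor label mean remote-control capability
# ("!tr.bdr" is taken to be Fortinet's backdoor-trojan suffix in the posted result).
BACKDOOR_MARKERS = ("backdoor", "!tr.bdr")


def parse_jotti(text):
    """Map engine name -> verdict string, or None where the engine found nothing."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Engine names contain spaces ("F-Secure Anti-Virus") and so do some
        # verdicts ("a variant of ..."), so split on the first " Found " only.
        engine, sep, verdict = line.partition(" Found ")
        if not sep:
            raise ValueError(f"unparsable line: {line!r}")
        results[engine] = None if verdict.lower() == "nothing" else verdict
    return results


def family_token(verdict):
    """Crude normalisation: 'Backdoor.Win32.Agent.ark' -> 'agent.ark'."""
    m = re.search(r"agent\.[a-z]+", verdict, re.IGNORECASE)
    return m.group(0).lower() if m else None


def triage(results):
    """Summarise detection ratio, backdoor verdicts and the dominant family."""
    detections = {e: v for e, v in results.items() if v}
    backdoor = sorted(e for e, v in detections.items()
                      if any(mk in v.lower() for mk in BACKDOOR_MARKERS))
    families = Counter(family_token(v) for v in detections.values())
    families.pop(None, None)  # verdicts with no recognisable family token
    return {
        "engines": len(results),
        "detections": len(detections),
        "backdoor_engines": backdoor,
        "top_family": families.most_common(1)[0] if families else None,
    }


if __name__ == "__main__":
    summary = triage(parse_jotti(JOTTI_RESULT))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("backdoor verdicts from:", ", ".join(summary["backdoor_engines"]))
    print("most common family:", summary["top_family"])
```

On the posted result this reports 14 of 20 engines flagging the file, six of them with an explicit backdoor verdict, and seven agreeing on an Agent.ARK family name. That is the evidence behind the moderator's instruction to change passwords only from a clean machine: once several vendors independently classify a sample as a backdoor, the right assumption is that anything typed on the box since the infection date may have been captured.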
#6
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista
Re: Possible virus -- changed windows background (not desktop background)
Thank you.
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Insert your flash drive

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Panda results
New HijackThis log
Update on system behavior

We'll need to clean your husband's laptop as well. Please begin a new thread for his machine, entitle it Ried-Laptop. Run dss.exe (Deckard's System Scanner) on his laptop and post the main.txt and extra.txt
#7
Registered User
Join Date: Aug 2007
Posts: 8
OS: Win XP
Re: Possible virus -- changed windows background (not desktop background)
Hi Reid,
Panda ActiveScan found no virus on my PC, strangely enough.. The unwanted window background is still there however..

Here's my ComboFix.txt:

ComboFix 07-08-13.3 - "Admin" 2007-08-14 21:18:50.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.658 [GMT 7:00]
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\bTbVnD0J.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bTbVnD0J.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-13 11:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-13 10:59 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-13 10:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 18:00 <DIR> d-------- C:\Program Files\iTunes
2007-08-10 18:00 <DIR> d-------- C:\Program Files\iPod
2007-08-10 17:59 <DIR> d-------- C:\Program Files\QuickTime
2007-08-09 11:25 <DIR> d-------- C:\Program Files\CCleaner
2007-08-09 10:54 <DIR> d-------- C:\Deckard
2007-08-09 10:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-09 09:59 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Datalayer
2007-08-09 09:58 <DIR> d-------- C:\DOCUME~1\Admin\Phone Browser
2007-08-09 09:56 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Nokia
2007-08-09 09:55 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PC Suite
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Nokia
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-08-09 09:54 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-08-09 09:42 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-08 13:31 <DIR> d-------- C:\Program Files\LimeWire
2007-08-08 12:32 <DIR> d-------- C:\DOCUME~1\Admin\Incomplete
2007-08-08 12:31 <DIR> d-------- C:\DOCUME~1\Admin\.limewire
2007-08-07 13:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-07 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-07 13:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-03 12:45 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-03 12:45 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-03 12:45 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-03 12:45 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-03 12:45 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-03 12:45 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-03 12:45 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-03 12:45 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-03 12:45 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-02 16:24 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PC Tools
2007-08-02 15:00 299,520 --a------ C:\WINDOWS\uninst.exe
2007-08-02 15:00 <DIR> d-------- C:\Program Files\ToniArts
2007-08-02 15:00 <DIR> d-------- C:\DOCUME~1\Admin\WINDOWS
2007-08-02 14:42 <DIR> d-------- C:\Program Files\ElcomSoft
2007-08-02 08:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
2007-08-01 19:29 <DIR> d-------- C:\DOCUME~1\Admin\Saved Games
2007-08-01 16:36 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\AdobeUM
2007-08-01 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iWin
2007-08-01 14:01 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\iWin
2007-08-01 13:15 <DIR> d-------- C:\Program Files\PMStitch20
2007-08-01 13:07 86,016 --a------ C:\WINDOWS\system32\xl_x263dec.dll
2007-08-01 13:07 61,440 --a------ C:\WINDOWS\system32\camiodll.dll
2007-08-01 13:07 49,152 --a------ C:\WINDOWS\system32\CamCapEx.dll
2007-08-01 13:07 40,960 --a------ C:\WINDOWS\system32\PicEng.dll
2007-08-01 13:07 <DIR> d-------- C:\Program Files\Veo Digital Studio
2007-08-01 13:07 <DIR> d-------- C:\Program Files\Veo Connect
2007-08-01 13:02 899,884 -ra------ C:\WINDOWS\system32\drivers\ucdnt.sys
2007-08-01 13:02 86,016 --a------ C:\WINDOWS\system32\ucdintf.dll
2007-08-01 13:02 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-08-01 13:02 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_yv12.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_yuy2.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\xl_uyvy.dll
2007-08-01 13:02 57,344 --a------ C:\WINDOWS\system32\Xl_I420.dll
2007-08-01 13:02 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-08-01 13:02 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-01 13:02 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-08-01 13:02 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys
2007-08-01 13:02 286,720 --a------ C:\WINDOWS\system32\CamFC.dll
2007-08-01 13:02 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-08-01 13:02 19,328 --a------ C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-08-01 13:02 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-08-01 13:02 17,024 --a------ C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-08-01 13:02 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-08-01 13:02 15,360 --a------ C:\WINDOWS\system32\dllcache\streamip.sys
2007-08-01 13:02 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-08-01 13:02 11,136 --a------ C:\WINDOWS\system32\dllcache\slip.sys
2007-08-01 13:02 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-08-01 13:02 10,880 --a------ C:\WINDOWS\system32\dllcache\ndisip.sys
2007-08-01 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
2007-08-01 11:26 <DIR> d-------- C:\Program Files\GameHouse
2007-08-01 11:26 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\GameHouse
2007-08-01 11:11 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-08-01 11:10 <DIR> d-------- C:\Program Files\MSECACHE
2007-07-31 20:11 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Help
2007-07-30 10:55 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Genie-Soft
2007-07-30 10:54 <DIR> d-------- C:\Program Files\Genie-Soft
2007-07-30 09:36 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\IsolatedStorage
2007-07-28 17:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Escape From Paradise
2007-07-28 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-28 16:15 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-27 23:07 <DIR> d-------- C:\Program Files\VirtualVillagers_at
2007-07-27 18:52 <DIR> d-------- C:\Program Files\PizzaFrenzy_at
2007-07-27 13:35 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-07-27 12:17 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Gaijin Ent
2007-07-27 10:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-07-27 10:07 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\PlayFirst
2007-07-27 10:01 <DIR> d---s---- C:\DOCUME~1\Admin\UserData
2007-07-26 19:17 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-07-26 19:17 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Sandlot Games
2007-07-26 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-26 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Yahoo!
2007-07-26 13:49 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Google
2007-07-26 13:47 <DIR> d-------- C:\Program Files\MostFun
2007-07-26 13:45 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Apple Computer

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 10:41 64 --a------ C:\Program Files\maxscrpt.dsk
2007-07-31 10:41 2644 --a------ C:\Program Files\3dsmax.ini
2007-07-31 10:41 0 --a------ C:\Program Files\RtDxStdMtl2.log
2007-07-23 13:21 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-23 13:20 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-18 14:45 114 --a------ C:\Program Files\plugin.ini
2004-10-05 16:12 138430 -ra------ C:\Program Files\Readme.rtf
2004-10-04 18:23 7168 --a------ C:\Program Files\viewfile.dll
2004-10-04 18:23 36864 --a------ C:\Program Files\zlibdll.dll
2004-10-04 18:23 271872 --a------ C:\Program Files\viz.dll
2004-10-04 18:23 17408 --a------ C:\Program Files\UIControls.dll
2004-10-04 18:23 151552 --a------ C:\Program Files\unzip32.dll
2004-10-04 18:23 131072 --a------ C:\Program Files\zip32.dll
2004-10-04 18:23 10752 --a------ C:\Program Files\undomgr.dll
2004-10-04 18:23 10240 --a------ C:\Program Files\UndoBody.dll
2004-10-04 18:22 97792 --a------ C:\Program Files\maxnet.dll
2004-10-04 18:22 974848 --a------ C:\Program Files\mfc70.dll
2004-10-04 18:22 97280 --a------ C:\Program Files\res2.dll
2004-10-04 18:22 97280 --a------ C:\Program Files\lsrd.dll
2004-10-04 18:22 97280 --a------ C:\Program Files\libDLcomponentManager.dll
2004-10-04 18:22 9728 --a------ C:\Program Files\helpsys.dll
2004-10-04 18:22 96256 --a------ C:\Program Files\Poly.dll
2004-10-04 18:22 92160 --a------ C:\Program Files\lpwrt.dll
2004-10-04 18:22 92160 --a------ C:\Program Files\CustDlg.dll
2004-10-04 18:22 89088 --a------ C:\Program Files\oglgfx.drv
2004-10-04 18:22 8704 --a------ C:\Program Files\resmgr.dll
2004-10-04 18:22 85504 --a------ C:\Program Files\hrigfx.drv
2004-10-04 18:22 84992 --a------ C:\Program Files\Atl70.dll
2004-10-04 18:22 843776 --a------ C:\Program Files\libpdx.dll
2004-10-04 18:22 83968 --a------ C:\Program Files\ParticleFlow.dll
2004-10-04 18:22 837632 --a------ C:\Program Files\d3dgfx.drv
2004-10-04 18:22 78968 --a------ C:\Program Files\iejfifrd80.dll
2004-10-04 18:22 78968 --a------ C:\Program Files\adlmres.dll
2004-10-04 18:22 770048 --a------ C:\Program Files\libDLbase.dll
2004-10-04 18:22 7680 --a------ C:\Program Files\rct_registry.dll
2004-10-04 18:22 74240 --a------ C:\Program Files\imageViewers.dll
2004-10-04 18:22 73216 --a------ C:\Program Files\res1.dll
2004-10-04 18:22 71680 --a------ C:\Program Files\MenuMan.dll
2004-10-04 18:22 7168 --a------ C:\Program Files\res10.dll
2004-10-04 18:22 69632 --a------ C:\Program Files\CdaLCDlg.dll
2004-10-04 18:22 68608 --a------ C:\Program Files\ManipSys.dll
2004-10-04 18:22 681472 --a------ C:\Program Files\mesh.dll
2004-10-04 18:22 66680 --a------ C:\Program Files\iepngrd80.dll
2004-10-04 18:22 65024 --a------ C:\Program Files\libDLltutility.dll
2004-10-04 18:22 649728 --a------ C:\Program Files\MNMath.dll
2004-10-04 18:22 63488 --a------ C:\Program Files\menus.dll
2004-10-04 18:22 62464 --a------ C:\Program Files\rtmax.dll
2004-10-04 18:22 6144 --a------ C:\Program Files\tessint.dll
2004-10-04 18:22 6144 --a------ C:\Program Files\res8.dll
2004-10-04 18:22 6144 --a------ C:\Program Files\libDLltutilityRes.dll
2004-10-04 18:22 610 --a------ C:\Program Files\hotkeyMap.html
2004-10-04 18:22 59904 --a------ C:\Program Files\max.task
2004-10-04 18:22 57344 --a------ C:\Program Files\libDLltgeometry.dll
2004-10-04 18:22 55808 --a------ C:\Program Files\MAXComponents.dll
2004-10-04 18:22 557568 --a------ C:\Program Files\splash.dll
2004-10-04 18:22 54904 --a------ C:\Program Files\iejfifwr80.dll
2004-10-04 18:22 54784 --a------ C:\Program Files\msvci70.dll
2004-10-04 18:22 54392 --a------ C:\Program Files\iepngwr80.dll
2004-10-04 18:22 534016 --a------ C:\Program Files\d3d81gfx.drv
2004-10-04 18:22 5264896 --a------ C:\Program Files\core.dll
2004-10-04 18:22 5129728 --a------ C:\Program Files\3dsmax.exe
2004-10-04 18:22 5104640 --a------ C:\Program Files\Maxscrpt.dll
2004-10-04 18:22 499712 --a------ C:\Program Files\msvcp71.dll
2004-10-04 18:22 495376 --a------ C:\Program Files\msxml.dll
2004-10-04 18:22 487424 --a------ C:\Program Files\msvcp70.dll
2004-10-04 18:22 486400 --a------ C:\Program Files\dbghelp.dll
2004-10-04 18:22 4853760 --a------ C:\Program Files\libiges.dll
2004-10-04 18:22 46080 --a------ C:\Program Files\geomimp.dll
2004-10-04 18:22 4608 --a------ C:\Program Files\libDLltgeometryRes.dll
2004-10-04 18:22 4590 --a------ C:\Program Files\max.tres
2004-10-04 18:22 45568 --a------ C:\Program Files\ParamRollup.dll
2004-10-04 18:22 454656 --a------ C:\Program Files\libDLprimitives.dll
2004-10-04 18:22 44032 --a------ C:\Program Files\res5.dll
2004-10-04 18:22 4096 --a------ C:\Program Files\minidumpVer.dll
2004-10-04 18:22 4096 --a------ C:\Program Files\MaxIges.msx
2004-10-04 18:22 398456 --a------ C:\Program Files\ie80.dll
2004-10-04 18:22 36352 --a------ C:\Program Files\expr.dll
2004-10-04 18:22 3604480 --a------ C:\Program Files\Ashli.dll
2004-10-04 18:22 3592192 --a------ C:\Program Files\libray.dll
2004-10-04 18:22 35840 --a------ C:\Program Files\res6.dll
2004-10-04 18:22 35448 --a------ C:\Program Files\ieproxy16.dll
2004-10-04 18:22 35328 --a------ C:\Program Files\res4.dll
2004-10-04 18:22 35328 --a------ C:\Program Files\maxutil.dll
2004-10-04 18:22 352256 --a------ C:\Program Files\liblint.dll
2004-10-04 18:22 349392 --a------ C:\Program Files\addflow4.ocx
2004-10-04 18:22 348160 --a------ C:\Program Files\msvcr71.dll
2004-10-04 18:22 344064 --a------ C:\Program Files\msvcr70.dll
2004-10-04 18:22 33280 --a------ C:\Program Files\acap.dll
2004-10-04 18:22 32819 --a------ C:\Program Files\mtl7.dll
2004-10-04 18:22 32447 --a------ C:\Program Files\AdlmLog.xml
2004-10-04 18:22 30840 --a------ C:\Program Files\ietiffrd80.dll
2004-10-04 18:22 30328 --a------ C:\Program Files\ietiffwr80.dll
2004-10-04 18:22 30208 --a------ C:\Program Files\particle.dll
2004-10-04 18:22 300544 --a------ C:\Program Files\Amodeler.dll
2004-10-04 18:22 2896896 --a------ C:\Program Files\gmi.dll
2004-10-04 18:22 28727 --a------ C:\Program Files\texture7.dll
2004-10-04 18:22 281208 --a------ C:\Program Files\Ereg.dll
2004-10-04 18:22 281088 --a------ C:\Program Files\AdskScInst.dll
2004-10-04 18:22 27648 --a------ C:\Program Files\gfx.dll
2004-10-04 18:22 26624 --a------ C:\Program Files\gcomm2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 12:59 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 05:03]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-07 00:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-01-07 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R3 EL2000;3Com 3C2000x EtherLink XL Adapter;C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
S3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 21:20:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 21:20:54
C:\ComboFix-quarantined-files.txt ... 2007-08-14 21:20
C:\ComboFix2.txt ... 2007-08-13 10:52

New HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5653 bytes

Thanks,
Gita
#8, Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista
Let's see if this scanner picks up anything:
Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400 and answer Yes when prompted to install an ActiveX component.

----------------------------------------------------------------

Please download SREng.
**You may receive a message "The bandwidth limit for this site has been exceeded"; please keep trying, eventually you'll get through.

1. Extract it to Desktop and double-click SREng.exe to run it.
2. Select 'Smart Scan' and tick "Verify Digital Signatures".
3. Click on the [Scan] button.
4. When finished, click on the [Save Reports] button and save the log to Desktop.
5. Copy/paste the Kaspersky results directly into the reply.
6. Attach the SREng log in your next reply. Don't post it. You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
#9, Gita (Registered User, OS: Win XP)
Kaspersky Results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 16, 2007 12:23:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/08/2007
Kaspersky Anti-Virus database records: 381715
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 79407
Number of viruses found: 23
Number of infected objects: 56
Number of suspicious objects: 0
Duration of the scan process: 00:56:19

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP5\A0003968.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP5\A0003968.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP5\A0003968.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0005328.rbf Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006461.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006462.exe Infected: Virus.Win32.Virut.f skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006463.exe Infected: Virus.Win32.Virut.f skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006464.exe Infected: Virus.Win32.Virut.f skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006465.exe Infected: Virus.Win32.Virut.f skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006466.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006467.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006468.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006469.dll Infected: Backdoor.Win32.Agent.adr skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe CryptFF: infected - 3 skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006471.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006472.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006473.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.i skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006474.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.i skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006525.exe Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP40\A0015008.exe Infected: Trojan-Spy.Win32.BZub.js skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP40\A0015009.exe Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP40\A0015010.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP40\A0015011.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP42\A0015240.exe Infected: Backdoor.Win32.Agent.ark skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP43\change.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007081620070817\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DFD68.tmp Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\OLD\D\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Z8Y8IL7J\20509[1].exe Infected: Trojan.Win32.Qhost.it skipped
C:\OLD\D\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CY8WVAN6\ztool4[1] Infected: Packed.Win32.Tibs.ar skipped
C:\OLD\D\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IJA5MFQR\n2_11_07_07_1[1].exe Infected: Trojan.Win32.Obfuscated.gp skipped
C:\OLD\D\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7967IHMR\ztool4[1] Infected: Packed.Win32.Tibs.ar skipped
C:\OLD\D\Admin\Local Settings\Temp\win9E.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\OLD\D\Admin\Local Settings\Temporary Internet Files\Content.IE5\WNAUFXU9\20509[1].exe Infected: Trojan.Win32.Qhost.it skipped
C:\OLD\D\Admin\Local Settings\Temporary Internet Files\Content.IE5\IBAPN88M\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\OLD\W\smsys.dat Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\OLD\W\explorer.exe Infected: Trojan.Win32.Patched.aa skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\rvshost.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\runer.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\userint.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\windxp.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\winzipt.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\system31.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\Ngsys.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\Vel.exe Infected: Trojan-Downloader.Win32.VB.aza skipped
C:\SDFix\backups\backups.zip/backups/5.dllb Infected: Email-Worm.Win32.Zhelatin.fr skipped
C:\SDFix\backups\backups.zip/backups/v5xd2.g3ame Infected: Trojan-Downloader.Win32.Small.ehu skipped
C:\SDFix\backups\backups.zip/backups/v6xdt4.game Infected: Packed.Win32.Tibs.ar skipped
C:\SDFix\backups\backups.zip/backups/vx1dt3.game Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\SDFix\backups\backups.zip ZIP: infected - 4 skipped
C:\QooBox\Quarantine\C\a.exe.vir Infected: Trojan-Spy.Win32.BZub.js skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Y12d0Vn5.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bTbVnD0J.exe.vir Infected: Backdoor.Win32.Agent.ark skipped
C:\QooBox\Quarantine\C\WINDOWS\xhelper.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\QooBox\Quarantine\C\WINDOWS\WebAssist.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cz skipped

Scan process completed.

Attached is SRE Log..

Thanks Again,
Gita
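The Kaspersky report above counts 56 infected objects, but reading the paths shows that most of them sit in System Restore snapshots or in the quarantine and backup folders of the cleanup tools already run (ComboFix's QooBox, SDFix's backups.zip, the Deckard System Scanner backup), where they are no longer executed; only a few (the two files in C:\OLD\W, the Temporary Internet Files copies under C:\OLD\D, and jusched.exe under Program Files) are outside such storage. The script below is an added example, not code from the thread or from Kaspersky: it parses lines in the "Infected Object Name / Virus Name / Last Action" layout, discards the "Object is locked" noise, keeps archive summary lines ("ZIP: infected - 4") apart from the members they count, and splits the remaining detections into those under a neutralised-storage prefix and those anywhere else. The prefix list is an assumption drawn from the tools used in this thread, and SAMPLE_REPORT is a constructed excerpt of the posted report.

```python
"""Sort a Kaspersky Online Scanner report by where each detection lives.

Added example; not code from the thread or from Kaspersky. Detections under
a restore point, a tool quarantine or a tool backup are already neutralised
copies; everything else is a live file that still needs a decision.
"""
import re

# Assumed list, drawn from the tools used in this thread; adjust per host.
NEUTRALISED_PREFIXES = (
    r"C:\System Volume Information\_restore",   # System Restore snapshots
    r"C:\QooBox\Quarantine",                    # ComboFix quarantine
    r"C:\SDFix\backups",                        # SDFix backups
    r"C:\Deckard\System Scanner",               # Deckard's System Scanner backup
)

# Constructed excerpt of the report posted above, in Kaspersky's line layout.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006462.exe Infected: Virus.Win32.Virut.f skipped
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0006470.exe NSIS: infected - 3 skipped
C:\OLD\W\smsys.dat Infected: Trojan-Proxy.Win32.Agent.mx skipped
C:\OLD\W\explorer.exe Infected: Trojan.Win32.Patched.aa skipped
C:\SDFix\backups\backups.zip/backups/5.dllb Infected: Email-Worm.Win32.Zhelatin.fr skipped
C:\SDFix\backups\backups.zip ZIP: infected - 4 skipped
C:\QooBox\Quarantine\C\a.exe.vir Infected: Trojan-Spy.Win32.BZub.js skipped
"""

# "<path> Infected: <detection> <action>"  or  "<path> <container>: infected - <n> <action>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) (?P<action>\S+)$"
)


def classify(path):
    """'neutralised' if the path is under a restore point, quarantine or tool backup, else 'live'."""
    lowered = path.lower()
    if any(lowered.startswith(p.lower()) for p in NEUTRALISED_PREFIXES):
        return "neutralised"
    return "live"


def triage(report_text):
    """Parse report lines into {'live': [...], 'neutralised': [...], 'archive_summary': [...]}.

    Entries are (path, detection) tuples. Archive summary lines are kept apart
    because the members they count are already listed individually.
    """
    buckets = {"live": [], "neutralised": [], "archive_summary": []}
    for raw in report_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue   # headers, statistics and "Object is locked skipped" lines
        path = m.group("path")
        if m.group("container"):
            buckets["archive_summary"].append(
                (path, f"{m.group('container')}: {m.group('count')} infected members"))
        else:
            buckets[classify(path)].append((path, m.group("name")))
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for path, detection in entries:
            print(f"  {detection:45} {path}")
```

On the excerpt the live bucket holds jusched.exe and the two C:\OLD\W files; everything under the restore point, SDFix and QooBox prefixes lands in the neutralised bucket. Paste the full report into `triage()` to get the same split for all 56 objects; a path under C:\OLD\D is treated as live because C:\OLD is an ordinary folder, not a quarantine.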
#10, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
1. Download FindAWF.
2. Download and install AVG Anti-Spyware.
3. When you have finished updating, run AVG Anti-Spyware with its updated definitions (it's important that all windows must be closed).
4. Delete the following files if they still exist:
C:\OLD\W\smsys.dat
C:\OLD\W\explorer.exe
5. Run FindAWF.exe. When the tool has completed, a report will open up in Notepad. Please post the results of the awf.txt here along with the AVG A-S results.

Last edited by Ried; 08-16-2007 at 08:25 AM.
#11, Gita (Registered User, OS: Win XP)
Hi,
AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:03:01 PM 8/17/2007

+ Scan result:

C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0005493.dll -> Adware.Dap : No action taken.
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP8\A0005496.dll -> Adware.Dap : No action taken.
C:\SDFix\backups\backups.zip/backups/5.dllb -> Downloader.Small : No action taken.
C:\SDFix\backups\backups.zip/backups/v5xd2.g3ame -> Downloader.Small.ehu : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\Ngsys.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\Vel.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\runer.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\rvshost.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\system31.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\userint.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\windxp.exe -> Downloader.VB.aza : No action taken.
C:\Deckard\System Scanner\20070813110755\backup\DOCUME~1\Admin\LOCALS~1\Temp\winzipt.exe -> Downloader.VB.aza : No action taken.
C:\RECYCLED\Dc3.dat -> Proxy.Agent.mx : No action taken.
C:\SDFix\backups\backups.zip/backups/vx1dt3.game -> Proxy.Agent.mx : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\OLD\D\Admin\Cookies\admin@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\OLD\D\Admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ads.adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\OLD\D\Admin\Cookies\admin@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\OLD\D\Admin\Cookies\admin@ads.adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\OLD\D\Admin\Cookies\admin@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\OLD\D\Admin\Cookies\admin@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\OLD\D\Admin\Cookies\admin@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\OLD\D\Admin\Cookies\admin@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\OLD\D\Admin\Cookies\admin@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\OLD\D\Admin\Cookies\admin@media.fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\OLD\D\Admin\Cookies\admin@goclick[2].txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@search.live[2].txt -> TrackingCookie.Live : No action taken.
C:\OLD\D\Admin\Cookies\admin@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@auto.search.msn[1].txt -> TrackingCookie.Msn : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\OLD\D\Admin\Cookies\admin@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\OLD\D\Admin\Cookies\admin@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\OLD\D\Admin\Cookies\admin@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\OLD\D\Admin\Cookies\admin@realmedia[2].txt -> TrackingCookie.Realmedia : No action taken.
C:\OLD\D\Admin\Cookies\admin@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\OLD\D\Admin\Cookies\admin@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\OLD\D\Admin\Local Settings\Temp\Cookies\admin@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\OLD\D\Admin\Cookies\admin@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\OLD\D\Admin\Cookies\admin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\OLD\D\Admin\Cookies\admin@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
C:\System Volume Information\_restore{3E4CA2C9-9B9A-4F58-B2B7-9B9066ED8CE8}\RP5\A0003968.exe/serial.exe -> Trojan.Dialer.qn : No action taken.

::Report end

awf.txt contents:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 08/17/2007
The current time is: 20:14.39

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

Many Thanks,
Gita
#12, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Please ensure Hidden files and folders are viewable:
Go to My Computer -> Tools -> Folder Options -> View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to C:\Windows\desktop.ini
Please post the contents of the desktop.ini. If there is more than one, then post the contents of each. Do not search for desktop.ini; we only want to see the one(s) in the Windows folder.
#13, Gita (Registered User, OS: Win XP)
Contents of Desktop.ini:
[ExtShellFolderViews]
{BE098140-A513-11D0-A3A4-00C04FD706EC}={BE098140-A513-11D0-A3A4-00C04FD706EC}

[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
Attributes = 1
IconArea_Image = c:\windows\system32\WindXP.ini

[.ShellClassInfo]
InfoTip=How are you Admin, nice to meet you!

Gita
#14, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Thanks.
Delete the following file:
c:\windows\system32\WindXP.ini

-------------------------------------------

Is that image now gone from your Windows folder background?
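The desktop.ini posted in #13 is the whole mechanism behind the samurai picture: Explorer honours a per-folder desktop.ini, the section keyed by the web-view CLSID {BE098140-A513-11D0-A3A4-00C04FD706EC} carries IconArea_Image (the folder background) and [.ShellClassInfo] carries InfoTip (the hover text), and the file the posted entry points at, c:\windows\system32\WindXP.ini, is an image hiding behind a .ini name, which is why deleting it removes the picture. The script below is an added example, not code from the thread: it parses a desktop.ini with the standard library, reports any background image, checks whether the target's extension and its file header agree, and reports a custom InfoTip. build_fixture() writes constructed data into a temporary directory that reproduces the posted file next to a benign folder-icon desktop.ini, so the audit can be run offline; the path of the fixture is the only thing that differs from the real case.

```python
r"""Audit a folder's desktop.ini for a background image and hover text.

Added example; not code from the thread. The web-view section of desktop.ini
(keyed by WEBVIEW_CLSID) can point IconArea_Image at any file Explorer can
decode; the posted file pointed it at c:\windows\system32\WindXP.ini, an image
with a .ini extension. The fixture built here is constructed data.
"""
import configparser
import tempfile
from pathlib import Path

# CLSID Explorer uses for the per-folder web-view customisation section.
WEBVIEW_CLSID = "{BE098140-A513-11D0-A3A4-00C04FD706EC}"
IMAGE_EXTS = {".bmp", ".gif", ".jpg", ".jpeg", ".png"}
IMAGE_MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
               (b"GIF8", "gif"), (b"BM", "bmp")]


def sniff_image(path):
    """Identify an image by its header bytes, ignoring the extension; None if not an image."""
    try:
        head = Path(path).read_bytes()[:8]
    except OSError:
        return None
    for magic, kind in IMAGE_MAGIC:
        if head.startswith(magic):
            return kind
    return None


def audit_desktop_ini(ini_path):
    """Return a list of (finding, detail) tuples for one desktop.ini; empty means nothing unusual."""
    ini_path = Path(ini_path)
    # "=" only: a drive-letter path on the right-hand side must not be split at ":".
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str            # keep key case as written in the file
    cp.read(ini_path)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            value = value.strip().strip('"')
            if key.lower() == "iconarea_image":
                target = Path(value)
                if not target.is_absolute():       # relative targets resolve against the folder
                    target = ini_path.parent / target
                findings.append(("background_image", str(target)))
                ext_ok = target.suffix.lower() in IMAGE_EXTS
                if not ext_ok:
                    findings.append(("non_image_extension", str(target)))
                kind = sniff_image(target)
                if kind and not ext_ok:
                    # extension says config file, header says image: the WindXP.ini trick
                    findings.append((f"disguised_{kind}", str(target)))
                elif kind is None and target.exists():
                    findings.append(("target_not_an_image", str(target)))
            elif key.lower() == "infotip" and value:
                findings.append(("custom_infotip", value))
    return findings


def build_fixture(root):
    """Construct two folders under root: one reproducing the posted desktop.ini, one benign."""
    root = Path(root)
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    # Constructed stand-in for WindXP.ini: a JPEG header behind a .ini name.
    (sys32 / "WindXP.ini").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8)
    (root / "WINDOWS" / "desktop.ini").write_text(
        "[ExtShellFolderViews]\n"
        f"{WEBVIEW_CLSID}={WEBVIEW_CLSID}\n"
        f"[{WEBVIEW_CLSID}]\n"
        "Attributes = 1\n"
        f"IconArea_Image = {sys32 / 'WindXP.ini'}\n"
        "[.ShellClassInfo]\n"
        "InfoTip=How are you Admin, nice to meet you!\n"
    )
    pictures = root / "Pictures"
    pictures.mkdir()
    # A folder-icon-only desktop.ini of the kind Windows writes itself.
    (pictures / "desktop.ini").write_text(
        "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\SHELL32.dll,-236\n"
    )
    return root / "WINDOWS" / "desktop.ini", pictures / "desktop.ini"


def demo():
    """Build the fixture in a temp dir and audit both files; returns {folder: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        suspicious, benign = build_fixture(tmp)
        return {"WINDOWS": audit_desktop_ini(suspicious), "Pictures": audit_desktop_ini(benign)}


if __name__ == "__main__":
    for folder, findings in demo().items():
        print(f"{folder}: {'clean' if not findings else ''}")
        for what, detail in findings:
            print(f"  {what:22} {detail}")
```

On the fixture the WINDOWS folder yields background_image, non_image_extension, disguised_jpeg and custom_infotip, while the Pictures folder yields nothing. Point `audit_desktop_ini()` at a real C:\Windows\desktop.ini (after showing hidden and protected files, as in #12) to get the same report; a desktop.ini customisation of this kind is not code execution, so removing the image file, as done in #14, or the IconArea_Image and InfoTip lines is the whole fix.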
#15, Gita (Registered User, OS: Win XP)
Hi Ried,
Deleted the file and the image is finally off my PC. Thanks so much!! Husband's laptop also clean once he deleted the same file... Can't thank you enough..

Gita
#16, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
You're welcome, Gita.
Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm. Click OK.

Ensure Windows Auto Update is Enabled
* Go to Start > Run - type wuaucpl.cpl
* Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.

**************************************************************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD).

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
* PC Safety and Security--What Do I Need?
* HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
* THE ANTI-SPYWARE TUTORIAL
* MAKING INTERNET EXPLORER SAFER
* Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.