Resolved HJT Threads Resolved spyware and popup issues.
11-02-2008, 09:36 AM   #1
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Infected by trojans in pseudo-codec

Hi,

A couple of days ago I clicked on a .wmv file I had downloaded on my laptop and installed a supposedly missing codec that windows media player supposedly found. This triggered a bunch of trojans hidden in a .avi file that I had downloaded together with the .wmv file. I think that what happened to me is exactly what is described in this threat expert report:
http://www.threatexpert.com/report.a...c-ba5c9defd72d.

Unfortunately, I urgently needed my computer to work with and I had to try to do some cleaning on my own. My computer looks ok but I want to make sure that it is safe. I am posting below details about my system, symptoms, threats identified by various scanners and fresh gmer and rsit logs.

My system: it is a Vaio with pre-installed Windows XP Home, now SP3 with all critical updates installed, with two partitions c: and d:. When I was attacked, there were also two virtual drives f: and g:, and there was also a removable drive i: connected to my laptop. My router firewall was enabled, as well as the Norton Internet Security 2009 firewall and Auto-Protect.

The symptoms: Two "programs" were installed named hdtv or something and sexvid. As soon as that happened, NIS notified me of new threats that it detected and removed. In the quarantine section I found c:\windows\temp\tempo-df7.tmp and c:\elurfpk.exe detected by SONAR and w32.SillyDC detected by Auto-Protect. I think that the first two files point at vundo and downloader. Also, there were hidden dirs named "resycled" in all three hard drives (c,d,and i). When I opened IE, I got a "system shutdown" message (in 60s) initiated by user NT due to an error in lsass (status 1073741819). Finally, when I restarted (in safe mode) I got a "found new hardware" message which I ignored.

Actions: Went into safe mode w/network and did a full scan with NIS. Found nothing. Downloaded a few freeware and shareware antimalware programs and performed scans. Unfortunately, I had disconnected my removable HD and it took some time to disable System Restore. Spyware Doctor found Trojan-Downloader.Popuper and Trojan-Downloader.NUS. Avira AntiVir free found and quarantined the TR/Crypt.PEPM.Gen Trojan in file C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHCC6.tmp (is this a file quarantined by Norton?), TR/Dldr.Small.DDT.4 in C:\Documents and Settings\User\Local Settings\Temp\codec.exe, and the TR/Passcrack.B Trojan in C:\WINDOWS\Temp\tmpBC.tmp. Malwarebytes' Anti-Malware found and removed Trojan.Vundo, Rootkit.Agent, and Malware.Trace from the registry, and it also found and deleted Trojan.DNSChanger in C:\resycled\boot.com, and Trojan.Vundo, Rootkit.Agent, Trojan.Agent, Trojan.DNSChanger and Trojan.FakeAlert in 9 files in windows, windows\temp, windows\system32, and in Temporary Internet Files. After that, I got rid of the 60s shutdown message, but I still had the hidden "resycled" dirs in d: and in i: (which I plugged back in).
Subsequently, I ran ComboFix, SDFix and Flash_Disinfector. ComboFix deleted the system32 files acfiPqss.ini, acfiPqss.ini2, and mdm.exe, as well as C:\WINDOWS\winhelp.ini and two Autorun.inf files from d: and i:. After running these tools, I did not have "resycled" folders any more. These were replaced by "autorun.inf" hidden folders (I think by Flash_Disinfector). Finally, I went to system devices and manually removed the "new hardware" entry.

I am very worried about all these trojans found and I absolutely have no idea whether my computer is now safe or not. Could you please help me on that? I am attaching fresh gmer and rsit logs.

Thank you very very much

Logfile of random's system information tool 1.04 (written by random/random)
Run by User at 2008-11-02 17:36:40
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (47%) free of 38 GB
Total RAM: 2046 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:43, on 2/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Conexant\AccessRunner ADSL USB\CnxDslTb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Επιφάνεια εργασίας\RSIT.exe
C:\Program Files\trend micro\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VAIO Update 4] "C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL USB\CnxDslTb.exe" "Conexant\AccessRunner ADSL USB"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150570523546
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 13211 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
C:\WINDOWS\tasks\Temp.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll [2008-10-20 340848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL [2008-10-20 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-02 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-02 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-02 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-02 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll [2008-10-20 340848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2005-09-27 81920]
"SonyPowerCfg"=C:\Program Files\Sony\VAIO Power Management\SPMgr.exe [2005-10-19 184320]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-06-29 14720000]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2005-06-29 114688]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-06-09 6746112]
"Mouse Suite 98 Daemon"=C:\WINDOWS\system32\ICO.EXE [2002-03-14 45056]
"ISBMgr.exe"=C:\Program Files\Sony\ISB Utility\ISBMgr.exe [2004-02-20 32768]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-06-29 94208]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-06-29 77824]
"basicsmssmenu"=C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe [2007-10-09 169328]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2005-04-29 45056]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2003-11-07 114688]
"VAIO Update 4"=C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe [2008-08-24 870240]
"CnxDslTaskBar"=C:\Program Files\Conexant\AccessRunner ADSL USB\CnxDslTb.exe [2005-05-30 278528]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-02 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-02-01 21898024]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-30 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

C:\Documents and Settings\User\Start Menu\Προγράμματα\Εκκίνηση
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-06-29 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon]
C:\WINDOWS\system32\VESWinlogon.dll [2005-05-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
"NoDriveAutoRun"=FFFFFFFF
"NoDriveTypeAutoRun"=36

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Sony\VAIO Media 5.0\Vc.exe"="C:\Program Files\Sony\VAIO Media 5.0\Vc.exe:*:Disabled:[VAIO Media] VAIO Media"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Disabled:Football Manager 2008"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449f9ca1-434c-11dc-bda2-00166f651be2}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67c38a0-e51e-11db-bd39-94b187069962}]
shell\AutoRun\command - H:\setupSNK.exe


======List of files/folders created in the last 1 months======

2008-11-02 17:36:40 ----D---- C:\rsit
2008-11-02 16:53:18 ----SHD---- C:\Config.Msi
2008-11-02 16:46:26 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2008-11-02 16:46:25 ----D---- C:\Program Files\NOS
2008-11-02 16:17:26 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-02 16:17:26 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-02 16:17:26 ----A---- C:\WINDOWS\system32\java.exe
2008-11-02 16:17:26 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-02 16:17:02 ----D---- C:\Program Files\Java
2008-11-02 12:31:07 ----A---- C:\WINDOWS\gmer.ini
2008-11-02 12:31:05 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-02 12:31:05 ----A---- C:\WINDOWS\gmer.exe
2008-11-02 12:31:05 ----A---- C:\WINDOWS\gmer.dll
2008-11-02 0149 ----D---- C:\Program Files\Unlocker
2008-11-01 23:38:41 ----D---- C:\Program Files\Common Files\BitDefender
2008-11-01 05:17:03 ----D---- C:\WINDOWS\ERUNT
2008-11-01 04:46:29 ----SHD---- C:\RECYCLER
2008-11-01 04:39:11 ----D---- C:\WINDOWS\temp
2008-11-01 04:39:09 ----A---- C:\ComboFix.txt
2008-11-01 04:27:53 ----A---- C:\WINDOWS\zip.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\VFIND.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\SWSC.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\SWREG.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\sed.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\grep.exe
2008-11-01 04:27:53 ----A---- C:\WINDOWS\fdsv.exe
2008-11-01 04:27:48 ----D---- C:\WINDOWS\ERDNT
2008-11-01 03:58:11 ----A---- C:\WINDOWS\system32\tmp.txt
2008-11-01 03:58:01 ----A---- C:\rapport.txt
2008-11-01 01:05:24 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-11-01 00:56:19 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2008-10-31 23:55:28 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-31 23:55:28 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 18:08:54 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-10-31 18:08:54 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-10-31 18:08:54 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-10-31 18:08:54 ----A---- C:\WINDOWS\system32\unrar3.dll
2008-10-31 18:08:47 ----D---- C:\Documents and Settings\User\Application Data\Simply Super Software
2008-10-31 15:42:11 ----D---- C:\Program Files\Trend Micro
2008-10-31 12:41:05 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-31 12:41:00 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-31 12:25:16 ----D---- C:\Program Files\XoftSpySE
2008-10-28 23:28:23 ----D---- C:\Documents and Settings\User\Application Data\Elaborate Bytes
2008-10-27 23:34:08 ----D---- C:\Documents and Settings\User\Application Data\uTorrent
2008-10-26 16:53:08 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-10-25 08:38:59 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 11:13:56 ----D---- C:\Program Files\Symantec
2008-10-20 11:13:56 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-20 11:13:20 ----D---- C:\Program Files\Windows Sidebar
2008-10-20 11:13:03 ----D---- C:\Program Files\NortonInstaller
2008-10-19 16:01:51 ----D---- C:\Documents and Settings\User\Application Data\EDrawings
2008-10-19 15:59:40 ----A---- C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-10-19 15:59:35 ----D---- C:\Program Files\Common Files\SolidWorks Shared
2008-10-19 15:59:10 ----D---- C:\Program Files\Common Files\eDrawings2009
2008-10-19 13:24:37 ----D---- C:\Program Files\Conduit
2008-10-19 13:24:36 ----D---- C:\Program Files\Freecorder
2008-10-19 13:24:24 ----D---- C:\WINDOWS\Freecorder Toolbar
2008-10-16 11:14:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 11:14:21 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 11:14:13 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 11:11:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 11:11:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$

======List of files/folders modified in the last 1 months======

2008-11-02 17:07:27 ----A---- C:\WINDOWS\wincmd.ini
2008-11-02 17:01:50 ----D---- C:\WINDOWS\system32\Lang
2008-11-02 17:01:46 ----D---- C:\WINDOWS\system32
2008-11-02 17:01:40 ----D---- C:\WINDOWS
2008-11-02 16:59:57 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-02 16:59:56 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-02 16:57:22 ----D---- C:\Program Files\totalcmd
2008-11-02 16:54:10 ----SHD---- C:\WINDOWS\Installer
2008-11-02 16:54:03 ----D---- C:\Program Files\Common Files\Adobe
2008-11-02 16:54:03 ----D---- C:\Program Files\Adobe
2008-11-02 16:53:19 ----D---- C:\Program Files\Common Files
2008-11-02 16:52:29 ----D---- C:\Documents and Settings\User\Application Data\Adobe
2008-11-02 16:49:40 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-02 16:46:27 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-02 16:46:25 ----RD---- C:\Program Files
2008-11-02 16:44:44 ----SHD---- C:\System Volume Information
2008-11-02 16:44:44 ----D---- C:\WINDOWS\system32\Restore
2008-11-02 16:03:16 ----D---- C:\WINDOWS\Prefetch
2008-11-02 15:39:58 ----RASH---- C:\boot.ini
2008-11-02 15:39:58 ----A---- C:\WINDOWS\win.ini
2008-11-02 15:39:58 ----A---- C:\WINDOWS\system.ini
2008-11-02 15:36:40 ----D---- C:\Program Files\FlashGet
2008-11-02 15:34:08 ----D---- C:\Program Files\ArrayVisualizer
2008-11-02 15:28:30 ----D---- C:\Program Files\WinRAR
2008-11-02 15:25:43 ----RSD---- C:\WINDOWS\Fonts
2008-11-02 15:23:49 ----D---- C:\Program Files\Soulseek
2008-11-02 15:22:22 ----D---- C:\Program Files\Ahead
2008-11-02 15:22:21 ----D---- C:\WINDOWS\system32\drivers
2008-11-02 15:21:37 ----D---- C:\Program Files\Offline Explorer Enterprise
2008-11-02 15:21:26 ----D---- C:\Program Files\MathType
2008-11-02 15:18:40 ----D---- C:\Program Files\FrostWire
2008-11-02 15:18:30 ----D---- C:\Program Files\GuitarVision
2008-11-02 13:43:53 ----D---- C:\Program Files\AspenTech
2008-11-02 13:42:17 ----D---- C:\Program Files\Common Files\AspenTech Shared
2008-11-02 13:41:00 ----D---- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-11-02 13:40:58 ----HD---- C:\WINDOWS\inf
2008-11-02 13:37:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-02 13:10:26 ----D---- C:\WINDOWS\WinSxS
2008-11-01 20:41:31 ----D---- C:\Documents and Settings\User\Application Data\Skype
2008-11-01 05:53:24 ----D---- C:\WINDOWS\BDOSCAN8
2008-11-01 05:21:43 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-01 04:32:45 ----D---- C:\WINDOWS\AppPatch
2008-11-01 04:07:50 ----SD---- C:\WINDOWS\Tasks
2008-11-01 00:38:26 ----A---- C:\WINDOWS\WININIT.INI
2008-11-01 00:38:18 ----D---- C:\Program Files\BearShare
2008-10-31 16:07:59 ----D---- C:\Documents and Settings\User\Application Data\skypePM
2008-10-31 13:03:02 ----D---- C:\WINDOWS\Debug
2008-10-31 03:41:31 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-30 17:29:19 ----D---- C:\Documents and Settings\User\Application Data\FrostWire
2008-10-30 13:33:53 ----A---- C:\WINDOWS\workshop.ini
2008-10-28 23:41:35 ----A---- C:\WINDOWS\Lexicon.ini
2008-10-26 15:58:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-25 08:38:23 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-20 17:22:01 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-10-20 11:13:20 ----D---- C:\Program Files\Norton Internet Security
2008-10-20 11:13:20 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2008-10-20 08:35:25 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-20 08:35:25 ----D---- C:\Program Files\Sony
2008-10-20 08:17:18 ----D---- C:\Update
2008-10-16 11:26:57 ----D---- C:\WINDOWS\system32\wbem
2008-10-16 11:13:55 ----D---- C:\Program Files\Internet Explorer
2008-10-15 18:35:43 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-11 01:41:26 ----D---- C:\WINDOWS\system32\LogFiles
2008-10-10 14:20:23 ----SD---- C:\Documents and Settings\User\Application Data\Microsoft
2008-10-07 21:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-07 10:13:22 ----D---- C:\WINDOWS\Help
2008-10-03 19:11:59 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys []
R1 ccHP;Symantec Hash Provider; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys []
R1 DMICall;Sony DMI Call service; C:\WINDOWS\system32\DRIVERS\DMICall.sys [2000-12-05 3952]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081031.001\IDSxpx86.sys []
R1 intelppm;Οδηγός επεξεργαστή Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40832]
R1 SRTSP;SRTSP; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SRTSP.SYS []
R1 SRTSPX;SRTSPX; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SRTSPX.SYS []
R1 SYMTDI;SYMTDI; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMTDI.SYS []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-11-30 17801]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-05-03 11354]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2003-09-29 94601]
R3 CmBatt;Microsoft - Πρόγραμμα οδήγησης μπαταρίας μεθόδου ελέγχου ACPI; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-13 155648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-02 85969]
R3 HDAudBus;Πρόγραμμα οδήγησης διαύλου Microsoft UAA για High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-05-23 1034752]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-05-23 178048]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-06-29 3173888]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081101.019\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081101.019\NAVEX15.SYS []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-06-09 3192192]
R3 SNC;Sony Notebook Control Device; C:\WINDOWS\System32\Drivers\SonyNC.sys [2000-11-09 48896]
R3 SYMDNS;SYMDNS; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMDNS.SYS []
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMFW.SYS []
R3 SYMIDS;SYMIDS; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMIDS.SYS []
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-10-20 35888]
R3 SYMNDIS;SYMNDIS; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMNDIS.SYS []
R3 SYMREDRV;SYMREDRV; \??\C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMREDRV.SYS []
R3 tifmsony;tifmsony; C:\WINDOWS\system32\drivers\tifmsony.sys [2005-08-11 77312]
R3 usbehci;Πρόγραμμα οδήγησης USB 2.0-προηγμένου κεντρικού ελεγκτή Miniport της Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Διανομέας με δυνατότητα USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;Πρόγραμμα οδήγησης μαζικής αποθήκευσης USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Πρόγραμμα οδήγησης Miniport ενιαίου κεντρικού ελεγκτή Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-05-23 716288]
S3 Arp1394;Πρωτόκολλο πελάτη ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys []
S3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver; C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2005-05-30 131072]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver; C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2005-05-30 618112]
S3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver; C:\WINDOWS\system32\DRIVERS\CnxTgNP.sys [2005-05-30 61952]
S3 HidUsb;Πρόγραμμα οδήγησης HID της Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-06-29 1050140]
S3 LEX_AS_NIC_SERVICE_YNOS;LAN-Express AS IEEE 802.11g Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ExpasAG.sys [2005-02-10 456448]
S3 mouhid;Πρόγραμμα οδήγησης ποντικιού HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-11-26 12288]
S3 NIC1394;Πρόγραμμα οδήγησης δικτύου 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
S3 pmxscan;USB ScanModule V5.0 Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-10-20 35888]
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 vaxscsi;vaxscsi; C:\WINDOWS\System32\Drivers\vaxscsi.sys []
S3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-04-30 3281408]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S4 WS2IFSL;Περιβάλλον υποστήριξης της υπηρεσίας παροχής Non-IFS για το Windows Socket 2.0; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-09-07 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
R2 Basics Service;Basics Service; C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2005-06-03 86016]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-02 152984]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB; C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 7520337]
R2 Norton Internet Security;Norton Internet Security; C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2008-10-20 115560]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-06-09 127044]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2005-06-03 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2005-06-03 372809]
R2 VAIO Event Service;VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [2005-05-20 153600]
R2 VzCdbSvc;VAIO Entertainment Database Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [2005-09-01 167936]
R2 VzFw;VAIO Entertainment File Import Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [2005-09-01 135168]
R3 Vcsw;VAIO Entertainment UPnP Client Adapter; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [2005-09-01 270336]
S2 VCI;VAIO Cooporated Initialisation; C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe [2005-01-04 398336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-07-19 69632]
S3 aspnet_state;Υπηρεσία κατάστασης ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-19 138168]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment; C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 32768]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2005-08-30 53337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2005-08-30 53337]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-10-19 79360]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2005-08-30 69718]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB; C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 311872]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2005-09-27 69632]
S3 usnjsvc;Υπηρεσία ανάγνωσης χρονικού USN κοινόχρηστων φακέλων του Messenger; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 VAIO Entertainment TV Device Arbitration Service;VAIO Entertainment TV Device Arbitration Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe [2005-10-06 73728]
S3 VAIOMediaPlatform-IntegratedServer-AppServer;VAIO Media Integrated Server; C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe [2005-10-11 1982464]
S3 VAIOMediaPlatform-IntegratedServer-HTTP;VAIO Media Integrated Server (HTTP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2005-10-11 57344]
S3 VAIOMediaPlatform-IntegratedServer-UPnP;VAIO Media Integrated Server (UPnP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2005-10-11 770048]
S3 VAIOMediaPlatform-Mobile-Gateway;VAIO Media Gateway Server; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe [2005-10-11 188416]
S3 WMPNetworkSvc;Υπηρεσία κοινής χρήσης δικτύου του Windows Media Player; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 922112]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------
Attached Files
File Type: txt gmer.txt (31.2 KB, 1 views)
File Type: txt info.txt (24.6 KB, 1 views)
Old 11-06-2008, 03:09 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

BUMP, please :)
Old 11-06-2008, 05:49 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

Hello yst_dfm,

Kindly post the C:\ComboFix.txt and C:\SDFix\Report.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 11-06-2008, 07:21 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Hello Ried,

Below you may find the requested logs. Please let me know if you need me to translate anything. Also note that I ran ComboFix without prior installation of the recovery console at that time.

Thank you for your time!!!

ComboFix log:
ComboFix 08-10-30.13 - User 2008-11-01 4:29:33.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1253.1.1032.18.1763 [GMT 2:00]
Running from: C:\Documents and Settings\User\Επιφάνεια εργασίας\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acfiPqss.ini
C:\WINDOWS\system32\acfiPqss.ini2
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\winhelp.ini
D:\Autorun.inf
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2008-11-01 03:58 . 2008-11-01 03:58 3,360 --a------ C:\WINDOWS\system32\tmp.reg
2008-11-01 01:05 . 2008-11-01 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-11-01 00:56 . 2008-11-01 00:56 <DIR> d-------- C:\Documents and Settings\User\Application Data\Uniblue
2008-11-01 00:31 . 2008-11-01 00:31 <DIR> d-------- C:\VundoFix Backups
2008-10-31 23:55 . 2008-11-01 04:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-31 23:55 . 2008-11-01 04:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 23:41 . 2008-10-31 23:41 <DIR> d-------- C:\rsit
2008-10-31 18:08 . 2008-11-01 04:07 <DIR> d-------- C:\Documents and Settings\User\Application Data\Simply Super Software
2008-10-31 18:08 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-10-31 18:08 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-10-31 18:08 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-10-31 18:08 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-10-31 15:42 . 2008-10-31 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-31 12:41 . 2008-10-31 12:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 12:41 . 2008-10-31 12:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-31 12:41 . 2008-10-31 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-31 12:41 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 12:41 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 12:25 . 2008-11-01 04:07 <DIR> d-------- C:\Program Files\XoftSpySE
2008-10-31 02:43 . 2008-10-31 02:43 0 --a------ C:\1420136176
2008-10-31 02:42 . 2008-10-31 02:42 108,336 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-10-28 23:28 . 2008-10-28 23:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\Elaborate Bytes
2008-10-27 23:34 . 2008-10-27 23:34 <DIR> d-------- C:\Program Files\uTorrent
2008-10-27 23:34 . 2008-10-31 02:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-10-26 16:53 . 2008-10-26 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-10-26 16:53 . 2008-10-26 16:52 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-10-26 16:50 . 2008-10-26 16:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-10-26 16:45 . 2008-08-25 12:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-26 16:45 . 2008-08-25 12:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-26 16:45 . 2008-08-25 12:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-26 16:45 . 2008-06-02 16:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-26 16:44 . 2008-11-01 02:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-26 16:44 . 2008-10-26 16:44 <DIR> d-------- C:\Documents and Settings\User\Application Data\PC Tools
2008-10-24 13:09 . 2008-10-15 18:35 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-20 11:14 . 2008-10-20 11:13 35,888 -ra------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-10-20 11:13 . 2008-10-20 11:13 <DIR> d-------- C:\WINDOWS\system32\drivers\NIS
2008-10-20 11:13 . 2008-10-20 11:13 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-20 11:13 . 2008-10-20 11:13 <DIR> d-------- C:\Program Files\Symantec
2008-10-20 11:13 . 2008-10-20 11:13 <DIR> d-------- C:\Program Files\NortonInstaller
2008-10-20 11:13 . 2008-10-20 11:13 124,464 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-20 11:13 . 2008-10-20 11:13 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-20 11:13 . 2008-10-20 11:13 10,635 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-20 11:13 . 2008-10-20 11:13 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-20 11:10 . 2008-10-20 11:10 <DIR> d-------- C:\Program Files\Freecorder Toolbar
2008-10-19 16:01 . 2008-10-19 16:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\EDrawings
2008-10-19 15:59 . 2008-10-19 15:59 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-10-19 15:59 . 2008-10-19 15:59 <DIR> d-------- C:\Program Files\Common Files\eDrawings2009
2008-10-19 15:59 . 2008-10-19 15:59 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-10-19 13:24 . 2008-10-19 13:24 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2008-10-19 13:24 . 2008-10-19 13:24 <DIR> d-------- C:\Program Files\Freecorder
2008-10-19 13:24 . 2008-10-19 13:24 <DIR> d-------- C:\Program Files\Conduit
2008-10-15 16:08 . 2008-08-14 15:23 2,196,224 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 16:08 . 2008-08-14 15:23 2,152,448 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 16:08 . 2008-08-14 15:23 2,073,088 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 16:08 . 2008-08-14 15:23 2,031,104 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 15:01 . 2008-09-15 17:25 1,846,656 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 14:57 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 01:30 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-31 22:38 --------- d-----w C:\Program Files\BearShare
2008-10-31 15:52 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-10-31 14:07 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-10-30 15:29 --------- d-----w C:\Documents and Settings\User\Application Data\FrostWire
2008-10-20 15:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-20 09:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-10-20 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2008-10-20 06:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-20 06:35 --------- d-----w C:\Program Files\Sony
2008-09-29 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-29 19:09 --------- d-----w C:\Documents and Settings\User\Application Data\Symantec
2008-09-29 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCSettings
2008-09-29 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-20 12:53 --------- d-----w C:\Program Files\FrostWire
2008-09-20 12:52 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-09-15 15:25 1,846,656 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 19:12 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-09-06 18:00 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-09-06 12:24 --------- d-----w C:\Program Files\LimeWire
2008-09-06 01:20 --------- d-----w C:\Program Files\Java
2008-09-05 22:02 172 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
2008-09-05 19:45 --------- d-----w C:\Program Files\FlashGet
2008-09-02 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-09-02 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-08-26 08:11 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-25 00:32 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 13:23 2,196,224 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 13:23 2,073,088 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-02 16:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-02-10 11:06 45,796 ----a-w C:\Program Files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-10-19 13:25 1569304 --a------ C:\Program Files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "C:\Program Files\Freecorder\tbFre1.dll" [2008-10-19 1569304]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "C:\Program Files\Freecorder\tbFre1.dll" [2008-10-19 1569304]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB8959"="command" [X]
"SpybotDeletingD4760"="del" [X]
"SpybotDeletingB9188"="command" [X]
"SpybotDeletingD8271"="del" [X]
"SpybotDeletingB673"="command" [X]
"SpybotDeletingD942"="del" [X]
"SpybotDeletingB6054"="command" [X]
"SpybotDeletingD8203"="del" [X]
"SpybotDeletingB9406"="command" [X]
"SpybotDeletingD6127"="del" [X]
"SpybotDeletingB3961"="command" [X]
"SpybotDeletingD7496"="del" [X]
"SpybotDeletingB3251"="command" [X]
"SpybotDeletingD9613"="del" [X]
"SpybotDeletingB7511"="command" [X]
"SpybotDeletingD8108"="del" [X]
"SpybotDeletingB7715"="command" [X]
"SpybotDeletingD9528"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-09-27 81920]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-12 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 114688]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-09 6746112]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 77824]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 114688]
"VAIO Update 4"="C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe" [2008-08-24 870240]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 C:\WINDOWS\RTHDCPL.EXE]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 C:\WINDOWS\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Προγράμματα^Εκκίνηση^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\User\Start Menu\Προγράμματα\Εκκίνηση\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-09-06 21:19 4608 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnxDslTaskBar]
-ra------ 2005-05-30 14:20 278528 C:\Program Files\CONEXANT\AccessRunner ADSL USB\CnxDslTb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 18:30 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 12:01 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-10-20 309296]
R3 USBSTOR;Πρόγραμμα οδήγησης μαζικής αποθήκευσης USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Πρόγραμμα οδήγησης Miniport ενιαίου κεντρικού ελεγκτή Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-10-20 254512]
S1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-10-20 362544]
S1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081031.001\IDSxpx86.sys [2008-10-03 274808]
S1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-10-26 160792]
S2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 7520337]
S2 Norton Internet Security;Norton Internet Security;C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll [ ]
S3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2005-05-30 131072]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2005-05-30 618112]
S3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgNP.sys [2005-05-30 61952]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 32768]
S3 pmxscan;USB ScanModule V5.0 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 311872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{449f9ca1-434c-11dc-bda2-00166f651be2}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47ef56aa-6010-11dd-bf5c-d22a445c9a20}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com i:
\Shell\Open\command - I:\resycled\boot.com i:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a67c38a0-e51e-11db-bd39-94b187069962}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbc4ec1-d087-11da-b82d-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - D:\resycled\boot.com d:

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-27 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe []

2008-10-31 C:\WINDOWS\Tasks\Temp.job
- C:\WINDOWS\Temp [2008-11-01 04:35]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\jehef957.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 04:35:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
Completion time: 2008-11-01 4:39:08
ComboFix-quarantined-files.txt 2008-11-01 02:38:03

Pre-Run: 17 Κατάλογοι 16,342,454,272 διαθέσιμα byte


SDFix: Version 1.238
Run by User on ‘˜™ 01/11/2008 at 05:23

Microsoft Windows XP [λ΅›¦©ž 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 05:37:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x2018\3“\3\3\xb3\3—\3‘\3\3\xbd\3\3’\3 ?\3‘\3\3“\3\xb1\3‘\3Œ\3\3\xb3\3\xad\3\xb1\3’\3 ?R?A?S?"=str(7):"1\0"
"\xa0\3\xb1\3Š\3\xad\3”\3\3 ?—\3‘\3\3\xbd\3\3\x384\3‰\3\xb1\3\xb3\3‘\3\xac\3Œ\3Œ\3\xb1\3”\3\3’\3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0003\0"
"\x2018\3\3µ\3•\3ˆ\3µ\3\x2015\3\xb1\3’\3 ?\3\xb1\3‘\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3‘\3\3“\3\xb1\3‘\3Œ\3\3\xb3\3\xad\3\xb1\3’\3 ?\x384\3‰\3Š\3”\3\3\3•\3 ?1?3?9?4?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:6323484a
"s2"=dword:b9f37d6b
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:45,12,e1,44,23,3f,93,c7,0a,49,da,ba,0d,01,ee,3c,19,98,a5,0b,ad,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:cb,76,12,93,d5,63,c5,80,89,7d,be,03,57,11,93,e8,fd,db,66,9e,02,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x2018\3“\3\3\xb3\3—\3‘\3\3\xbd\3\3’\3 ?\3‘\3\3“\3\xb1\3‘\3Œ\3\3\xb3\3\xad\3\xb1\3’\3 ?R?A?S?"=str(7):"1\0"
"\xa0\3\xb1\3Š\3\xad\3”\3\3 ?—\3‘\3\3\xbd\3\3\x384\3‰\3\xb1\3\xb3\3‘\3\xac\3Œ\3Œ\3\xb1\3”\3\3’\3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0003\0"
"\x2018\3\3µ\3•\3ˆ\3µ\3\x2015\3\xb1\3’\3 ?\3\xb1\3‘\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3‘\3\3“\3\xb1\3‘\3Œ\3\3\xb3\3\xad\3\xb1\3’\3 ?\x384\3‰\3Š\3”\3\3\3•\3 ?1?3?9?4?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:45,12,e1,44,23,3f,93,c7,0a,49,da,ba,0d,01,ee,3c,19,98,a5,0b,ad,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\xa0\3‘\3\3µ\3\3‰\3\xbb\3µ\3\xb3\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="",,,,,,,,,,,,,""
"\x9a\3‰\3\xbd\3\3\3Œ\3µ\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"\x2020\3“\3\3‘\3\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"\xa7\3\xad\3‘\3‰\3\xb1\3 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xa7\3\xad\3‘\3‰\3\xb1\3 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"\x201d\3µ\3‰\3\xbd\3œ\3“\3\xb1\3•\3‘\3\3’\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xa0\3‘\3\3\xb7\3\xb3\3\3\3Œ\3µ\3\xbd\3\3 ?Œ\3\3\xbd\3”\3\xad\3\xbb\3\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xa3\3\3\xbd\3ˆ\3µ\3“\3\xb7\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x9c\3µ\3\xb3\3\xad\3ˆ\3•\3\xbd\3“\3\xb7\3"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\xa0\3\xb1\3‘\3\xb1\3\xbb\3\xbb\3\xb1\3\xb3\3\xad\3’\3"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x9c\3\3‘\3\3\3”\3\xb6\3‰\3\xbd\3\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\x9c\3\xb1\3\3‘\3\xb1\3 ?W?i?n?d?o?w?s? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\x9c\3\xb1\3\3‘\3\xb1\3 ?W?i?n?d?o?w?s? ?(?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\x9c\3\xb1\3\3‘\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\3\3\xbb\3\3 ?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"\x2018\3\xbd\3”\3µ\3“\3”\3‘\3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur"
"\x2018\3\xbd\3”\3µ\3“\3”\3‘\3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"\x2018\3\xbd\3”\3µ\3“\3”\3‘\3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\3\3\xbb\3\3 ?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"\xa4\3•\3\3‰\3Š\3\xac\3 ?W?i?n?d?o?w?s? ?(?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"\xa4\3•\3\3‰\3Š\3\xac\3 ?W?i?n?d?o?w?s? ?(?\3\3\xbb\3\3 ?Œ\3µ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xa0\3\xb1\3‰\3—\3\xbd\3\x2015\3\x384\3‰\3\xb1\3"="’Ώ·Έ®Ό±Δ±\*±ΉΗ½―΄Ή±"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:?Torrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe"="C:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe:*:Disabled:[VAIO Media] VAIO Media"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:FrostWire"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Tue 31 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 22 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 2 Apr 2007 27,648 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Templates\~WRL2115.tmp"
Sat 2 Feb 2008 312,320 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0127.tmp"
Wed 5 Mar 2008 647,168 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0184.tmp"
Mon 5 Nov 2007 15,360 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0236.tmp"
Wed 5 Mar 2008 627,712 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0251.tmp"
Wed 5 Mar 2008 597,504 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0252.tmp"
Mon 2 Apr 2007 313,856 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0254.tmp"
Tue 6 Nov 2007 15,872 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0272.tmp"
Wed 5 Mar 2008 594,944 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0296.tmp"
Wed 5 Mar 2008 404,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0315.tmp"
Sun 3 Feb 2008 356,352 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0338.tmp"
Wed 5 Mar 2008 455,168 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0344.tmp"
Wed 5 Mar 2008 595,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0375.tmp"
Mon 14 May 2007 18,532,352 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0383.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0411.tmp"
Wed 5 Mar 2008 594,432 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0420.tmp"
Wed 5 Mar 2008 595,968 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0483.tmp"
Thu 6 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0485.tmp"
Mon 14 May 2007 18,532,864 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0541.tmp"
Wed 5 Mar 2008 592,384 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0564.tmp"
Sun 13 May 2007 20,248,064 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0631.tmp"
Wed 5 Mar 2008 462,848 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0651.tmp"
Wed 5 Mar 2008 598,528 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0710.tmp"
Tue 6 Nov 2007 19,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0750.tmp"
Wed 5 Mar 2008 464,384 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0759.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0772.tmp"
Wed 5 Mar 2008 595,968 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0788.tmp"
Wed 5 Mar 2008 600,064 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0793.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0796.tmp"
Mon 14 May 2007 18,532,864 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0828.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0861.tmp"
Sat 2 Feb 2008 297,472 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0875.tmp"
Wed 5 Mar 2008 633,856 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0884.tmp"
Wed 5 Mar 2008 592,896 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0926.tmp"
Wed 5 Mar 2008 594,432 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0968.tmp"
Wed 5 Mar 2008 592,896 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0988.tmp"
Wed 5 Mar 2008 473,600 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1009.tmp"
Wed 5 Mar 2008 456,192 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1060.tmp"
Wed 5 Mar 2008 599,552 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1068.tmp"
Wed 5 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1074.tmp"
Wed 5 Mar 2008 593,408 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1087.tmp"
Fri 30 Mar 2007 227,840 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1109.tmp"
Mon 14 May 2007 18,529,792 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1140.tmp"
Wed 5 Mar 2008 457,216 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1148.tmp"
Wed 5 Mar 2008 592,896 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1167.tmp"
Sun 3 Feb 2008 355,328 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1202.tmp"
Wed 5 Mar 2008 596,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1205.tmp"
Mon 5 Nov 2007 15,360 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1230.tmp"
Tue 6 Nov 2007 26,112 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1302.tmp"
Wed 5 Mar 2008 588,800 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1347.tmp"
Wed 5 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1419.tmp"
Sat 2 Feb 2008 304,640 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1433.tmp"
Wed 5 Mar 2008 596,992 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1484.tmp"
Wed 5 Mar 2008 460,800 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1679.tmp"
Sun 3 Feb 2008 356,352 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1857.tmp"
Mon 2 Apr 2007 254,464 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1892.tmp"
Wed 5 Mar 2008 591,872 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1900.tmp"
Wed 5 Mar 2008 464,384 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1921.tmp"
Wed 5 Mar 2008 596,992 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1963.tmp"
Wed 5 Mar 2008 462,848 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1995.tmp"
Wed 5 Mar 2008 594,432 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2019.tmp"
Wed 5 Mar 2008 393,216 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2032.tmp"
Wed 5 Mar 2008 596,992 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2068.tmp"
Sat 2 Feb 2008 304,128 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2108.tmp"
Sun 3 Feb 2008 350,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2121.tmp"
Wed 5 Mar 2008 596,992 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2124.tmp"
Mon 14 May 2007 18,530,304 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2129.tmp"
Mon 14 May 2007 18,530,304 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2229.tmp"
Sun 3 Feb 2008 354,816 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2257.tmp"
Wed 5 Mar 2008 594,944 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2313.tmp"
Sat 2 Feb 2008 296,960 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2316.tmp"
Wed 5 Mar 2008 461,312 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2317.tmp"
Sat 2 Feb 2008 301,056 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2336.tmp"
Wed 5 Mar 2008 592,896 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2392.tmp"
Mon 14 May 2007 18,531,840 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2442.tmp"
Mon 14 May 2007 18,529,792 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2476.tmp"
Mon 14 May 2007 18,529,280 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2482.tmp"
Wed 5 Mar 2008 599,552 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2591.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2611.tmp"
Wed 5 Mar 2008 463,360 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2637.tmp"
Wed 5 Mar 2008 595,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2677.tmp"
Wed 5 Mar 2008 593,408 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2689.tmp"
Sun 3 Feb 2008 349,696 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2698.tmp"
Mon 14 May 2007 18,529,792 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2706.tmp"
Sun 3 Feb 2008 347,648 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2743.tmp"
Wed 5 Mar 2008 600,576 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2759.tmp"
Sat 2 Feb 2008 296,960 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2799.tmp"
Sat 2 Feb 2008 316,928 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2817.tmp"
Sun 3 Feb 2008 7,100,928 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2859.tmp"
Tue 6 Nov 2007 28,672 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2864.tmp"
Wed 5 Mar 2008 587,776 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2999.tmp"
Wed 5 Mar 2008 596,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3058.tmp"
Wed 5 Mar 2008 477,184 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3078.tmp"
Wed 5 Mar 2008 595,968 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3081.tmp"
Mon 2 Apr 2007 210,432 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3183.tmp"
Fri 30 Mar 2007 227,840 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3193.tmp"
Sun 3 Feb 2008 349,696 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3220.tmp"
Wed 5 Mar 2008 599,552 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3264.tmp"
Mon 2 Apr 2007 250,368 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3292.tmp"
Wed 5 Mar 2008 457,216 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3294.tmp"
Sun 13 May 2007 20,249,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3323.tmp"
Thu 6 Mar 2008 629,248 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3347.tmp"
Thu 6 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3360.tmp"
Sun 3 Feb 2008 355,328 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3388.tmp"
Wed 5 Mar 2008 592,384 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3446.tmp"
Wed 5 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3464.tmp"
Mon 2 Apr 2007 207,360 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3474.tmp"
Sun 3 Feb 2008 354,816 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3520.tmp"
Wed 5 Mar 2008 461,824 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3562.tmp"
Wed 5 Mar 2008 588,800 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3565.tmp"
Wed 5 Mar 2008 462,848 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3580.tmp"
Wed 5 Mar 2008 465,408 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3604.tmp"
Wed 5 Mar 2008 596,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3619.tmp"
Sat 2 Feb 2008 300,544 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3647.tmp"
Wed 5 Mar 2008 587,776 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3652.tmp"
Tue 6 Nov 2007 24,576 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3653.tmp"
Wed 5 Mar 2008 601,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3675.tmp"
Sun 3 Feb 2008 7,100,928 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3693.tmp"
Wed 5 Mar 2008 596,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3705.tmp"
Wed 5 Mar 2008 476,672 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3717.tmp"
Wed 5 Mar 2008 594,944 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3718.tmp"
Sun 13 May 2007 20,249,088 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3746.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3819.tmp"
Wed 5 Mar 2008 461,824 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3874.tmp"
Wed 5 Mar 2008 594,432 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3945.tmp"
Wed 5 Mar 2008 455,680 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3960.tmp"
Tue 6 Nov 2007 19,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3983.tmp"
Tue 6 Nov 2007 17,408 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3992.tmp"
Sun 3 Feb 2008 361,472 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3993.tmp"
Sat 2 Feb 2008 304,640 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL4005.tmp"
Sun 3 Feb 2008 348,160 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL4062.tmp"
Wed 5 Mar 2008 593,920 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL4082.tmp"
Tue 11 Apr 2006 2,461,696 A..H. --- "C:\Documents and Settings\User\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
Old 11-07-2008, 06:23 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

You're welcome, yst_dfm. : )


Have you installed the Recovery Console yet? You really should have done that before running the tools.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Close any open browsers.

--------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------


Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47ef56aa-6010-11dd-bf5c-d22a445c9a20}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbc4ec1-d087-11da-b82d-806d6172696f}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

What are your I: and D: drives?

Do you know what this scheduled task is for? Is it something you created?
2008-10-31 C:\WINDOWS\Tasks\Temp.job
- C:\WINDOWS\Temp [2008-11-01 04:35]
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
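Added example (this editor's code, not Ried's instructions or any TSF tool): a small Python checker that parses a .reg script like the delete.reg above and accepts it only if it carries a recognised header, does nothing but delete keys, and every key sits under the MountPoints2 path. The accepted header list, the parsing rules and the constructed "tampered" script are assumptions of this example, not something the thread describes.

```python
import re

ACCEPTED_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")   # "[KEY]" adds/opens a key, "[-KEY]" deletes it

def parse_reg(text):
    """Parse a .reg script into (header, entries); each entry records the deletion
    flag, the key path and any value lines beneath the key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] not in ACCEPTED_HEADERS:
        raise ValueError("missing or unknown .reg header")
    entries, current = [], None
    for s in lines[1:]:
        if not s or s.startswith(";"):          # blank lines and comments
            continue
        m = KEY_LINE.match(s)
        if m:
            current = {"delete": m.group(1) == "-", "key": m.group(2), "values": []}
            entries.append(current)
        elif current is None:
            raise ValueError("value line outside any key: %r" % s)
        else:
            current["values"].append(s)
    return lines[0], entries

def deletions_under(text, allowed_prefix):
    """Return the keys the script deletes, provided that is all it does and every key
    sits under allowed_prefix (compared case-insensitively, like the registry itself).
    Key creation, value writes or keys elsewhere raise ValueError."""
    _, entries = parse_reg(text)
    if not entries:
        raise ValueError("script contains no registry keys")
    prefix = allowed_prefix.lower().rstrip("\\") + "\\"
    deleted = []
    for e in entries:
        if not e["delete"]:
            raise ValueError("script creates or modifies key: " + e["key"])
        if e["values"]:
            raise ValueError("deletion entry carries values: " + e["key"])
        if not e["key"].lower().startswith(prefix):
            raise ValueError("key outside allowed path: " + e["key"])
        deleted.append(e["key"])
    return deleted

def is_safe_deletion_script(text, allowed_prefix):
    """Go/no-go wrapper around deletions_under()."""
    try:
        deletions_under(text, allowed_prefix)
        return True
    except ValueError:
        return False

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"

# The two deletion lines from the thread, preceded by the REGEDIT4 header.
DELETE_REG = "\n".join([
    "REGEDIT4",
    "",
    "[-" + MOUNTPOINTS2 + r"\{47ef56aa-6010-11dd-bf5c-d22a445c9a20}]",
    "[-" + MOUNTPOINTS2 + r"\{ebbc4ec1-d087-11da-b82d-806d6172696f}]",
])

# Constructed counter-example: the same script plus a Run value write, which a deletion-only fix must never contain.
TAMPERED_REG = DELETE_REG + "\n\n" + r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]" + "\n" + r'"example"="C:\\example.exe"'
```

Run the checker on a .reg file's contents before merging it; a script that fails the check should be inspected by hand rather than double-clicked.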
Old 11-07-2008, 12:22 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Quote:
Originally Posted by Ried
Have you installed the Recovery Console yet? You really should have done that before running the tools.
Unfortunately, I realized that much later. I installed the Recovery Console later and ran ComboFix once more. This time it deleted an additional file. I am copying the first few lines of the log below:

ComboFix 08-11-02.02 - User 2008-11-03 0:40:37.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1253.1.1032.18.1535 [GMT 2:00]
Running from: C:\Documents and Settings\User\Επιφάνεια εργασίας\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mdhash.dll' C:\WINDOWS\system32\mdhsh.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\mdhash.dll' C:\WINDOWS\system32\mdhsh.sys

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

Quote:
Originally Posted by Ried
***************************************************

Close any open browsers.

--------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------


Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)



Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------
Both done successfully!

Quote:
Originally Posted by Ried
What are your I: and D: drives?
I: is a removable drive and D: is the second partition of the laptop's drive (vaio comes from the factory with c: and d: partitions).

Quote:
Originally Posted by Ried
Do you know what this scheduled task is for? Is it something you created?
2008-10-31 C:\WINDOWS\Tasks\Temp.job
- C:\WINDOWS\Temp [2008-11-01 04:35]

Not sure. I noticed though that I can't create a new task (access denied). I may have created this file in the past to do a test but I can't remember. Is it ok that I deleted it now?
Old 11-07-2008, 10:25 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

Hello yst_dfm,

I am pleased you did install the Recovery Console.

The task I asked you about appears to have been created on 11/1/08, so given what you just said, I doubt it was something you created in the past and of course it was fine you deleted it.

I'd like for you to perform an online scan to search for remnants that may be lying about. Be sure to insert your I: drive so it may be scanned as well.

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**edit**

Another question for you about the D: drive. My understanding is that the D: drive would have been shipped containing the Recovery Partition. Did you burn that partition to CD or DVD and delete the onboard Recovery?

Last edited by Ried; 11-07-2008 at 10:49 PM.
Old 11-08-2008, 11:04 AM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Hello Ried

Thank you for your response and the detailed guidelines. I have already performed an online scan with Kaspersky a few days ago following the same steps that you suggested in your previous post. It took more than 8 hrs to complete, so I thought I should post the existing log first and ask you if you think I should do the scan again. Here is the log:

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 02, 2008 20:15:38
Records in database: 1367929


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\
F:\
I:\

Scan statistics
Files scanned: 218675
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 15:42:01

File name    Threat name    Threats count
I:\FILES\INTELLIGEN\SPD Work\First month\C++ LEARNING\HTP Examples\HTP-1 Basic Programming Concepts\debug\HTP-1.1.exe    Infected: VirTool.Win32.MS04-028.bq    1

I:\FILES\MANUAL\VAIO\NEW FILES_2008\WORK\INTELLIGEN\C++\HTP Examples\HTP-1 Basic Programming Concepts\debug\HTP-1.1.exe    Infected: VirTool.Win32.MS04-028.bq    1

I:\FILES\MANUAL\VAIO\temp\MP3\07 Track 7.wma    Infected: Trojan-Downloader.WMA.Wimad.l    1

The selected area was scanned.

Please note that file HTP-1.1.exe is a file I built when I was learning C++ and it is six months old. Probably a false positive, right?

Regarding drive D:, as far as I am concerned it is just an ordinary partition (based on the approach that C: should have system files and D: user files). I think that VAIO's recovery files are stored in a hidden partition which is not accessible by Windows.

Thank you again for your time!!! Much appreciated!
Old 11-08-2008, 12:15 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

Yes, that is likely a false positive. And thanks--I wanted to be sure D: was not the Recovery Partition since that partition should not have been accessible by malware.

Your logs are all coming up clean. You've run the proper tools and scans available to us, so if there is anything lurking, we can't see it. Generally speaking, after any sustained infection it's always a good idea to change logins and passwords to any sites you visit, especially financial institutions.

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 11-09-2008, 12:37 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Hello Ried,

I don't seem to have any problems and I surely feel much safer now thanks to your help! I will definitely follow your advice, especially with respect to online banking. I still have a few questions, though, that I would like to ask you before closing this thread, in order to better understand what I should do to avoid any problems in the future:
1. Is it possible that I am still infected, e.g. by a keylogger? If so, would changing my bank account's login/password make any difference?
2. How certain can I be that my recovery partition is not infected? Should I avoid using it in the future?

Thank you very much
Old 11-09-2008, 01:52 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Oh, and one more thing: can I uninstall the recovery console now?
Old 11-09-2008, 03:36 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

Hello yst_dfm,

1. After becoming infected, the only way to be certain the system is clean is to reformat and reinstall Windows. Please don't misunderstand, I'm not trying to be a smart aleck here, but one can never be sure there isn't a keylogger still present. There may be files placed on a system that aren't yet recognized by scanners. If there is a keylogger still onboard, changing your login and passwords will not protect you. You would have to access financial institutions from a known clean computer to be 'safe'. Think of it this way--this is a cat and mouse situation--malware writers come out with new ways to infect a system, then AV and Anti Malware vendors find out and try to add them to their database. Thing is, the mutations come out much faster than the vendors can keep up--which is where we come in with our specialty scanners and tools.

2. Now I'm confused again. The recovery partition should not be accessible by you at all. Let me ask you this--which drive letter is your Recovery Partition?

3. No, you want to keep the Recovery Console installed. While it may not be needed at this time, infections these days tend to patch a lot of critical system files, which often results in multiple problems, one of which can be an unbootable machine. Having the Windows Recovery Console installed on your machine in advance can save a lot of heartache in the future. See this link for a sampling of how the Recovery Console can be used.
Old 11-10-2008, 02:39 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Hi Ried,

I understand the cat and mouse situation that you refer to. Basically, my questions were 'what-would-you-do-in-my-place' type questions, as you may have realized. Based on the information that you already have of course.

Let me clarify that the recovery partition is not directly accessible to me. By "using" it I just meant running the specific VAIO recovery application that uses it to reset the system to factory defaults (hopefully by reformatting/reinstalling). I am not sure if I can trust the hidden partition any more. I mean, from your experience, can malware infect a hidden partition? If so, I'd better look for a Windows installation CD and get rid of the recovery partition.
Old 11-10-2008, 05:09 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

I'll be honest - if my system had been hit with the infections you named, I would backup my documents, bookmarks, pics, etc., and reformat.

At this time, I am unaware of any malware that can get into the Recovery Partition, but I'm sure you feel the same way I do that it's only a matter of time before they find a way. My HP gave me the option to burn the Recovery Partition to CD or DVD (for me, it took 8 CDs) via Start>All Programs>HP Tools. I would think Vaio would offer something similar, as shown and discussed here.

Let me know if you've found that option.
Old 11-10-2008, 06:02 AM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Yes, I do have a similar option, but it failed when I tried to burn a DVD. Probably this is beyond the scope of this forum, but just FYI, I googled to find a solution for it and it seems that if I use a "VAIO compatible" disk (Sony?) I will not have this problem. The reason that I wanted recovery to be the last option is that I've seen too many complaints about problems with the recovery process itself. I'll try to gather as much information as possible about these problems and perform recovery some time soon. For now, I will just forget online banking from this machine.
Old 11-10-2008, 06:42 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

It figures.

While it is beyond the scope of this section of TSF, you may want to inquire with the folks in Windows XP Support. I'm sure many who read that area have run into the same issue as you and would be able to better advise you.
Old 11-10-2008, 06:56 AM   #17 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: xp


Re: Infected by trojans in pseudo-codec

Thanks Ried, I'll do that. Thanks again for your support!!
Old 11-10-2008, 07:02 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,971
OS: WinXP and Vista


Re: Infected by trojans in pseudo-codec

You're welcome, yst_dfm. Take care.
Copyright 2001 - 2009, Tech Support Forum